Edit tour

Windows Analysis Report
qhos.exe

Overview

General Information

Sample name:	qhos.exe
Analysis ID:	1574327
MD5:	b9e7c2155c65081c5fae1a33bc55efef
SHA1:	1d94d24217e44aca4549d67e340e4a79ebb2dc77
SHA256:	d3ce2fa0dbe4469c93aef6210dc08771c4f06a77ec09a522f1b3773d55d70eab
Tags:	exegithub-com--hombozuser-JAMESWT_MHT
Infos:

Detection

Python Stealer, Muck Stealer

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected Muck Stealer

Found pyInstaller with non standard icon

Yara detected Generic Python Stealer

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

qhos.exe (PID: 4204 cmdline: "C:\Users\user\Desktop\qhos.exe" MD5: B9E7C2155C65081C5FAE1A33BC55EFEF)

qhos.exe (PID: 1516 cmdline: "C:\Users\user\Desktop\qhos.exe" MD5: B9E7C2155C65081C5FAE1A33BC55EFEF)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2231782577.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2229704914.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2228048852.00000161386D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000002.2244466649.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2227792101.00000161386CA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000002.2247145926.00000161398E3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
00000002.00000003.2226223735.00000161398D2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
Process Memory Space: qhos.exe PID: 1516	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security
Process Memory Space: qhos.exe PID: 1516	JoeSecurity_MuckStealer	Yara detected Muck Stealer	Joe Security
Click to see the 14 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://discord.gift/

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: qhos.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\qhos.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Jump to behavior

Source: qhos.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: qhos.exe, 00000002.00000002.2252037864.00007FF8A8C84000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2249763026.00007FF8A812F000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: cryptography_rust.pdbc source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: qhos.exe, 00000002.00000002.2251380744.00007FF8A8722000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: qhos.exe, 00000002.00000002.2251380744.00007FF8A8722000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2262490595.00007FF8B8CB6000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: qhos.exe, 00000000.00000003.2107239336.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2263834683.00007FF8B9F71000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: qhos.exe, 00000000.00000003.2107239336.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2263834683.00007FF8B9F71000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: qhos.exe, 00000002.00000002.2250326995.00007FF8A826E000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: params.pparams.qparams.gpub_keypriv_keyossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.4.0built on: Wed Nov 27 17:13:13 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/AOSSL_WINCTX: Undefinednot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: qhos.exe, 00000000.00000003.2122986513.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2264047776.00007FF8BA4F3000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: qhos.exe, 00000002.00000002.2263170088.00007FF8B93D1000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: qhos.exe, 00000000.00000003.2108576620.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: qhos.exe, 00000002.00000002.2250569649.00007FF8A8335000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2261427850.00007FF8B8B1C000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2256732523.00007FF8B7898000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2260362388.00007FF8B8832000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: qhos.exe, 00000002.00000002.2258742138.00007FF8B7E02000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2263461700.00007FF8B9843000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2261427850.00007FF8B8B1C000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2262692341.00007FF8B8F74000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2262955352.00007FF8B8F89000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: cryptography_rust.pdb source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2262692341.00007FF8B8F74000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: qhos.exe, 00000002.00000002.2257812927.00007FF8B78BF000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2242436608.00000161365D0000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: qhos.exe, 00000002.00000002.2250569649.00007FF8A8335000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: qhos.exe, 00000002.00000002.2259162108.00007FF8B7E2D000.00000002.00000001.01000000.00000011.sdmp

Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AB83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF646AB83B0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AB92F0 FindFirstFileExW,FindClose,	0_2_00007FF646AB92F0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF646AD18E4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AB92F0 FindFirstFileExW,FindClose,	2_2_00007FF646AB92F0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AD18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF646AD18E4

Source: qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co=
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB284D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB284E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB284E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB284D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228516271.00000161386BF000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2141563979.00000161386B6000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229294201.0000016138ACB000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229349813.00000161386C0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2170243701.0000016138AA0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224791154.0000016138AC8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2145260413.000001613867B000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150905057.0000016138660000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2149534121.000001613857C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2154456117.0000016138583000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2144553009.00000161386BC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2148695617.0000016138676000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: qhos.exe, 00000002.00000003.2232049120.00000161389EF000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2145980469.00000161389EB000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2230494609.00000161389EE000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231367808.00000161389EE000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225347143.00000161389ED000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229948504.00000161389EE000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2141319554.00000161389B9000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2152537058.00000161389E8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2141319554.0000016138A08000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2148434113.00000161389E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB284D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB284E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB284E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: qhos.exe, 00000000.00000003.2108576620.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB284E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: qhos.exe, 00000002.00000002.2246269615.0000016139270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: qhos.exe, 00000002.00000002.2246269615.0000016139270000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: qhos.exe, 00000002.00000002.2246452336.0000016139370000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: qhos.exe, 00000002.00000003.2145980469.00000161389FC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2148434113.00000161389E8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245836032.0000016138D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: qhos.exe, 00000002.00000003.2148434113.000001613897D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245955266.0000016138E70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tar.gz
Source: qhos.exe, 00000002.00000003.2148434113.000001613897D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245955266.0000016138E70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tgz
Source: qhos.exe, 00000002.00000003.2225020695.0000016138C3D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227027725.0000016138C59000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229329228.0000016138C5D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138C33000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224089402.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138C3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://httpbin.org/post
Source: qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2247890897.000001613A460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.instagram.com/api/v1/users/web_profile_info/?username=
Source: qhos.exe, 00000002.00000002.2247890897.000001613A460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://i.instagram.com/api/v1/users/web_profile_info/?username=P
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB284E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB284D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB284D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB284E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246109714.0000016139070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: qhos.exe, 00000002.00000003.2160777549.0000016138B81000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160719792.0000016138D13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python.org
Source: qhos.exe, 00000002.00000003.2227466821.00000161386F3000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225474655.00000161386ED000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160218075.0000016138CE6000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229580844.00000161386F5000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2244511519.00000161386F6000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227052513.00000161386EE000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python.org/
Source: qhos.exe, 00000002.00000003.2160777549.0000016138B81000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160719792.0000016138D13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://python.org:80
Source: qhos.exe, 00000000.00000003.2123294840.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: qhos.exe, 00000000.00000003.2123294840.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2128119605.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2123294840.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: qhos.exe, 00000002.00000002.2246109714.0000016139070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB2848000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2121472864.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2117268018.0000015AB284E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: qhos.exe, 00000002.00000003.2152106234.0000016138765000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2158818231.0000016138765000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2149534121.0000016138766000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2155848066.0000016138B0F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150645663.0000016138B0F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2162011246.0000016138765000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229467868.0000016138767000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224689003.0000016138767000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: qhos.exe, 00000002.00000003.2160719792.0000016138D13000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228429343.00000161385BC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://127.0.0.1:8443
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: qhos.exe, 00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: qhos.exe, 00000002.00000002.2247890897.000001613A460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api19-va.tiktokv.com/aweme/v1/user/profile/self/?
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: qhos.exe, 00000002.00000003.2228747088.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224921144.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245751959.0000016138D5B000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229406726.0000016138D57000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246634870.0000016139600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue37179
Source: qhos.exe, 00000002.00000002.2244777664.0000016138870000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245836032.0000016138D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: qhos.exe, 00000002.00000002.2247890897.000001613A494000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1086668425797058691/1113770559688413245/app.asar
Source: qhos.exe, 00000002.00000002.2247890897.000001613A494000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1086668425797058691/1113770559688413245/app.asar0
Source: qhos.exe, 00000002.00000002.2247890897.000001613A494000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1135684724585681039/1143224080603037827/app.asar
Source: qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: qhos.exe, qhos.exe, 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmp	String found in binary or memory: https://cffi.readthedocs.io/en/latest/using.html#callbacks
Source: qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/changelog/
Source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/installation/
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cryptography.io/en/latest/security/
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231729190.0000016138607000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160777549.0000016138B81000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229128890.00000161385BD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229224187.00000161385D0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160719792.0000016138D13000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228429343.00000161385BC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231729190.0000016138607000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160777549.0000016138B81000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229128890.00000161385BD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229224187.00000161385D0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160719792.0000016138D13000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228429343.00000161385BC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.3
Source: qhos.exe, 00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)
Source: qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/users/
Source: qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/guilds/
Source: qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2247890897.000001613A460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/users/
Source: qhos.exe, 00000002.00000002.2247890897.000001613A494000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: qhos.exe, 00000002.00000002.2246269615.0000016139270000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs
Source: qhos.exe, 00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/
Source: qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.gift/
Source: qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/j
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)
Source: qhos.exe, 00000002.00000003.2228747088.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224921144.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245751959.0000016138D5B000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229406726.0000016138D57000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246634870.0000016139600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.aiohttp.org/en/stable/client_advanced.html#proxy-support
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizi
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2243944971.00000161385C1000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229128890.00000161385BD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2151869646.00000161385B2000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2149534121.000001613857C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2154456117.0000016138583000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228429343.00000161385BC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: qhos.exe, 00000002.00000003.2227425811.0000016138C21000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224089402.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138BF4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160880937.0000016138C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html
Source: qhos.exe, 00000002.00000003.2227425811.0000016138C21000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138C33000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224089402.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245463764.0000016138C23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/asyncio-eventloop.html
Source: qhos.exe, 00000002.00000003.2224838760.00000161366C0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225900899.00000161366CD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2242981654.00000161366CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.metadata.html
Source: qhos.exe, 00000002.00000003.2140563814.0000016138434000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224410745.0000016138439000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227125083.0000016138468000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2137761125.0000016138434000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224775605.0000016138466000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227844773.000001613846B000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2243629688.000001613846D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/reference/import.html#finders-and-loaders
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://filepreviews.io/
Source: qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/
Source: qhos.exe, 00000002.00000002.2245955266.0000016138E70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com)
Source: qhos.exe, 00000002.00000002.2243263904.0000016138370000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224838760.00000161366C0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225900899.00000161366CD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2242981654.00000161366CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: qhos.exe, 00000002.00000003.2228747088.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224921144.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245751959.0000016138D5B000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229406726.0000016138D57000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246634870.0000016139600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/aio-libs/aiohttp/discussions/6044
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/astral-sh/ruff
Source: qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/frankxrs
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/frankxrs/
Source: qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/frn
Source: qhos.exe, 00000002.00000002.2245836032.0000016138D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: qhos.exe, 00000002.00000002.2246109714.0000016139070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/platformdirs/platformdirs
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/actions?query=workflow%3ACI
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/9253
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main
Source: qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
Source: qhos.exe, 00000002.00000002.2245955266.0000016138E70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: qhos.exe, 00000002.00000002.2244777664.0000016138870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: qhos.exe, 00000002.00000002.2244777664.0000016138870000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: qhos.exe, 00000002.00000002.2244692409.0000016138770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/new?template=distutils-deprecation.yml
Source: qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/wheel
Source: qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/wheel/issues
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs)
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/blob/main/.github/CONTRIBUTING.md)
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1328)
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1329)
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/1330)
Source: qhos.exe, 00000002.00000003.2227425811.0000016138C21000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224089402.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138BF4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160880937.0000016138C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/136
Source: qhos.exe, 00000002.00000003.2230165900.0000016138982000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231473672.0000016138983000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2244882796.0000016138983000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/251
Source: qhos.exe, 00000002.00000003.2227425811.0000016138C21000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224089402.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138BF4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160880937.0000016138C20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/issues/428
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python-attrs/attrs/wiki/Extensions-to-attrs)
Source: qhos.exe, 00000002.00000002.2242981654.00000161366CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: qhos.exe, 00000002.00000002.2243263904.0000016138370000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224838760.00000161366C0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225900899.00000161366CD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2242981654.00000161366CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: qhos.exe, 00000002.00000003.2140563814.0000016138434000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224410745.0000016138439000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2243582686.0000016138446000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2137761125.0000016138434000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2135342024.0000016138685000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227006505.0000016138445000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231110123.0000016138446000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: qhos.exe, 00000002.00000002.2247642998.000001613A020000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/pull/118960
Source: qhos.exe, 00000002.00000003.2228747088.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224921144.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245751959.0000016138D5B000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229406726.0000016138D57000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246634870.0000016139600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/pull/28073
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/issues
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/hynek
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sponsors/hynek).
Source: qhos.exe, 00000002.00000002.2243263904.0000016138370000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224838760.00000161366C0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225900899.00000161366CD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2242981654.00000161366CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hynek.me/articles/import-attrs/)
Source: qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.imgur.com/Npe8QuD.png
Source: qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.o
Source: qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i.o%o/
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/skeleton-2024-informational
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/pyversions/importlib_metadata.svg
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/cryptography.svg
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/importlib_metadata.svg
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-metadata.readthedocs.io/
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://importlib-metadata.readthedocs.io/en/latest/?badge=latest
Source: qhos.exe, 00000002.00000002.2245836032.0000016138D70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)
Source: qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224984259.000001613876A000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160248585.0000016138B76000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245077420.0000016138AB2000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224689003.0000016138767000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klaviyo.com/
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228005090.000001613865C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228168076.0000016138676000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2148168716.0000016138B17000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150905057.0000016138660000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2149534121.000001613857C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2154456117.0000016138583000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mail.python.org/mailman/listinfo/cryptography-dev
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://minecraft.net)
Source: qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nationsglory.fr/profile/
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com)
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)
Source: qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.
Source: qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/
Source: qhos.exe, 00000002.00000002.2246035228.0000016138F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229383601.00000161386AB000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231146364.00000161386B2000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2233409874.00000161386B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the
Source: qhos.exe, 00000002.00000002.2246109714.0000016139070000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246035228.0000016138F70000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2159231381.0000016138B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)
Source: qhos.exe, 00000002.00000002.2243687617.0000016138470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: qhos.exe, 00000002.00000002.2252037864.00007FF8A8C84000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0649/)
Source: qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0685/
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0749/)-implementing
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/attrs/)
Source: qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246109714.0000016139070000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246035228.0000016138F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/build/).
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/cryptography/
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/importlib_metadata
Source: qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/setuptools/
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/python-attrs/attrs/main/docs/_static/attrs_logo.svg
Source: qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/cryptography/badge/?version=latest
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://readthedocs.org/projects/importlib-metadata/badge/?version=latest
Source: qhos.exe, 00000002.00000002.2245955266.0000016138E70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)
Source: qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)
Source: qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/
Source: qhos.exe, 00000002.00000003.2225000256.0000016138BE4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228900472.0000016138BE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html
Source: qhos.exe, 00000002.00000003.2231557294.0000016138A2C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2244977860.0000016138A30000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225347143.00000161389ED000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231197726.0000016138A25000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228210646.0000016138A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages
Source: qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages0d
Source: qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skins.nationsglory.fr/face/
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/tagged/python-attrs)
Source: qhos.exe, 00000002.00000003.2172109744.0000016139B5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stake.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stake.com)p
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/badges/package/pypi/importlib-metadata
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi
Source: qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-importlib-metadata?utm_source=pypi-importlib-metadata&utm
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)
Source: qhos.exe, 00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com/
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228516271.00000161386BF000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150645663.0000016138AFF000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229349813.00000161386C0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386C5000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2157392945.0000016138AFF000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2155848066.0000016138B0F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150645663.0000016138B0F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150905057.0000016138660000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2149534121.000001613857C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2154456117.0000016138583000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)
Source: qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wheel.readthedocs.io/
Source: qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wheel.readthedocs.io/en/stable/news.html
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2143735844.00000161385D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231164029.000001613864B000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228403002.0000016138625000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2141319554.00000161389B9000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2151869646.00000161385B2000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2149534121.000001613857C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2154456117.0000016138583000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2141319554.0000016138A08000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228591557.0000016138628000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: qhos.exe, 00000000.00000003.2113154731.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/
Source: qhos.exe, 00000000.00000003.2113154731.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2113154731.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2113231807.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/)
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/FilePreviews.svg
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Klaviyo.svg
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Tidelift.svg
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/24.2.0/_static/sponsors/Variomedia.svg
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/latest/names.html)
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/changelog.html)
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/comparison.html#customization)
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/init.html#hooking-yourself-into-initialization)
Source: qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.attrs.org/en/stable/why.html#data-classes)
Source: qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/
Source: qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2250660913.00007FF8A8370000.00000002.00000001.01000000.00000012.sdmp, qhos.exe, 00000002.00000002.2251719356.00007FF8A8863000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228005090.000001613865C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2148434113.000001613897D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228168076.0000016138676000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2148168716.0000016138B17000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150905057.0000016138660000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2149534121.000001613857C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2154456117.0000016138583000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0427/
Source: qhos.exe, 00000002.00000002.2252614358.00007FF8A8DF4000.00000008.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/
Source: qhos.exe, 00000002.00000002.2252037864.00007FF8A8C84000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.variomedia.de/
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xbox.com)
Source: qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)

Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AB1000	0_2_00007FF646AB1000
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AB8BD0	0_2_00007FF646AB8BD0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD5C70	0_2_00007FF646AD5C70
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD69D4	0_2_00007FF646AD69D4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD0938	0_2_00007FF646AD0938
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC1FD0	0_2_00007FF646AC1FD0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC8804	0_2_00007FF646AC8804
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646ACDF60	0_2_00007FF646ACDF60
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC17B0	0_2_00007FF646AC17B0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD9798	0_2_00007FF646AD9798
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD18E4	0_2_00007FF646AD18E4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD411C	0_2_00007FF646AD411C
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AB9870	0_2_00007FF646AB9870
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646ACE5E0	0_2_00007FF646ACE5E0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC1DC4	0_2_00007FF646AC1DC4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC3610	0_2_00007FF646AC3610
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC5DA0	0_2_00007FF646AC5DA0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD5EEC	0_2_00007FF646AD5EEC
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC9F10	0_2_00007FF646AC9F10
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC1BC0	0_2_00007FF646AC1BC0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646ABA34B	0_2_00007FF646ABA34B
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646ABA4E4	0_2_00007FF646ABA4E4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646ABAD1D	0_2_00007FF646ABAD1D
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD0938	0_2_00007FF646AD0938
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD6488	0_2_00007FF646AD6488
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC2C80	0_2_00007FF646AC2C80
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD3C80	0_2_00007FF646AD3C80
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC21D4	0_2_00007FF646AC21D4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC3A14	0_2_00007FF646AC3A14
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC8154	0_2_00007FF646AC8154
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AC19B4	0_2_00007FF646AC19B4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646ACDACC	0_2_00007FF646ACDACC
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AB1000	2_2_00007FF646AB1000
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646ABA34B	2_2_00007FF646ABA34B
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AD69D4	2_2_00007FF646AD69D4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AC1FD0	2_2_00007FF646AC1FD0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AC8804	2_2_00007FF646AC8804
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646ACDF60	2_2_00007FF646ACDF60
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AC17B0	2_2_00007FF646AC17B0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AD9798	2_2_00007FF646AD9798
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AD18E4	2_2_00007FF646AD18E4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AD411C	2_2_00007FF646AD411C
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AB9870	2_2_00007FF646AB9870
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646ACE5E0	2_2_00007FF646ACE5E0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AC1DC4	2_2_00007FF646AC1DC4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AC3610	2_2_00007FF646AC3610
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AC5DA0	2_2_00007FF646AC5DA0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AD5EEC	2_2_00007FF646AD5EEC
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AC9F10	2_2_00007FF646AC9F10
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AB8BD0	2_2_00007FF646AB8BD0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AC1BC0	2_2_00007FF646AC1BC0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF8A7FEB6D0	2_2_00007FF8A7FEB6D0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF8A7FE9F90	2_2_00007FF8A7FE9F90

Source: C:\Users\user\Desktop\qhos.exe	Code function: String function: 00007FF646AB2910 appears 34 times
Source: C:\Users\user\Desktop\qhos.exe	Code function: String function: 00007FF646AB2710 appears 92 times

Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: python3.dll.0.dr

Static PE information: No import functions for PE file found

Source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_wmi.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2120321625.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2109306532.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2109468138.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2108161364.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2129958039.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs qhos.exe
Source: qhos.exe, 00000000.00000003.2119826313.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs qhos.exe
Source: qhos.exe, 00000000.00000003.2107239336.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs qhos.exe
Source: qhos.exe, 00000000.00000003.2122986513.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs qhos.exe
Source: qhos.exe, 00000000.00000003.2108576620.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs qhos.exe
Source: qhos.exe	Binary or memory string: OriginalFilename vs qhos.exe
Source: qhos.exe, 00000002.00000002.2250660913.00007FF8A8370000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenamelibsslH vs qhos.exe
Source: qhos.exe, 00000002.00000002.2263579687.00007FF8B9846000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2263905697.00007FF8B9F77000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs qhos.exe
Source: qhos.exe, 00000002.00000002.2262574880.00007FF8B8CBB000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2263246283.00007FF8B93DC000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2254416985.00007FF8A8F1D000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython312.dll. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2256823232.00007FF8B789F000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2258259050.00007FF8B78CB000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2261649018.00007FF8B8B25000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2263049469.00007FF8B8F93000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2259445618.00007FF8B7E49000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2242436608.00000161365D0000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2250151622.00007FF8A8134000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2259955518.00007FF8B7E5E000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2260554717.00007FF8B8834000.00000002.00000001.01000000.00000021.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs qhos.exe
Source: qhos.exe, 00000002.00000002.2251719356.00007FF8A8863000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs qhos.exe
Source: qhos.exe, 00000002.00000002.2262784212.00007FF8B8F77000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilename_wmi.pyd. vs qhos.exe

Source: classification engine

Classification label: mal72.troj.winEXE@3/60@0/0

Source: C:\Users\user\Desktop\qhos.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI42042

Jump to behavior

Source: qhos.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\qhos.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor

Source: C:\Users\user\Desktop\qhos.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qhos.exe, 00000002.00000002.2250326995.00007FF8A826E000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: qhos.exe, 00000002.00000002.2250326995.00007FF8A826E000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: qhos.exe, 00000002.00000002.2250326995.00007FF8A826E000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: qhos.exe, 00000002.00000002.2250326995.00007FF8A826E000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: qhos.exe, qhos.exe, 00000002.00000002.2250326995.00007FF8A826E000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: qhos.exe, 00000002.00000002.2250326995.00007FF8A826E000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: qhos.exe, 00000002.00000002.2250326995.00007FF8A826E000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: qhos.exe

ReversingLabs: Detection: 18%

Source: C:\Users\user\Desktop\qhos.exe

File read: C:\Users\user\Desktop\qhos.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\qhos.exe "C:\Users\user\Desktop\qhos.exe"
Source: C:\Users\user\Desktop\qhos.exe	Process created: C:\Users\user\Desktop\qhos.exe "C:\Users\user\Desktop\qhos.exe"
Source: C:\Users\user\Desktop\qhos.exe	Process created: C:\Users\user\Desktop\qhos.exe "C:\Users\user\Desktop\qhos.exe"	Jump to behavior

Source: C:\Users\user\Desktop\qhos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\qhos.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: qhos.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: qhos.exe

Static file information: File size 15717053 > 1048576

Source: qhos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qhos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qhos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qhos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qhos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qhos.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: qhos.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: qhos.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\python312.pdb source: qhos.exe, 00000002.00000002.2252037864.00007FF8A8C84000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2249763026.00007FF8A812F000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: cryptography_rust.pdbc source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed Sep 27 22:33:28 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_push_octet_ptrOSSL_PARAM_BLD_to_param..\s\crypto\params.c source: qhos.exe, 00000002.00000002.2251380744.00007FF8A8722000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: qhos.exe, 00000002.00000002.2251380744.00007FF8A8722000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: qhos.exe, 00000000.00000003.2108974639.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2262490595.00007FF8B8CB6000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: qhos.exe, 00000000.00000003.2107239336.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2263834683.00007FF8B9F71000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: qhos.exe, 00000000.00000003.2107239336.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2263834683.00007FF8B9F71000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: qhos.exe, 00000002.00000002.2250326995.00007FF8A826E000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: qhos.exe, 00000000.00000003.2108889235.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: params.pparams.qparams.gpub_keypriv_keyossl_ec_group_new_excrypto\ec\ec_lib.cEC_GROUP_copyEC_GROUP_set_generatorEC_GROUP_set_curveEC_GROUP_get_curveEC_GROUP_get_degreeEC_GROUP_check_discriminantEC_POINT_newEC_POINT_copyEC_POINT_set_to_infinityEC_POINT_set_Jprojective_coordinates_GFpEC_POINT_set_affine_coordinatesEC_POINT_get_affine_coordinatesEC_POINT_addEC_POINT_dblEC_POINT_invertEC_POINT_is_at_infinityEC_POINT_is_on_curveEC_POINT_cmpEC_POINT_mulEC_GROUP_get_trinomial_basisEC_GROUP_get_pentanomial_basisgroup_new_from_nameossl_ec_group_set_paramsencodingdecoded-from-explicitEC_GROUP_new_from_paramsgeneratorcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.4.0built on: Wed Nov 27 17:13:13 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/AOSSL_WINCTX: Undefinednot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: qhos.exe, 00000000.00000003.2122986513.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2264047776.00007FF8BA4F3000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: qhos.exe, 00000002.00000002.2263170088.00007FF8B93D1000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: qhos.exe, 00000000.00000003.2108576620.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbEE source: qhos.exe, 00000002.00000002.2250569649.00007FF8A8335000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2261427850.00007FF8B8B1C000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: qhos.exe, 00000000.00000003.2107699064.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2256732523.00007FF8B7898000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: qhos.exe, 00000000.00000003.2109601690.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2260362388.00007FF8B8832000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: qhos.exe, 00000002.00000002.2258742138.00007FF8B7E02000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: qhos.exe, 00000000.00000003.2109069201.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2263461700.00007FF8B9843000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: qhos.exe, 00000000.00000003.2108716029.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2261427850.00007FF8B8B1C000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: qhos.exe, 00000000.00000003.2107829884.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2262692341.00007FF8B8F74000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: qhos.exe, 00000000.00000003.2109179069.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2262955352.00007FF8B8F89000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: cryptography_rust.pdb source: qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: qhos.exe, 00000000.00000003.2109700743.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2262692341.00007FF8B8F74000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: qhos.exe, 00000002.00000002.2257812927.00007FF8B78BF000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: qhos.exe, 00000000.00000003.2120505427.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2242436608.00000161365D0000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: qhos.exe, 00000002.00000002.2250569649.00007FF8A8335000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: qhos.exe, 00000002.00000002.2259162108.00007FF8B7E2D000.00000002.00000001.01000000.00000011.sdmp

Source: qhos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qhos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qhos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qhos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qhos.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python312.dll.0.dr	Static PE information: section name: PyRuntim

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\qhos.exe

Process created: "C:\Users\user\Desktop\qhos.exe"

Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\frozenlist\_frozenlist.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\multidict\_multidict.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket\mask.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\yarl\_quoting_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_http_parser.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket\reader_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_http_writer.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\propcache\_helpers_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI42042\_overlapped.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\qhos.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Jump to behavior

Source: C:\Users\user\Desktop\qhos.exe

Code function: 0_2_00007FF646AB5820 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF646AB5820

Source: C:\Users\user\Desktop\qhos.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\frozenlist\_frozenlist.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\multidict\_multidict.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket\mask.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket\reader_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_http_parser.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\yarl\_quoting_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_http_writer.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\propcache\_helpers_c.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\qhos.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI42042\_overlapped.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\qhos.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17639

Source: C:\Users\user\Desktop\qhos.exe

API coverage: 1.9 %

Source: C:\Users\user\Desktop\qhos.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor

Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AB83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF646AB83B0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AB92F0 FindFirstFileExW,FindClose,	0_2_00007FF646AB92F0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646AD18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF646AD18E4
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AB92F0 FindFirstFileExW,FindClose,	2_2_00007FF646AB92F0
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646AD18E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF646AD18E4

Source: C:\Users\user\Desktop\qhos.exe

Code function: 2_2_00007FF8A7FEBED0 _Py_NoneStruct,_PyArg_ParseTuple_SizeT,GetSystemInfo,VirtualAlloc,_Py_Dealloc,PyExc_MemoryError,PyErr_SetString,_PyObject_GC_New,PyExc_NotImplementedError,PyErr_Format,Py_FatalError,PyObject_GC_Track,PyExc_SystemError,PyErr_SetString,_Py_Dealloc,_Py_Dealloc,

2_2_00007FF8A7FEBED0

Source: qhos.exe, 00000002.00000002.2249532941.00007FF8A76CF000.00000002.00000001.01000000.00000023.sdmp	Binary or memory string: vmCimC
Source: qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2230341663.0000016138692000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2136425848.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2144553009.0000016138678000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2143735844.0000016138673000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229676249.000001613868A000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2142884462.0000016138679000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2145260413.000001613867B000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2137968668.0000016138679000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlleric version of r

Source: C:\Users\user\Desktop\qhos.exe

Code function: 0_2_00007FF646ACA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF646ACA684

Source: C:\Users\user\Desktop\qhos.exe

Code function: 0_2_00007FF646AD34F0 GetProcessHeap,

0_2_00007FF646AD34F0

Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646ABC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF646ABC910
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646ACA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF646ACA684
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646ABD37C SetUnhandledExceptionFilter,	0_2_00007FF646ABD37C
Source: C:\Users\user\Desktop\qhos.exe	Code function: 0_2_00007FF646ABD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF646ABD19C
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646ABC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF646ABC910
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF646ACA684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF646ACA684
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF8A7FFADB8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A7FFADB8
Source: C:\Users\user\Desktop\qhos.exe	Code function: 2_2_00007FF8A7FFA470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8A7FFA470

Source: C:\Users\user\Desktop\qhos.exe

Process created: C:\Users\user\Desktop\qhos.exe "C:\Users\user\Desktop\qhos.exe"

Jump to behavior

Source: C:\Users\user\Desktop\qhos.exe

Code function: 0_2_00007FF646AD95E0 cpuid

0_2_00007FF646AD95E0

Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\attrs-24.2.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info\licenses VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\jaraco VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\jaraco\text\Lorem ipsum.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\multidict VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\multidict VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\multidict VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\multidict\_multidict.cp312-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\multidict VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\yarl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\yarl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\yarl\_quoting_c.cp312-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\propcache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI42042\propcache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qhos.exe	Queries volume information: C:\Users\user\Desktop\qhos.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\qhos.exe

Code function: 0_2_00007FF646ABD080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF646ABD080

Source: C:\Users\user\Desktop\qhos.exe

Code function: 0_2_00007FF646AD5C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF646AD5C70

Stealing of Sensitive Information

Yara detected Muck Stealer

Source: Yara match	File source: 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2231782577.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2229704914.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2228048852.00000161386D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2244466649.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2227792101.00000161386CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2247145926.00000161398E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2226223735.00000161398D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qhos.exe PID: 1516, type: MEMORYSTR

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: qhos.exe PID: 1516, type: MEMORYSTR

Remote Access Functionality

Yara detected Muck Stealer

Source: Yara match	File source: 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2231782577.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2229704914.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2228048852.00000161386D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2244466649.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2227792101.00000161386CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2247145926.00000161398E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2226223735.00000161398D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qhos.exe PID: 1516, type: MEMORYSTR

Yara detected Generic Python Stealer

Source: Yara match

File source: Process Memory Space: qhos.exe PID: 1516, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	24 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qhos.exe	18%	ReversingLabs	Win64.Infostealer.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI42042\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_cffi_backend.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_http_parser.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_http_writer.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket\mask.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket\reader_c.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography\hazmat\bindings\_rust.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\frozenlist\_frozenlist.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\multidict\_multidict.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\propcache\_helpers_c.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\python312.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI42042\yarl\_quoting_c.cp312-win_amd64.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://discord.gift/	100%	Avira URL Cloud	malware
https://nationsglory.fr/profile/	0%	Avira URL Cloud	safe
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages0d	0%	Avira URL Cloud	safe
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages	0%	Avira URL Cloud	safe
https://filepreviews.io/	0%	Avira URL Cloud	safe
https://www.attrs.org/en/stable/why.html#data-classes)	0%	Avira URL Cloud	safe
https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).	0%	Avira URL Cloud	safe
https://i.o	0%	Avira URL Cloud	safe
https://www.variomedia.de/	0%	Avira URL Cloud	safe
https://www.attrs.org/en/stable/changelog.html	0%	Avira URL Cloud	safe
https://www.attrs.org/	0%	Avira URL Cloud	safe
https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).	0%	Avira URL Cloud	safe
https://i.o%o/	0%	Avira URL Cloud	safe
https://stake.com)p	0%	Avira URL Cloud	safe
https://www.attrs.org/en/stable/comparison.html#customization)	0%	Avira URL Cloud	safe
https://www.attrs.org/en/stable/changelog.html)	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://nationsglory.fr/profile/	qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/issues/8996	qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp	false		high
https://github.com/astral-sh/ruff	qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.gift/	qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://github.com/python-attrs/attrs/issues/251	qhos.exe, 00000002.00000003.2230165900.0000016138982000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231473672.0000016138983000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2244882796.0000016138983000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages	qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages0d	qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/importlib_metadata/actions/workflows/main.yml/badge.svg	qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://coinbase.com)	qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiktok.com/	qhos.exe, 00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/aio-libs/aiohttp/discussions/6044	qhos.exe, 00000002.00000003.2228747088.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224921144.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245751959.0000016138D5B000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229406726.0000016138D57000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138D52000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246634870.0000016139600000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/issues	qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiktok.com)	qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://python.org	qhos.exe, 00000002.00000003.2160777549.0000016138B81000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160719792.0000016138D13000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com)	qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	qhos.exe, 00000002.00000002.2243263904.0000016138370000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224838760.00000161366C0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225900899.00000161366CD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2242981654.00000161366CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wheel.readthedocs.io/en/stable/news.html	qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/sponsors/hynek	qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api19-va.tiktokv.com/aweme/v1/user/profile/self/?	qhos.exe, 00000002.00000002.2247890897.000001613A460000.00000004.00001000.00020000.00000000.sdmp	false		high
https://importlib-metadata.readthedocs.io/	qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/LICENSE-2.0	qhos.exe, 00000000.00000003.2113154731.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2113154731.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2113231807.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/core-metadata/	qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2243944971.00000161385C1000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229128890.00000161385BD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2151869646.00000161385B2000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2149534121.000001613857C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2154456117.0000016138583000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228429343.00000161385BC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paypal.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	qhos.exe, 00000002.00000002.2245955266.0000016138E70000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek).	qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://i.instagram.com/api/v1/users/web_profile_info/?username=	qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2247890897.000001613A460000.00000004.00001000.00020000.00000000.sdmp	false		high
https://readthedocs.org/projects/importlib-metadata/badge/?version=latest	qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	qhos.exe, 00000002.00000002.2245955266.0000016138E70000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com/api/webhooks/1267176433306829014/YhEVi7QXrkO9uMJodvR8Fp2e6uTZlqxB6sVXodhGTQI4MPs	qhos.exe, 00000002.00000002.2246269615.0000016139270000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/v9/users/	qhos.exe, 00000002.00000002.2247890897.000001613A494000.00000004.00001000.00020000.00000000.sdmp	false		high
https://xbox.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/attachments/1086668425797058691/1113770559688413245/app.asar0	qhos.exe, 00000002.00000002.2247890897.000001613A494000.00000004.00001000.00020000.00000000.sdmp	false		high
https://youtube.com)	qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://blog.jaraco.com/skeleton	qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/136	qhos.exe, 00000002.00000003.2227425811.0000016138C21000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2226265552.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224089402.0000016138C03000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2168553683.0000016138BF4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160880937.0000016138C20000.00000004.00000020.00020000.00000000.sdmp	false		high
http://i.instagram.com/api/v1/users/web_profile_info/?username=P	qhos.exe, 00000002.00000002.2247890897.000001613A460000.00000004.00001000.00020000.00000000.sdmp	false		high
https://i.o	qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/platformdirs/platformdirs	qhos.exe, 00000002.00000002.2246109714.0000016139070000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	qhos.exe, 00000002.00000002.2246269615.0000016139270000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crunchyroll.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com	qhos.exe, 00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python-attrs/attrs/issues/1330)	qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.instagram.com/	qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pypi.org/project/build/).	qhos.exe, 00000002.00000002.2246184492.0000016139170000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246109714.0000016139070000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2246035228.0000016138F70000.00000004.00001000.00020000.00000000.sdmp	false		high
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.3	qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231729190.0000016138607000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160777549.0000016138B81000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229128890.00000161385BD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229224187.00000161385D0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160719792.0000016138D13000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228429343.00000161385BC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2	qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231729190.0000016138607000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160777549.0000016138B81000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229128890.00000161385BD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229224187.00000161385D0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2160719792.0000016138D13000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228429343.00000161385BC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/wheel	qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/dev/peps/pep-0427/	qhos.exe, 00000000.00000003.2127807235.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	qhos.exe, 00000002.00000002.2243263904.0000016138370000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224838760.00000161366C0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225900899.00000161366CD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2242981654.00000161366CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	qhos.exe, 00000002.00000003.2140563814.0000016138434000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2224410745.0000016138439000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2243582686.0000016138446000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2137761125.0000016138434000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2135342024.0000016138685000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227006505.0000016138445000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231110123.0000016138446000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ebay.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.apache.org/licenses/	qhos.exe, 00000000.00000003.2113154731.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/workflows/CI/badge.svg?branch=main	qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file	qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp	false		high
https://filepreviews.io/	qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.attrs.org/en/stable/why.html#data-classes)	qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://playstation.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/badge/skeleton-2024-informational	qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/pyproject-toml/#declaring-project-metadata-the	qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229383601.00000161386AB000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231146364.00000161386B2000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2233409874.00000161386B9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/installation/	qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sellix.io)	qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613998D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	qhos.exe, 00000002.00000002.2244777664.0000016138870000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/attachments/1086668425797058691/1113770559688413245/app.asar	qhos.exe, 00000002.00000002.2247890897.000001613A494000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/stable/changelog.html	qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v6/guilds/	qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.variomedia.de/	qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/pypi/v/importlib_metadata.svg	qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	qhos.exe, 00000002.00000002.2245836032.0000016138D70000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discordapp.com/j	qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues	qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp	false		high
https://www.attrs.org/	qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mahler:8092/site-updates.py	qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228005090.000001613865C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228168076.0000016138676000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2148168716.0000016138B17000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150905057.0000016138660000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2149534121.000001613857C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2154456117.0000016138583000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	qhos.exe, 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228516271.00000161386BF000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150645663.0000016138AFF000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2229349813.00000161386C0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2231057854.00000161386C5000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2157392945.0000016138AFF000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2155848066.0000016138B0F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150645663.0000016138B0F000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2150905057.0000016138660000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2149534121.000001613857C000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2154456117.0000016138583000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/	qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.gg/	qhos.exe, 00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/latest/glossary.html#term-dunder-methods)).	qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://127.0.0.1:8443	qhos.exe, 00000002.00000003.2160719792.0000016138D13000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2228429343.00000161385BC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://netflix.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	false		high
https://gmail.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	qhos.exe, 00000002.00000003.2224838760.00000161366C0000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2225900899.00000161366CD000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2242981654.00000161366CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/actions?query=workflow%3A%22tests%22	qhos.exe, 00000000.00000003.2123938778.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i.o%o/	qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cacerts.digicert.co	qhos.exe, 00000000.00000003.2130559311.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2108377559.0000015AB2841000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stake.com)p	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://binance.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/changelog/	qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://spotify.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues/9253	qhos.exe, 00000002.00000002.2249210092.00007FF8A74F7000.00000002.00000001.01000000.00000023.sdmp	false		high
https://www.attrs.org/en/stable/changelog.html)	qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mail.python.org/mailman/listinfo/cryptography-dev	qhos.exe, 00000000.00000003.2112574641.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/new?template=distutils-deprecation.yml	qhos.exe, 00000002.00000002.2244692409.0000016138770000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/library/itertools.html#recipes	qhos.exe, 00000002.00000003.2145980469.00000161389FC000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2148434113.00000161389E8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000002.2245836032.0000016138D70000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.attrs.org/en/stable/comparison.html#customization)	qhos.exe, 00000000.00000003.2110680460.0000015AB2850000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB2842000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000000.00000003.2110600157.0000015AB284F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/users/	qhos.exe, 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServer	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.com)	qhos.exe, 00000002.00000002.2248095326.000001613A560000.00000004.00001000.00020000.00000000.sdmp, qhos.exe, 00000002.00000003.2223814087.000001613998D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574327
Start date and time:	2024-12-13 08:41:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qhos.exe
Detection:	MAL
Classification:	mal72.troj.winEXE@3/60@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 73% Number of executed functions: 67 Number of non-executed functions: 253
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: qhos.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI42042\VCRUNTIME140.dll	lz4wnSavmK.exe	Get hash	malicious	Python Stealer	Browse
	WVuXCNNYG0.exe	Get hash	malicious	Python Stealer	Browse
	dipwo1iToJ.exe	Get hash	malicious	Python Stealer	Browse
	Counseling_Services_Overview.docm	Get hash	malicious	Unknown	Browse
	uOsIQqfgiT.exe	Get hash	malicious	Charity, TrojanRansom	Browse
	saiya.exe	Get hash	malicious	AsyncRAT, XWorm	Browse
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse
	OBS-Studio-30.2.3-Windows-Installer.exe	Get hash	malicious	Unknown	Browse
	BrowserUpdate.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	CStealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI42042\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.641929675972235
Encrypted:	false
SSDEEP:	1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:	4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:	489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:	A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:	D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: lz4wnSavmK.exe, Detection: malicious, Browse Filename: WVuXCNNYG0.exe, Detection: malicious, Browse Filename: dipwo1iToJ.exe, Detection: malicious, Browse Filename: Counseling_Services_Overview.docm, Detection: malicious, Browse Filename: uOsIQqfgiT.exe, Detection: malicious, Browse Filename: saiya.exe, Detection: malicious, Browse Filename: RuntimeusererVers.exe, Detection: malicious, Browse Filename: OBS-Studio-30.2.3-Windows-Installer.exe, Detection: malicious, Browse Filename: BrowserUpdate.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	71448
Entropy (8bit):	6.243013214204417
Encrypted:	false
SSDEEP:	1536:nhaPPkvDcBlqCTFFQ/ObfW11swNIGOnL7SyaeCxT:hanCDcnqCJFOObfW11swNIGOnLoeE
MD5:	2CD68FF636394D3019411611E27D0A3B
SHA1:	DA369C5D1A32F68639170D8A265A9EA49C2C8EBD
SHA-256:	0D4FBD46F922E548060EA74C95E99DC5F19B1DF69BE17706806760515C1C64FE
SHA-512:	37388D137454F52057B2376D95ABCC955FA1EDC3E20B96445FA45D1860544E811DF0C547F221C8671DC1A4D90262BB20F3B9F114252F3C47A8C3829951A2CE51
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:.T.[...[...[...#*..[...'...[...'...[...'...[...'...[...&...[..M#...[...[...[...&...[...&...[...&F..[...&...[..Rich.[..........................PE..d...Q..e.........." ...#.f................................................... ......A&....`.............................................P......d......................../..............T...........................@...@............................................text...)d.......f.................. ..`.rdata..`O.......P...j..............@..@.data...(...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.584507188180646
Encrypted:	false
SSDEEP:	1536:FFzZz757cav+IuK66nlxX8W8LsANVIGCV87SyixL7:DzZzq6n3MhLsMVIGCV8O7
MD5:	C7CE973F261F698E3DB148CCAD057C96
SHA1:	59809FD48E8597A73211C5DF64C7292C5D120A10
SHA-256:	02D772C03704FE243C8DE2672C210A5804D075C1F75E738D6130A173D08DFCDE
SHA-512:	A924750B1825747A622EEF93331FD764D824C954297E37E8DC93A450C11AA7AB3AD7C3B823B11656B86E64DE3CD5D409FDA15DB472488DFAA4BB50341F0B29D1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w.l.3...3...3...:...9......1......0......>......;......7.......0...x...1...3...l.......;.......2.......2.......2...Rich3...................PE..d...f..e.........." ...#.....^...............................................P.......@....`.............................................H............0....... ..,......../...@..........T...........................p...@............................................text............................... ..`.rdata..p>.......@..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_cffi_backend.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	179712
Entropy (8bit):	6.180800197956408
Encrypted:	false
SSDEEP:	3072:IULjhBCx8qImKrUltSfGzdMcbb9CF8OS7jkSTLkKWlgeml:IgCeqImzSfIMcNCvOkSTLLWWem
MD5:	FCB71CE882F99EC085D5875E1228BDC1
SHA1:	763D9AFA909C15FEA8E016D321F32856EC722094
SHA-256:	86F136553BA301C70E7BADA8416B77EB4A07F76CCB02F7D73C2999A38FA5FA5B
SHA-512:	4A0E98AB450453FD930EDC04F0F30976ABB9214B693DB4B6742D784247FB062C57FAFAFB51EB04B7B4230039AB3B07D2FFD3454D6E261811F34749F2E35F04D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......a..#%p.p%p.p%p.p,..p)p.p5.q'p.p5.zp!p.p5.q!p.p5.q-p.p5.q)p.pn..q!p.p6.q&p.p%p.p.p.pm..q!p.p,..p$p.pm..q$p.pm.xp$p.pm..q$p.pRich%p.p........................PE..d...W..f.........." ...).....B......`........................................0............`..........................................h..l....i..................T............ .......O...............................M..@............................................text............................... ..`.rdata..............................@..@.data....].......0...p..............@....pdata..T...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124696
Entropy (8bit):	6.1345016966871455
Encrypted:	false
SSDEEP:	3072:kuiS11BYNd+5AWdu41qOqJ/f/EX4lCPIWu1ptpIGLP+z:Pl1U+Ke/16f/ExWI
MD5:	10FDCF63D1C3C3B7E5861FBB04D64557
SHA1:	1AA153EFEC4F583643046618B60E495B6E03B3D7
SHA-256:	BC3B83D2DC9E2F0E6386ED952384C6CF48F6EED51129A50DFD5EF6CBBC0A8FB3
SHA-512:	DC702F4100ED835E198507CD06FA5389A063D4600FC08BE780690D729AB62114FD5E5B201D511B5832C14E90A5975ED574FC96EDB5A9AB9EB83F607C7A712C7F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>...z.z.z.s...\|....x....v....r....~.....x.1...{.1...\|.....y.z.......\|.....{...o.{.....{.Richz.................PE..d...c..e.........." ...#............p^..............................................".....`..........................................`.......a.........................../......p.......T...............................@............................................text............................... ..`.rdata...l.......n..................@..@.data....4.......0...h..............@....pdata..............................@..@.rsrc...............................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253208
Entropy (8bit):	6.567915765795386
Encrypted:	false
SSDEEP:	6144:DV0lmIvcruIDCiryrjqPBTn9qWM53pLW1AuDRRRctULoT3TdTx:SN0rQiryr8TaV+QTdTx
MD5:	21C73E7E0D7DAD7A1FE728E3B80CE073
SHA1:	7B363AF01E83C05D0EA75299B39C31D948BBFE01
SHA-256:	A28C543976AA4B6D37DA6F94A280D72124B429F458D0D57B7DBCF71B4BEA8F73
SHA-512:	0357102BFFC2EC2BC6FF4D9956D6B8E77ED8558402609E558F1C1EBC1BACA6AEAA5220A7781A69B783A54F3E76362D1F74D817E4EE22AAC16C7F8C86B6122390
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.R.!...!...!...Y=..!..+]...!..+]...!..+]...!..+]...!..M\...!...Y...!...!...!..M\...!..M\...!..M\...!..M\Q..!..M\...!..Rich.!..........PE..d...T..e.........." ...#.v...<......\|.....................................................`..........................................T..P....T...................'......./......P...`...T........................... ...@............................................text....t.......v.................. ..`.rdata...............z..............@..@.data....*...p...$...R..............@....pdata...'.......(...v..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64792
Entropy (8bit):	6.219813461442214
Encrypted:	false
SSDEEP:	1536:CQGllrIdcGuzZc94cVM7gDX4NIGOI67Sy+xzn1:I6cvz+9IgDX4NIGOI6Sn1
MD5:	F495D1897A1B52A2B15C20DCECB84B47
SHA1:	8CB65590A8815BDA58C86613B6386B5982D9EC3F
SHA-256:	E47E76D70D508B62924FE480F30E615B12FDD7745C0AAC68A2CDDABD07B692AE
SHA-512:	725D408892887BEBD5BCF040A0ECC6A4E4B608815B9DEA5B6F7B95C812715F82079896DF33B0830C9F787FFE149B8182E529BB1F78AADD89DF264CF8853EE4C4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u...&...&...&.U&...&u..'...&u..'...&u..'...&u..'...&...'...&...'...&...&M..&...'...&...'...&..9&...&...'...&Rich...&........PE..d......e.........." ...#.R...~.......>..............................................'.....`.............................................P.............................../......X....\|..T............................{..@............p..(............................text...7P.......R.................. ..`.rdata...N...p...P...V..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159512
Entropy (8bit):	6.841828996170163
Encrypted:	false
SSDEEP:	3072:RmuEE9tZBoI+1hINrznfB9mNoNSn2Vh/VDxuVIGZ1L6E:RmuFPobkNpYONnvfuCE
MD5:	4E2239ECE266230ECB231B306ADDE070
SHA1:	E807A078B71C660DB10A27315E761872FFD01443
SHA-256:	34130D8ABE27586EE315262D69AF4E27429B7EAB1F3131EA375C2BB62CF094BE
SHA-512:	86E6A1EAB3529E600DD5CAAB6103E34B0F618D67322A5ECF1B80839FAA028150C492A5CF865A2292CC8584FBA008955DA81A50B92301583424401D249C5F1401
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........TB#.5,p.5,p.5,p.M.p.5,p.I-q.5,p.I)q.5,p.I(q.5,p.I/q.5,pnH-q.5,p.M-q.5,p.5-p.5,pnH!q.5,pnH,q.5,pnH.p.5,pnH.q.5,pRich.5,p........PE..d......e.........." ...#.d..........06....................................................`......................................... %..L...l%..x....p.......P.......@.../......4.......T...........................p...@............................................text...:b.......d.................. ..`.rdata..............h..............@..@.data...(....@......................@....pdata.......P....... ..............@..@.rsrc........p.......4..............@..@.reloc..4............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35096
Entropy (8bit):	6.456173627081832
Encrypted:	false
SSDEEP:	768:VAIvrenSE0PkA9c0ji+m9IGWte5YiSyv2pAAMxkEn:6ITQSH9c0jlm9IGWtU7SyOOxj
MD5:	811BCEE2F4246265898167B103FC699B
SHA1:	AE3DE8ACBA56CDE71001D3796A48730E1B9C7CCE
SHA-256:	FB69005B972DC3703F9EF42E8E0FDDF8C835CB91F57EF9B6C66BBDF978C00A8C
SHA-512:	1F71E23CE4B6BC35FE772542D7845DCBEA2A34522BA0468B61CB05F9ABAB7732CBF524BCFF498D1BD0B13B5E8A45C373CCA19AD20E5370F17259E281EDF344BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........)*.wGy.wGy.wGy...y.wGy'.Fx.wGy'.Bx.wGy'.Cx.wGy'.Dx.wGyA.Fx.wGy.wFy.wGy..Fx.wGyA.Jx.wGyA.Gx.wGyA..y.wGyA.Ex.wGyRich.wGy........................PE..d...W..e.........." ...#.....>......P.....................................................`.........................................0E..`....E..x............p.......Z.../...........4..T............................3..@............0...............................text............................... ..`.rdata..r ...0..."..."..............@..@.data........`.......D..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc...............X..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55576
Entropy (8bit):	6.3454178187323755
Encrypted:	false
SSDEEP:	1536:2ND3ua5sIRL9EiqXxpNdtrtBIGXtz7SyNxM:2NjOiUpNdPBIGXtzi
MD5:	F9C67280538408411BE9A7341B93B5B0
SHA1:	CCF776CD2483BC83B48B1DB322D7B6FCAB48356E
SHA-256:	5D298BB811037B583CFF6C88531F1742FAE5EEE47C290ADB47DDBD0D6126B9CC
SHA-512:	AF2156738893EF504D582ACE6750B25BC42AD1EC8A92E0550CE54810706D854F37A82F38EB965A537CAD5D35C0178C5EB7B4D20DB2A95BEBFECF9A13C0592646
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\|!{X.O(X.O(X.O(Qe.(\.O(.aN)Z.O(.aJ)T.O(.aK)P.O(.aL)[.O(.`N)Z.O(X.N(/.O(.eN)].O(.eK)Y.O(.`B)Y.O(.`O)Y.O(.`.(Y.O(.`M)Y.O(RichX.O(................PE..d...V..e.........." ...#.L...`......P...............................................wC....`.............................................X...X............................/......(....f..T...........................`e..@............`...............................text....J.......L.................. ..`.rdata..D8...`...:...P..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.464181935983508
Encrypted:	false
SSDEEP:	768:/k+Ea6rfMkAYY0J/MpIGQUG5YiSyvHAMxkEJ5YSv:8tfHY0JEpIGQU87SyPx/Y+
MD5:	6E00E0821BB519333CCFD4E61A83CB38
SHA1:	3550A41BB2EA54F456940C4D1940ACAB36815949
SHA-256:	2AD02D49691A629F038F48FCDEE46A07C4FCC2CB0620086E7B09AC11915AE6B7
SHA-512:	C3F8332C10B58F30E292676B48ECF1860C5EF9546367B87E90789F960C91EAE4D462DD3EE9CB14F603B9086E81B6701AAB56DA5B635B22DB1E758ED0A983E562
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B:W\.[9..[9..[9..#...[9..'8..[9..'<..[9..'=..[9..':..[9..&8..[9.M#8..[9..[8.M[9..&4..[9..&9..[9..&...[9..&;..[9.Rich.[9.........................PE..d...Y..e.........." ...#.....8.......................................................a....`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..8............................text............................... ..`.rdata.......0......................@..@.data........P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83224
Entropy (8bit):	6.340320871656589
Encrypted:	false
SSDEEP:	1536:ZUuhzLx79flWrqcqtpjly+uCo9/s+S+pzcHQ6B48/VI9dsSbxntpIGLwIU7SyZxL:ZU6zLRNawRy+uCo9/sT+pzuXxVIbsSde
MD5:	899380B2D48DF53414B974E11BB711E3
SHA1:	F1D11F7E970A7CD476E739243F8F197FCB3AD590
SHA-256:	B38E66E6EE413E5955EF03D619CADD40FCA8BE035B43093D2342B6F3739E883E
SHA-512:	7426CA5E7A404B9628E2966DAE544F3E8310C697145567B361825DC0B5C6CD87F2CAF567DEF8CD19E73D68643F2F38C08FF4FF0BB0A459C853F241B8FDF40024
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J./.+z\|.+z\|.+z\|.S.\|.+z\|.W{}.+z\|.W.}.+z\|.W~}.+z\|.Wy}.+z\|}V{}.+z\|.+{\|.+z\|.S{}.+z\|}Vw}.+z\|}Vz}.+z\|}V.\|.+z\|}Vx}.+z\|Rich.+z\|................PE..d......e.........." ...#.v...........-.......................................`...........`.............................................P............@.......0.........../...P..........T...............................@............................................text....u.......v.................. ..`.rdata...x.......z...z..............@..@.data...H...........................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124696
Entropy (8bit):	6.2652662506859444
Encrypted:	false
SSDEEP:	3072:fZIPlR6TxhNO7/9CO4w5yIFGcXcpVNIGOQyl:RjFHO7kC56cXuo
MD5:	CEE93C920951C1169B615CB6330CEDDA
SHA1:	EF2ABF9F760DB2DE0BD92AFE8766A0B798CF8167
SHA-256:	FF25BDBEEF34D2AA420A79D3666C2660E7E3E96259D1F450F1AF5268553380EC
SHA-512:	999D324448BB39793E4807432C697F01F8922B0ABA4519A21D5DC4F4FC8E9E4737D7E104B205B931AF753EDA65F61D0C744F12BE84446F9C6CB3C2A5B35B773C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.g...g...g.......g..../..g......g....+..g....*..g....-..g..q./..g..../..g...g/..f..q.#..g..q....g..q...g..q.,..g..Rich.g..........PE..d......e.........." ...#.............................................................-....`.........................................po..P....o..................8......../.......... ...T...............................@............................................text............................... ..`.rdata..............................@..@.data...8............\|..............@....pdata..8...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	177432
Entropy (8bit):	5.975354635226847
Encrypted:	false
SSDEEP:	3072:KXGEr/16/nJxNOJW5NT6X3l44K5WOSCSVRJNI7IM/cbP7RHs3J7VIGC7hN:Y/r/16/nDNPT6X3l1CMVS7i
MD5:	9B4E74FD1DE0F8A197E4AA1E16749186
SHA1:	833179B49EB27C9474B5189F59ED7ECF0E6DC9EA
SHA-256:	A4CE52A9E0DADDBBE7A539D1A7EDA787494F2173DDCC92A3FAF43B7CF597452B
SHA-512:	AE72B39CB47A859D07A1EE3E73DE655678FE809C5C17FFD90797B5985924DDB47CEB5EBE896E50216FB445526C4CBB95E276E5F3810035B50E4604363EB61CD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.k.4.8.4.8.4.8.L)8.4.8.H.9.4.8.H.9.4.8.H.9.4.8.H.9.4.8kI.9.4.8.4.8#5.8.L.9.4.8kI.9.4.8kI.9.4.8kIE8.4.8kI.9.4.8Rich.4.8........................PE..d......e.........." ...#............\,....................................................`......................................... ...d.......................8......../......x...@...T...............................@............................................text.............................. ..`.rdata...!......."..................@..@.data...(...........................@....pdata..8............^..............@..@.rsrc................j..............@..@.reloc..x............t..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25368
Entropy (8bit):	6.6272949891352315
Encrypted:	false
SSDEEP:	384:lrfwHnEWGQiAQVIGZwJXHQIYiSy1pCQ4XAM+o/8E9VF0NyqzJSj:dQnEIHQVIGZw95YiSyv8AMxkEqw
MD5:	3C8737723A903B08D5D718336900FD8C
SHA1:	2AD2D0D50F6B52291E59503222B665B1823B0838
SHA-256:	BB418E91E543C998D11F9E65FD2A4899B09407FF386E059A88FE2A16AED2556B
SHA-512:	1D974EC1C96E884F30F4925CC9A03FB5AF78687A267DEC0D1582B5D7561D251FB733CF733E0CC00FAEE86F0FEF6F73D36A348F3461C6D34B0238A75F69320D10
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<p.R#.R#.R#...#.R#i.S".R#i.W".R#i.V".R#i.Q".R#..S".R#..S".R#.S#..R#..Z".R#..R".R#...#.R#..P".R#Rich.R#........................PE..d...]..e.........." ...#.....&...... ........................................p......wz....`.........................................`)..L....)..x....P.......@.......4.../...`..@...`#..T........................... "..@............ ..8............................text...h........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..@....`.......2..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\_wmi.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36632
Entropy (8bit):	6.364173312940401
Encrypted:	false
SSDEEP:	768:PgMwnWGwMtUTA7LlVIGCilx5YiSyvzAMxkEaFy:PgMwWGJtGA7LlVIGCih7Syrx+g
MD5:	EE33F4C8D17D17AD62925E85097B0109
SHA1:	8C4A03531CF3DBFE6F378FDAB9699D51E7888796
SHA-256:	79ADCA5037D9145309D3BD19F7A26F7BB7DA716EE86E01073C6F2A9681E33DAD
SHA-512:	60B0705A371AD2985DB54A91F0E904EEA502108663EA3C3FB18ED54671BE1932F4F03E8E3FD687A857A5E3500545377B036276C69E821A7D6116B327F5B3D5C1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._\...=.@.=.@.=.@.En@.=.@.A.A.=.@.A.A.=.@.A.A.=.@.@.A.=.@.A.A.=.@PE.A.=.@.=.@A=.@PE.A.=.@.@.A.=.@.@.A.=.@.@.@.=.@.@.A.=.@Rich.=.@........PE..d..._..e.........." ...#.(...:.......&....................................................`..........................................T..H....T...............p..`....`.../......t...DG..T............................C..@............@.......S..@....................text...>&.......(.................. ..`.rdata..D....@... ...,..............@..@.data........`.......L..............@....pdata..`....p.......P..............@..@.rsrc................T..............@..@.reloc..t............^..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_http_parser.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	263168
Entropy (8bit):	6.21627512418483
Encrypted:	false
SSDEEP:	6144:QV35ER7EkqmDenqq2xXqEq5K9CdFdcax:QV32HbDQpH5K9CdF
MD5:	556DA0B3FFC0DED5269CC5EF2B58F515
SHA1:	19D19EED09C6FC4539ABAD6E1B64BAA47FE1A5D0
SHA-256:	2EC92093132694B879A78A02A7751768A8321E49AA7149776F3AA7DC39F34B7B
SHA-512:	EEB15A973AA940BB47A38CE7D6403B57E4C1CADF88A8425B43A4F95D8D0D8AD24C4087283F449880206750BBE0A60C7CE018A764DD903CD2A92306B5CB2E384A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.zU@.zU@.zUI..UF.zUQ~{TB.zU2y{TB.zU.}{TC.zU@.{U..zUQ~yTD.zUQ~~TH.zUQ~.TL.zU.~rTE.zU.~zTA.zU.~.UA.zU.~xTA.zURich@.zU........PE..d...&1Rg.........." ....(...............................................................`......................................... ...........x....`.......@...............p..\...0..................................@............@...............................text...h'.......(.................. ..`.rdata.......@.......,..............@..@.data... @..........................@....pdata.......@......................@..@.rsrc........`......................@..@.reloc..\....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_http_writer.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49664
Entropy (8bit):	5.798969146565644
Encrypted:	false
SSDEEP:	768:TPriCeqBiVwVJAQ8mK4fE0UYq0olSXEDmYgRE8tJQ:TprimVJtFxEqq5mYg20JQ
MD5:	2D6B0A6E3DACD8A512C4D7B21C603BEE
SHA1:	6088CB2D767024D2371C34F71EE5FE12C577FF64
SHA-256:	E5B3C4063E9F6AEF5E0DE529B6326816D820BE4C4406B5ABF98E36E25DB47739
SHA-512:	7BA3C9E68667D23DA443FF201A43D17D55AA180E2AB6204C2F1F4899761FD8D1C5F4447F2E27E21C84347E463AC4BB75C00DA14A91C218D62EC9E00745815F03
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........TJ...J...J...C.].H...[d..H...8c..H...[d..I...[d..B...[d..F....g..I...J........d..K....d..K....d1.K....d..K...RichJ...................PE..d...&1Rg.........." ...*.z...........\|.......................................P............`............................................h...H...d....0....... ...............@......p...............................0...@...............P............................text....x.......z.................. ..`.rdata..20.......2...~..............@..@.data....N..........................@....pdata....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket\mask.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	5.653914099651
Encrypted:	false
SSDEEP:	384:+IKmzsyA2+kEyrMxA91WZqJ91cL9U0WJtqpTHl2zwu9L6lBw81eLaZ4p1exetkDI:ZhzcnygxA91bryrczTGbw8kLtsqqTH
MD5:	5DCBFE4E67D270CDAEC74AF070439BB9
SHA1:	013935A24E8F116E921C5D0D2D0D8029F5C0213E
SHA-256:	AE6E0E449AACE7B4DF9327D7470652B17FB17F1A1483DA0FA033483BA6D9953A
SHA-512:	D561168440AFE5983580DFFB37DF2CDB02CD4EB7FB18858866EFE746CD985A03929743B0E387159ED1A4C9805E0C3B4AC66B05FA744DFB9B087CD0FDE81498CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........TB...B...B...K.M.@...Sd..@...0c..@...Sd..A...Sd..J...Sd..N....g..A...B........d..C....d..C....d!.C....d..C...RichB...........PE..d..."1Rg.........." ....N...B......`P....................................................`......................................... {..X...x{..d...................................0s...............................q..@............`...............................text....L.......N.................. ..`.rdata...)...`......R..............@..@.data................\|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket\reader_c.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	6.0916455245461165
Encrypted:	false
SSDEEP:	1536:lWN8oZXh2Y/m2/0+AMvRSDFxNYH/9Iw89qV406AgGkbJT0N6ctLU+XqiasgzvGaR:QGoVwY8M5bFIwoqRkYU0qikOXMNkqB
MD5:	A5C5C9268C5A77651A06CE7802BFD7E0
SHA1:	EED897C9E4A5AEDBACE6AF8D68DF587CFEEBA749
SHA-256:	E650698CDF135F3856ABFD9D4237BD479E670A37CB22C83C0B51D90E8FBC3E98
SHA-512:	F357B76AE8797B8D9D582558E4BD2E9252F0A3F9219FFB6D475C40F7994926D8E4C65EBE1FEB3DA9E34F3621A53E35621DADA6A40179A90322EA594C4FA494D5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r..E6...6...6...?.G.2...'U..4...DR..4...'U..2...'U..>...'U..:...~V..5...6........U..7....U..7....U+.7....U..7...Rich6...........PE..d...(1Rg.........." ...*..................................................................`......................................... N..`....N..x...............D...................`<.............................. ;..@............................................text............................... ..`.rdata...f.......h..................@..@.data...X$...p.......P..............@....pdata..D............f..............@..@.rsrc................t..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\attrs-24.2.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI42042\attrs-24.2.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	Unicode text, UTF-8 text, with very long lines (411)
Category:	dropped
Size (bytes):	11524
Entropy (8bit):	5.211520136058075
Encrypted:	false
SSDEEP:	192:ERsUfi6bkQk+k/kKkegToJWicnJsPVA1oz2dv7COmoKTACoEJdQ/0G6lWg+JdQV5:ERsXpLs3VoJWRnJsPvz2dDCHoKsLgA6z
MD5:	49CABCB5F8DA14C72C8C3D00ADB3C115
SHA1:	F575BECF993ECDF9C6E43190C1CB74D3556CF912
SHA-256:	DC9824E25AFD635480A8073038B3CDFE6A56D3073A54E1A6FB21EDD4BB0F207C
SHA-512:	923DAEEE0861611D230DF263577B3C382AE26400CA5F1830EE309BD6737EED2AD934010D61CDD4796618BEDB3436CD772D9429A5BED0A106EF7DE60E114E505C
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: attrs.Version: 24.2.0.Summary: Classes Without Boilerplate.Project-URL: Documentation, https://www.attrs.org/.Project-URL: Changelog, https://www.attrs.org/en/stable/changelog.html.Project-URL: GitHub, https://github.com/python-attrs/attrs.Project-URL: Funding, https://github.com/sponsors/hynek.Project-URL: Tidelift, https://tidelift.com/subscription/pkg/pypi-attrs?utm_source=pypi-attrs&utm_medium=pypi.Author-email: Hynek Schlawack <hs@ox.cx>.License-Expression: MIT.License-File: LICENSE.Keywords: attribute,boilerplate,class.Classifier: Development Status :: 5 - Production/Stable.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classifier: Programming Languag

C:\Users\user\AppData\Local\Temp\_MEI42042\attrs-24.2.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	3556
Entropy (8bit):	5.809424313364516
Encrypted:	false
SSDEEP:	96:Q9ewBtnJT/oPynEddwBbCobXm9qGmR5VXzskcGD+qLtxO:2ewnXJCKXGeR/XzKiO
MD5:	4B6973D2285295CF5E3A45E64EB7A455
SHA1:	1089F2F3C35303D6D5DD19F0C0F707B9609EE3F2
SHA-256:	2B368DFC37283970C33CC8D4EEC129F668EB99EBF9D3AA27F49A1B149658F2B0
SHA-512:	A5150ECB625A3CFDC3F22C60EB7B16FDBED01CD47505BD520491B477AE24E8C59FFAE2334948122E656F6F0A5F2AF0635B6D976241745583A3D7AF9E3781718D
Malicious:	false
Preview:	attr/__init__.py,sha256=l8Ewh5KZE7CCY0i1iDfSCnFiUTIkBVoqsXjX9EZnIVA,2087..attr/__init__.pyi,sha256=aTVHBPX6krCGvbQvOl_UKqEzmi2HFsaIVm2WKmAiqVs,11434..attr/__pycache__/__init__.cpython-312.pyc,,..attr/__pycache__/_cmp.cpython-312.pyc,,..attr/__pycache__/_compat.cpython-312.pyc,,..attr/__pycache__/_config.cpython-312.pyc,,..attr/__pycache__/_funcs.cpython-312.pyc,,..attr/__pycache__/_make.cpython-312.pyc,,..attr/__pycache__/_next_gen.cpython-312.pyc,,..attr/__pycache__/_version_info.cpython-312.pyc,,..attr/__pycache__/converters.cpython-312.pyc,,..attr/__pycache__/exceptions.cpython-312.pyc,,..attr/__pycache__/filters.cpython-312.pyc,,..attr/__pycache__/setters.cpython-312.pyc,,..attr/__pycache__/validators.cpython-312.pyc,,..attr/_cmp.py,sha256=3umHiBtgsEYtvNP_8XrQwTCdFoZIX4DEur76N-2a3X8,4123..attr/_cmp.pyi,sha256=U-_RU_UZOyPUEQzXE6RMYQQcjkZRY25wTH99sN0s7MM,368..attr/_compat.py,sha256=n2Uk3c-ywv0PkFfGlvqR7SzDXp4NOhWmNV_ZK6YfWoM,2958..attr/_config.py,sha256=z81Vt-GeT_2taxs1XZfmHx9TWlSxjP

C:\Users\user\AppData\Local\Temp\_MEI42042\attrs-24.2.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	87
Entropy (8bit):	4.730668933656452
Encrypted:	false
SSDEEP:	3:RtEeXAaCTQnP+tPCCfA5I:Rt2PcnWBB3
MD5:	52ADFA0C417902EE8F0C3D1CA2372AC3
SHA1:	B67635615EEF7E869D74F4813B5DC576104825DD
SHA-256:	D7215D7625CC9AF60AED0613AAD44DB57EBA589D0CCFC3D8122114A0E514C516
SHA-512:	BFA87E7B0E76E544C2108EF40B9FAC8C5FF4327AB8EDE9FEB2891BD5D38FEA117BD9EEBAF62F6C357B4DEADDAD5A5220E0B4A54078C8C2DE34CB1DD5E00F2D62
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: hatchling 1.25.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI42042\attrs-24.2.0.dist-info\licenses\LICENSE

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1109
Entropy (8bit):	5.104415762129373
Encrypted:	false
SSDEEP:	24:bGf8rUrmJHHH0yN3gtsHw1hC09QHOsUv4eOk4/+/m3oqLFh:bW8rUaJHlxE3dQHOs5exm3ogFh
MD5:	5E55731824CF9205CFABEAB9A0600887
SHA1:	243E9DD038D3D68C67D42C0C4BA80622C2A56246
SHA-256:	882115C95DFC2AF1EEB6714F8EC6D5CBCABF667CAFF8729F42420DA63F714E9F
SHA-512:	21B242BF6DCBAFA16336D77A40E69685D7E64A43CC30E13E484C72A93CD4496A7276E18137DC601B6A8C3C193CB775DB89853ECC6D6EB2956DEEE36826D5EBFE
Malicious:	false
Preview:	The MIT License (MIT)..Copyright (c) 2015 Hynek Schlawack and the attrs contributors..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all.copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHE

C:\Users\user\AppData\Local\Temp\_MEI42042\base_library.zip

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1329520
Entropy (8bit):	5.586655762137983
Encrypted:	false
SSDEEP:	12288:uttcY+b+vOmgRF1+fYNXPh26UZWAzCu7j5D95wdgkVodYOPjwwMJ9gCCaYc2I:uttcY+mHCiCA5TNqodYOPEPEaYc2I
MD5:	898E35281A756640780DBC31A0B78452
SHA1:	845B59CFD9FB152725F250A872E9D1D7A66AF258
SHA-256:	0DAA440C78582A693DABBC2325A06D817131BB170BAD436B126BAD896F1377CD
SHA-512:	421CC4A15E94293E53F1039B8BB5BE7EDCBC8E3E0E4ABC7F34FAF991993F51CB5F51493B58BB341CB9579347EC134B02104454075A8E7E33E45B8E3A66A44D79
Malicious:	false
Preview:	PK..........!.x[_C............_collections_abc.pyc......................................Z.....d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.............Z...e.d.........Z.d...Z...e.e.........Z.[.g.d...Z.d.Z...e...e.d.................Z...e...e...e.........................Z...e...e.i.j%..........................................Z...e...e.i.j)..........................................Z...e...e.i.j-..........................................Z...e...e.g.................Z...e...e...e.g.........................Z...e...e...e.d.........................Z...e...e...e.d.d.z...........................Z...e...e...e.........................Z...e...e.d.................Z ..e...e.d.................Z!..e...e...e"........................Z#..e.i.j%..................................Z$..e.i.j)..................................Z%..e.i.j-..................................Z&..e.e.jN..........................Z(..e...d...................Z)d...Z..e........Z..e.e........Z+ejY............................[d...Z-..e-........

C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5724
Entropy (8bit):	5.120429897887076
Encrypted:	false
SSDEEP:	96:DlkQIUQIhQIKQILbQIRIaMPktjaVMxsxA2ncEvGDfe0HEdwGArNZG0JQTQCQx5Kw:dcPuPwsrcEvGDfe0HENA5w0JQTQ9x59H
MD5:	526D9AC9D8150602EC9ED8B9F4DE7102
SHA1:	DBA2CB32C21C4B0F575E77BBCDD4FA468056F5E3
SHA-256:	D95F491ED418DC302DB03804DAF9335CE21B2DF4704587E6851EF03E1F84D895
SHA-512:	FB13A2F6B64CB7E380A69424D484FC9B8758FA316A7A155FF062BFDACDCA8F2C5D2A03898CD099688B1C16A5A0EDCECFC42BF0D4D330926B10C3FCE9F5238643
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: cryptography.Version: 44.0.0.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif

C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	16380
Entropy (8bit):	5.587009861664839
Encrypted:	false
SSDEEP:	192:hXr12s/l45jEVeK+VqhXJZ4WJJ6sf7B0PpzIq+NX6ih5VFUqq8q:hXplMEVdhJrJJ6sf7B0Ppz/+96ihu8q
MD5:	A53742D3EE69CAE1FD8BDEDAC05BB828
SHA1:	02BC360839FEB54E58E14D410266652DCB718353
SHA-256:	9518E7D9DA0F889F568F800E1A4ADC0686234DC9D9934A46F78FFB5E6C351A98
SHA-512:	C69C4D3ECA56D725E90F9F0C4B98071F4F92A3BC06A635CE0D6309976C750B20B3DA353EFED27F07712FF5E0C1A8114300004C8E2D2EE9155F31D856A3C6EE05
Malicious:	false
Preview:	cryptography-44.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-44.0.0.dist-info/METADATA,sha256=2V9JHtQY3DAtsDgE2vkzXOIbLfRwRYfmhR7wPh-E2JU,5724..cryptography-44.0.0.dist-info/RECORD,,..cryptography-44.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-44.0.0.dist-info/WHEEL,sha256=Hn9bytZpOGoR6M4U5xUTHC1AJpPD9B1xPrM4STxljEU,94..cryptography-44.0.0.dist-info/licenses/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-44.0.0.dist-info/licenses/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-44.0.0.dist-info/licenses/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=fcUqF1IcadxBSH0us1vCvob0OJOrPV3h30yZD8wsHo4,445..cryptography/__init__.py,sha256=XsRL_PxbU6UgoyoglAgJQSrJCP97ovBA8YIEQ2-uI68,762..cryptography/__pycache__/__about__.cpython-312.pyc,,..cryptography/__pycache__/__init__.cpython-312

C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	5.0373614967294325
Encrypted:	false
SSDEEP:	3:RtEeX5pG6vhP+tkKciH/KQb:RtvoKWKTQb
MD5:	A868F93FCF51C4F1C25658D54F994349
SHA1:	535C88A10911673DEABB7889D365E81729E483A6
SHA-256:	1E7F5BCAD669386A11E8CE14E715131C2D402693C3F41D713EB338493C658C45
SHA-512:	EC13CAC9DF03676640EF5DA033E8C2FAEE63916F27CC27B9C43F0824B98AB4A6ECB4C8D7D039FA6674EF189BDD9265C8ED509C1D80DFF610AEB9E081093AEB3D
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: maturin (1.7.5).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.

C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info\licenses\LICENSE

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info\licenses\LICENSE.APACHE

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography-44.0.0.dist-info\licenses\LICENSE.BSD

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI42042\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8292864
Entropy (8bit):	6.493076254122072
Encrypted:	false
SSDEEP:	98304:Y4sf3zg+qUuQdPJMqYLSxuBLZqwt0kDO+5+O:cdeqYLSxuBLZrGjq+
MD5:	34293B976DA366D83C12D8EE05DE7B03
SHA1:	82B8EB434C26FCC3A5D9673C9B93663C0FF9BF15
SHA-256:	A2285C3F2F7E63BA8A17AB5D0A302740E6ADF7E608E0707A7737C1EC3BD8CECC
SHA-512:	0807EC7515186F0A989BB667150A84FF3BEBCC248625597BA0BE3C6F07AD60D70CF8A3F65191436EC16042F446D4248BF92FCD02212E459405948DB10F078B8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y.j...j...j....F..j.......j.......j.......j.......j.......j.......j...j...h.......i...j...j.......j.......j..Rich.j..........................PE..d....^Gg.........." ...*.R\..n"......~Z.......................................~...........`...........................................x.X.....x...............y...............~.......o.T.....................o.(...p.o.@............p\.8............................text....Q\......R\................. ..`.rdata..P9...p\..:...V\.............@..@.data... >....x.......x.............@....pdata........y.......y.............@..@.reloc........~.......}.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\frozenlist\_frozenlist.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	87040
Entropy (8bit):	5.9471652810047235
Encrypted:	false
SSDEEP:	1536:NIf505ZC316pwJV0Jzn4pyOJ8RMrpLkFb0GZi8fR3px7F:Q66gFlmrpLkFwGTp3pt
MD5:	5A5BD0B8845F5A47ECFC2C55ABE7413C
SHA1:	D4B2E85D30480573FEFBC413C4F7B81FA67115E1
SHA-256:	8BE6E6CC104018C0DC1AE0694330F44B94FABB6C50EEC086373DDF24117D78A7
SHA-512:	B2C24C3C5D59A4987F36DFCF677227C020BB632B7155E99D7405516BD855B03965F3FC3558E8637DA1B4E65E7EF7C5D2EA33B338BAEAE72F62017ED682D19651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.5VK.fVK.fVK.f_3DfRK.fF..gTK.f.3.gTK.fF..gUK.fF..g^K.fF..g[K.f...gUK.fVK.f.K.f...gWK.f...gWK.f..(fWK.f...gWK.fRichVK.f........PE..d.....g.........." ...).....v............................................................`..........................................7..h...x7..x............p..(....................&..............................P%..@...............@............................text............................... ..`.rdata...J.......L..................@..@.data...h....P.......6..............@....pdata..(....p.......D..............@..@.rsrc................P..............@..@.reloc...............R..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5162776
Entropy (8bit):	5.958207976652471
Encrypted:	false
SSDEEP:	98304:S3+FRtLtlVriXpshX179Cahd4tC9P1+1CPwDvt3uFlDCi:ASRtLtvd99Cahd4tC9w1CPwDvt3uFlDz
MD5:	51E8A5281C2092E45D8C97FBDBF39560
SHA1:	C499C810ED83AAADCE3B267807E593EC6B121211
SHA-256:	2A234B5AA20C3FAECF725BBB54FB33F3D94543F78FA7045408E905593E49960A
SHA-512:	98B91719B0975CB38D3B3C7B6F820D184EF1B64D38AD8515BE0B8B07730E2272376B9E51631FE9EFD9B8A1709FEA214CF3F77B34EEB9FD282EB09E395120E7CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./',.kFB.kFB.kFB.b>..yFB..:C.iFB..:G.gFB..:F.cFB..:A.oFB.kFC..FB. >C.`FB.;A.KFB.;F..EB.;B.jFB.;..jFB.;@.jFB.RichkFB.........................PE..d...x..e.........." ...#..6..*......v.........................................O.......O...`.........................................0.G.0.....M.@....0N.\|.....K.\.....N../...@N.....PsC.8............................qC.@.............M..............................text...4.6.......6................. ..`.rdata..`.....6.......6.............@..@.data....n....J..<....J.............@....pdata........K.......J.............@..@.idata...%....M..&....M.............@..@.00cfg..u.... N.......M.............@..@.rsrc...\|....0N.......M.............@..@.reloc..k....@N.......M.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	790296
Entropy (8bit):	5.607732992846443
Encrypted:	false
SSDEEP:	6144:7aO1lo7USZGjweMMHO4+xuVg7gCl2VdhMd1DdwMVn4TERUr3zgKpJJ/wknofFe9A:FkeMKOr97gCAE35gEGzLpwknofFe9XbE
MD5:	BFC834BB2310DDF01BE9AD9CFF7C2A41
SHA1:	FB1D601B4FCB29FF1B13B0D2ED7119BD0472205C
SHA-256:	41AD1A04CA27A7959579E87FBBDA87C93099616A64A0E66260C983381C5570D1
SHA-512:	6AF473C7C0997F2847EBE7CEE8EF67CD682DEE41720D4F268964330B449BA71398FDA8954524F9A97CC4CDF9893B8BDC7A1CF40E9E45A73F4F35A37F31C6A9C3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T..T..T..].3.Z....V......V....X....\....P....W..T..I....e....U.._.U....U..RichT..........PE..d......e.........." ...#.6..........K........................................0.......w....`..........................................w...Q..............s.... ..pM......./......`... ...8...............................@............................................text....4.......6.................. ..`.rdata...y...P...z...:..............@..@.data....N.......H..................@....pdata..XV... ...X..................@..@.idata..bc.......d...T..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..?...........................@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\multidict\_multidict.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	5.417086235508803
Encrypted:	false
SSDEEP:	768:67CE1/NMVzMoCQVbrw0k6To3OOG/B+jPSrSRNj4bSM2V:QruzMoNrNTo3OOG/eRF4be
MD5:	4EED96BBB1C4B6D63F50C433E9C0A16A
SHA1:	CDE34E8F1DAC7F4E98D2B0AAF1186C6938DE06C3
SHA-256:	B521B7E3B6BED424A0719C36735BC4BF2BB8B0926370B31C221C604E81F8D78B
SHA-512:	1CACB250D867FCBBC5224C3F66CB23A93F818BC1D0524CAD6D1C52295D243AF10F454FDE13FA58671D3EE62281A2A3F71A69F28B08FD942FCEDBA3C9B09A774A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v`.2...2...2...;y..0..."...0...yy..0..."...1..."...:..."...9...!...1...2...G...z...3...z...3...z.s.3...z...3...Rich2...................PE..d....}.f.........." ...).\...^...... `....................................................`.............................................d...$...d...............x...............,...................................P...@............p...............................text....[.......\.................. ..`.rdata...+...p...,...`..............@..@.data...."..........................@....pdata..x...........................@..@.rsrc...............................@..@.reloc..,...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\propcache\_helpers_c.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	5.893653938715821
Encrypted:	false
SSDEEP:	768:+s11wjRRndyww3gZ/RDJutFyX1loDPJfgjsfu4Wk9gqNYQ410ij/5eN+wDmde8VO:T1xgPdQyXDoDA4utk9g1EDmde8VbRA
MD5:	99E89078A7B0CC53096EEB29CB6A0F53
SHA1:	C9EA97566B8DBFB6525B7102AE9AB2DA58EC1E2A
SHA-256:	AA09ADFA72070AF1E151AA6CEB01AD510A29514E68AEE703D57398ECA53397D2
SHA-512:	D6FC565F66011D71D94CE7FFD1BE6CC23749B39DBD346140C07783637B48C11D4061809A513D7263D3F712D83398907955998D11B88A61D5766BE9F00D5BDE06
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r..T6...6...6...?.].4...'d..4...Dc..4...'d..5...'d..>...'d..:...~g..5...6........d..7....d..7....d1.7....d..7...Rich6...........PE..d...B.Lg.........." ...*.....l...... ........................................p............`.............................................d...d...d....P.......@...............`..X...................................p...@............................................text...x........................... ..`.rdata...E.......F..................@..@.data........ ......................@....pdata.......@......................@..@.rsrc........P......................@..@.reloc..X....`......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	200472
Entropy (8bit):	6.382659996286758
Encrypted:	false
SSDEEP:	3072:mhaQEuYCUDWuc7VmkqrgVrLJEKAAKJadAT0nIgjWdopPb/+mVApIGLhSZ:yaJh6v7VRVrLJEKAABiuXKd4GE
MD5:	F554064233C082F98EF01195693D967D
SHA1:	F191D42807867E0174DDC66D04C45250D9F6561E
SHA-256:	E1D56FFBF5E5FAB481D7A14691481B8FF5D2F4C6BF5D1A4664C832756C5942FE
SHA-512:	3573A226305CEC45333FC4D0E6FC0C3357421AD77CD8A1899C90515994351292EE5D1C445412B5563AA02520736E870A9EE879909CD992F5BE32E877792BDB88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................g.................................h.......................h.......h.......h.......h.......Rich....................PE..d...Z..e.........." ...#............0...............................................2.....`.............................................P...`............................/..........P4..T............................3..@............ ...............................text.../........................... ..`.rdata..4.... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\python3.dll

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68376
Entropy (8bit):	6.14883904573939
Encrypted:	false
SSDEEP:	768:3V1EbYGVXq6KC/prVHBN0cW18itCQDFPnOMFn+gikF/nFX14uewjBcCCC0yamM/J:3DmF61JFn+/OipIGL0m7Sy0xG
MD5:	77896345D4E1C406EEFF011F7A920873
SHA1:	EE8CDD531418CFD05C1A6792382D895AC347216F
SHA-256:	1E9224BA7190B6301EF47BEFA8E383D0C55700255D04A36F7DAC88EA9573F2FB
SHA-512:	3E98B1B605D70244B42A13A219F9E124944DA199A88AD4302308C801685B0C45A037A76DED319D08DBF55639591404665BEFE2091F0F4206A9472FEE58D55C22
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C..."e.."e.."e.0_m.."e.0_e.."e.0_..."e.0_g.."e.Rich."e.................PE..d...@..e.........." ...#............................................................q.....`.........................................`...H................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\python312.dll

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6972184
Entropy (8bit):	5.774196030396665
Encrypted:	false
SSDEEP:	98304:B6vwRS7fYzmSSVlLWyJVT7OQvxHDMiEPlk:8vwRHTSVlfJVmir
MD5:	5C5602CDA7AB8418420F223366FFF5DB
SHA1:	52F81EE0AEF9B6906F7751FD2BBD4953E3F3B798
SHA-256:	E7890E38256F04EE0B55AC5276BBF3AC61392C3A3CE150BB5497B709803E17CE
SHA-512:	51C3B4F29781BB52C137DDB356E1BC5A37F3A25F0ED7D89416B14ED994121F884CB3E40CCDBB211A8989E3BD137B8DF8B28E232F98DE8F35B03965CFCE4B424F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................m.................x...s...x......x......x......Rich............PE..d...=..e.........." ...#..(..6B.....l........................................@k.......k...`......................................... .O.......O.......i......``..V...4j../....i..X.. I3.T....................7I.(....G3.@.............(..............................text...V.(.......(................. ..`.rdata...A'...(..B'...(.............@..@.data....4... P..x....O.............@....pdata...V...``..X...v_.............@..@PyRuntim......b.......a.............@....rsrc.........i.......h.............@..@.reloc...X....i..Z....h.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\select.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31000
Entropy (8bit):	6.531624163477087
Encrypted:	false
SSDEEP:	768:s7ENJKHq1vv38pIGQGE5YiSyvTcAMxkEMrX:s7ENJKK1vv38pIGQGO7Syb6xuX
MD5:	BFFFF83A000BAF559F3EB2B599A1B7E8
SHA1:	7F9238BDA6D0C7CC5399C6B6AB3B42D21053F467
SHA-256:	BC71FBDFD1441D62DD86D33FF41B35DC3CC34875F625D885C58C8DC000064DAB
SHA-512:	3C0BA0CF356A727066AE0D0D6523440A882AAFB3EBDF70117993EFFD61395DEEBF179948F8C7F5222D59D1ED748C71D9D53782E16BD2F2ECCC296F2F8B4FC948
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t.q\|'.q\|'.q\|'...'.q\|'q.}&.q\|'q.y&.q\|'q.x&.q\|'q..&.q\|'..}&.q\|'.q}'.q\|'..}&.q\|'..q&.q\|'..\|&.q\|'...'.q\|'..~&.q\|'Rich.q\|'........PE..d...Z..e.........." ...#.....2............................................................`..........................................@..L...,A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text...v........................... ..`.rdata.......0......................@..@.data........P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11358
Entropy (8bit):	4.4267168336581415
Encrypted:	false
SSDEEP:	192:nU6G5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEn7HbHR:U9vlKM1zJlFvmNz5VrlkTS07Ht
MD5:	3B83EF96387F14655FC854DDC3C6BD57
SHA1:	2B8B815229AA8A61E483FB4BA0588B8B6C491890
SHA-256:	CFC7749B96F63BD31C3C42B5C471BF756814053E847C10F3EB003417BC523D30
SHA-512:	98F6B79B778F7B0A15415BD750C3A8A097D650511CB4EC8115188E115C47053FE700F578895C097051C9BC3DFB6197C2B13A15DE203273E1A3218884F86E90E8
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. http://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial own

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4648
Entropy (8bit):	5.006900644756252
Encrypted:	false
SSDEEP:	96:Dx2ZSaCSmS8R902Vpnu386eLQ9Ac+fFZpDN00x2jZ2SBXZJSwTE:9Smzf02Vpnu386mQ9B+TP0vJHJSwTE
MD5:	98ABEAACC0E0E4FC385DFF67B607071A
SHA1:	E8C830D8B0942300C7C87B3B8FD15EA1396E07BD
SHA-256:	6A7B90EFFEE1E09D5B484CDF7232016A43E2D9CC9543BCBB8E494B1EC05E1F59
SHA-512:	F1D59046FFA5B0083A5259CEB03219CCDB8CC6AAC6247250CBD83E70F080784391FCC303F7630E1AD40E5CCF5041A57CB9B68ADEFEC1EBC6C31FCF7FFC65E9B7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: importlib_metadata.Version: 8.0.0.Summary: Read metadata from Python packages.Author-email: "Jason R. Coombs" <jaraco@jaraco.com>.Project-URL: Source, https://github.com/python/importlib_metadata.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.License-File: LICENSE.Requires-Dist: zipp >=0.5.Requires-Dist: typing-extensions >=3.6.4 ; python_version < "3.8".Provides-Extra: doc.Requires-Dist: sphinx >=3.5 ; extra == 'doc'.Requires-Dist: jaraco.packaging >=9.3 ; extra == 'doc'.Requires-Dist: rst.linker >=1.9 ; extra == 'doc'.Requires-Dist: furo ; extra == 'doc'.Requires-Dist: sphinx-lint ; extra == 'doc'.Requires-Dist: jaraco.tidelift >=1.4 ; extra == 'doc'.Provides-Extra: perf.Requires-D

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2518
Entropy (8bit):	5.6307766747793275
Encrypted:	false
SSDEEP:	48:UnuXTg06U5J/Vw9l/gfNX7/XzBk9pvJq/fwJOfYrBfnJ/V0XJnzN/3WJV:bXzP/EgdzzBkDJsoIYrBfJ/CXNz9qV
MD5:	EB513CAFA5226DDA7D54AFDCC9AD8A74
SHA1:	B394C7AEC158350BAF676AE3197BEF4D7158B31C
SHA-256:	0D8D3C6EEB9EBBE86CAC7D60861552433C329DA9EA51248B61D02BE2E5E64030
SHA-512:	A0017CFAFF47FDA6067E3C31775FACEE4728C3220C2D4BD70DEF328BD20AA71A343E39DA15CD6B406F62311894C518DFCF5C8A4AE6F853946F26A4B4E767924E
Malicious:	false
Preview:	importlib_metadata-8.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..importlib_metadata-8.0.0.dist-info/LICENSE,sha256=z8d0m5b2O9McPEK1xHG_dWgUBT6EfBDz6wA0F7xSPTA,11358..importlib_metadata-8.0.0.dist-info/METADATA,sha256=anuQ7_7h4J1bSEzfcjIBakPi2cyVQ7y7jklLHsBeH1k,4648..importlib_metadata-8.0.0.dist-info/RECORD,,..importlib_metadata-8.0.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..importlib_metadata-8.0.0.dist-info/WHEEL,sha256=mguMlWGMX-VHnMpKOjjQidIo1ssRlCFu4a4mBpz1s2M,91..importlib_metadata-8.0.0.dist-info/top_level.txt,sha256=CO3fD9yylANiXkrMo4qHLV_mqXL2sC5JFKgt1yWAT-A,19..importlib_metadata/__init__.py,sha256=tZNB-23h8Bixi9uCrQqj9Yf0aeC--Josdy3IZRIQeB0,33798..importlib_metadata/__pycache__/__init__.cpython-312.pyc,,..importlib_metadata/__pycache__/_adapters.cpython-312.pyc,,..importlib_metadata/__pycache__/_collections.cpython-312.pyc,,..importlib_metadata/__pycache__/_compat.cpython-312.pyc,,..importlib_metadata/__pycac

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.687870576189661
Encrypted:	false
SSDEEP:	3:RtEeXMRYFAVLMvhRRP+tPCCfA5S:RtC1VLMvhjWBBf
MD5:	7D09837492494019EA51F4E97823D79F
SHA1:	7829B4324BB542799494131A270EC3BDAD4DEDEF
SHA-256:	9A0B8C95618C5FE5479CCA4A3A38D089D228D6CB1194216EE1AE26069CF5B363
SHA-512:	A0063220ECDD22C3E735ACFF6DE559ACF3AC4C37B81D37633975A22A28B026F1935CD1957C0FF7D2ECC8B7F83F250310795EECC5273B893FFAB115098F7B9C38
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: setuptools (70.1.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.536886723742169
Encrypted:	false
SSDEEP:	3:JSej0EBERG:50o4G
MD5:	A24465F7850BA59507BF86D89165525C
SHA1:	4E61F9264DE74783B5924249BCFE1B06F178B9AD
SHA-256:	08EDDF0FDCB29403625E4ACCA38A872D5FE6A972F6B02E4914A82DD725804FE0
SHA-512:	ECF1F6B777970F5257BDDD353305447083008CEBD8E5A27C3D1DA9C7BDC3F9BF3ABD6881265906D6D5E11992653185C04A522F4DB5655FF75EEDB766F93D5D48
Malicious:	false
Preview:	importlib_metadata.

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text, with very long lines (888)
Category:	dropped
Size (bytes):	1335
Entropy (8bit):	4.226823573023539
Encrypted:	false
SSDEEP:	24:FP6Hbz+g9RPZ14bJi04L6GEbX4UQF4UkZQhxI2EIhNyu:9E+i6bJmLm43+Uxxnh0u
MD5:	4CE7501F6608F6CE4011D627979E1AE4
SHA1:	78363672264D9CD3F72D5C1D3665E1657B1A5071
SHA-256:	37FEDCFFBF73C4EB9F058F47677CB33203A436FF9390E4D38A8E01C9DAD28E0B
SHA-512:	A4CDF92725E1D740758DA4DD28DF5D1131F70CEF46946B173FE6956CC0341F019D7C4FECC3C9605F354E1308858721DADA825B4C19F59C5AD1CE01AB84C46B24
Malicious:	false
Preview:	Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum..Curabitur pretium tincidunt lacus. Nulla gravida orci a odio. Nullam varius, turpis et commodo pharetra, est eros bibendum elit, nec luctus magna felis sollicitudin mauris. Integer in mauris eu nibh euismod gravida. Duis ac tellus et risus vulputate vehicula. Donec lobortis risus a elit. Etiam tempor. Ut ullamcorper, ligula eu tempor congue, eros est euismod turpis, id tincidunt sapien risus a quam. Maecenas fermentum consequat mi. Donec fermentum. Pellentesque malesuada nulla a mi. Duis sapien sem, aliquet nec, commodo eget, consequat quis, neque.

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info\LICENSE.txt

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1107
Entropy (8bit):	5.115074330424529
Encrypted:	false
SSDEEP:	24:PWmrRONJHLH0cPP3gtkHw1h39QHOsUv4eOk4/+jvho3nPz:ttONJbbvE/NQHOs5eNS3n7
MD5:	7FFB0DB04527CFE380E4F2726BD05EBF
SHA1:	5B39C45A91A556E5F1599604F1799E4027FA0E60
SHA-256:	30C23618679108F3E8EA1D2A658C7CA417BDFC891C98EF1A89FA4FF0C9828654
SHA-512:	205F284F3A7E8E696C70ED7B856EE98C1671C68893F0952EEC40915A383BC452B99899BDC401F9FE161A1BF9B6E2CEA3BCD90615EEE9173301657A2CE4BAFE14
Malicious:	false
Preview:	MIT License..Copyright (c) 2012 Daniel Holth <dholth@fastmail.fm> and contributors..Permission is hereby granted, free of charge, to any person obtaining a.copy of this software and associated documentation files (the "Software"),.to deal in the Software without restriction, including without limitation.the rights to use, copy, modify, merge, publish, distribute, sublicense,.and/or sell copies of the Software, and to permit persons to whom the.Software is furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included.in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL.THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR.OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERW

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2153
Entropy (8bit):	5.088249746074878
Encrypted:	false
SSDEEP:	48:DEhpFu5MktjaywDK48d+md+7uT8RfkD1UKd+mOl1Awry:DEhpiMktjayq/7kOfsUzmbYy
MD5:	EBEA27DA14E3F453119DC72D84343E8C
SHA1:	7CEB6DBE498B69ABF4087637C6F500742FF7E2B4
SHA-256:	59BAC22B00A59D3E5608A56B8CF8EFC43831A36B72792EE4389C9CD4669C7841
SHA-512:	A41593939B9325D40CB67FD3F41CD1C9E9978F162487FB469094C41440B5F48016B9A66BE2E6E4A0406D6EEDB25CE4F5A860BA1E3DC924B81F63CEEE3AE31117
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: wheel.Version: 0.43.0.Summary: A built-package format for Python.Keywords: wheel,packaging.Author-email: Daniel Holth <dholth@fastmail.fm>.Maintainer-email: Alex Gr.nholm <alex.gronholm@nextday.fi>.Requires-Python: >=3.8.Description-Content-Type: text/x-rst.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Requires-Dist: pytest >= 6.0.0 ; extra == "test".Requires-Dist: setuptools >= 65 ; extra == "test".Project-URL: Changelog, https://wheel.readthedocs.io/en/s

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	4557
Entropy (8bit):	5.714200636114494
Encrypted:	false
SSDEEP:	96:QXVuEmegx01TQIvFCiq9H/H7vp88FxTXiJPkGJP4CWweXQHmnDpMI78IegK5EeZR:QXVxAbYkU4CWweXQHmnDpMeV2BvTRqQF
MD5:	44D352C4997560C7BFB82D9360F5985A
SHA1:	BE58C7B8AB32790384E4E4F20865C4A88414B67A
SHA-256:	783E654742611AF88CD9F00BF01A431A219DB536556E63FF981C7BD673070AC9
SHA-512:	281B1D939A560E6A08D0606E5E8CE15F086B4B45738AB41ED6B5821968DC8D764CD6B25DB6BA562A07018C271ABF17A6BC5A380FAD05696ADF1D11EE2C5749C8
Malicious:	false
Preview:	../../bin/wheel,sha256=cT2EHbrv-J-UyUXu26cDY-0I7RgcruysJeHFanT1Xfo,249..wheel-0.43.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..wheel-0.43.0.dist-info/LICENSE.txt,sha256=MMI2GGeRCPPo6h0qZYx8pBe9_IkcmO8aifpP8MmChlQ,1107..wheel-0.43.0.dist-info/METADATA,sha256=WbrCKwClnT5WCKVrjPjvxDgxo2tyeS7kOJyc1GaceEE,2153..wheel-0.43.0.dist-info/RECORD,,..wheel-0.43.0.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..wheel-0.43.0.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81..wheel-0.43.0.dist-info/entry_points.txt,sha256=rTY1BbkPHhkGMm4Q3F0pIzJBzW2kMxoG1oriffvGdA0,104..wheel/__init__.py,sha256=D6jhH00eMzbgrXGAeOwVfD5i-lCAMMycuG1L0useDlo,59..wheel/__main__.py,sha256=NkMUnuTCGcOkgY0IBLgBCVC_BGGcWORx2K8jYGS12UE,455..wheel/__pycache__/__init__.cpython-312.pyc,,..wheel/__pycache__/__main__.cpython-312.pyc,,..wheel/__pycache__/_setuptools_logging.cpython-312.pyc,,..wheel/__pycache__/bdist_wheel.cpython-312.pyc,,..wheel/__pycache

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.672346887071811
Encrypted:	false
SSDEEP:	3:RtEeX/QFM+vxP+tPCCfA5I:Rt1Qq2WBB3
MD5:	24019423EA7C0C2DF41C8272A3791E7B
SHA1:	AAE9ECFB44813B68CA525BA7FA0D988615399C86
SHA-256:	1196C6921EC87B83E865F450F08D19B8FF5592537F4EF719E83484E546ABE33E
SHA-512:	09AB8E4DAA9193CFDEE6CF98CCAE9DB0601F3DCD4944D07BF3AE6FA5BCB9DC0DCAFD369DE9A650A38D1B46C758DB0721EBA884446A8A5AD82BB745FD5DB5F9B1
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: flit 3.9.0.Root-Is-Purelib: true.Tag: py3-none-any.

C:\Users\user\AppData\Local\Temp\_MEI42042\setuptools\_vendor\wheel-0.43.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	104
Entropy (8bit):	4.271713330022269
Encrypted:	false
SSDEEP:	3:1SSAnAYgh+MWTMhk6WjrAM5t5ln:1Jb9WTMhk9jUM5t5ln
MD5:	6180E17C30BAE5B30DB371793FCE0085
SHA1:	E3A12C421562A77D90A13D8539A3A0F4D3228359
SHA-256:	AD363505B90F1E1906326E10DC5D29233241CD6DA4331A06D68AE27DFBC6740D
SHA-512:	69EAE7B1E181D7BA1D3E2864D31E1320625A375E76D3B2FBF8856B3B6515936ACE3138D4D442CABDE7576FCFBCBB0DEED054D90B95CFA1C99829DB12A9031E26
Malicious:	false
Preview:	[console_scripts].wheel=wheel.cli:main..[distutils.commands].bdist_wheel=wheel.bdist_wheel:bdist_wheel..

C:\Users\user\AppData\Local\Temp\_MEI42042\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1504024
Entropy (8bit):	6.578874733366613
Encrypted:	false
SSDEEP:	24576:95WQyUuqjJVKMXijWRwtHHofIyEcL/2m75i5zxHWc9C08lY8ore60hH:9b0yVKMyjWR6nofQm7U59HWKYY8
MD5:	82EA0259009FF75BBA817BD8C15C7588
SHA1:	04C49687D8241B43AE61A6C59299255EF09A7B39
SHA-256:	8AA8B909A39FCC33D1EC2AD51EAC6714A318C6EFD04F963D21B75D8F64809AD6
SHA-512:	1F8B3343898462E385D25E1820A3D7D971D633933E482EA9FFC596E7E1F902F5657A9F2C104CF320EEEF34CCE814261304E2E1C063BE4C6A807ADC9B75F3E670
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W..W..W..^.P.[....U....Z...._.....S.....T..W........V.....V....<.V......V..RichW..........................PE..d......e.........." ...#..................................................................`.........................................Px...".............................../...........*..T............................(..@...............8............................text............................... ..`.rdata..............................@..@.data...PG.......>..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1137944
Entropy (8bit):	5.462221778372869
Encrypted:	false
SSDEEP:	12288:IFrEHdcM6hbZCjJ43w9hIpCQvb0QN8MdIEQ+U2BNNmD+99FfctZq:IFrEXcCjfk7bPNfv42BN6yzUtZq
MD5:	A1388676824CE6347D31D6C6A7A1D1B5
SHA1:	27DD45A5C9B7E61BB894F13193212C6D5668085B
SHA-256:	2480A78815F619A631210E577E733C9BAFECB7F608042E979423C5850EE390FF
SHA-512:	26EA1B33F14F08BB91027E0D35AC03F6203B4DFEEE602BB592C5292AB089B27FF6922DA2804A9E8A28E47D4351B32CF93445D894F00B4AD6E2D0C35C6C7F1D89
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3m..3m..3m..:...5m......1m......>m......;m......0m......0m..x...1m..3m..cm......2m......2m....j.2m......2m..Rich3m..................PE..d...]..e.........." ...#.>..........`*.......................................p.......%....`.........................................p...X............P.......@.........../...`......P^..T............................]..@............P..p............................text....=.......>.................. ..`.rdata..\....P.......B..............@..@.data...X.... ......................@....pdata.......@......................@..@.rsrc........P......."..............@..@.reloc.......`.......,..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI42042\yarl\_quoting_c.cp312-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\qhos.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	6.009351293579179
Encrypted:	false
SSDEEP:	1536:3A6zeuPEpCbl4DlaAw/AlDNTXBUhF5dYLprRD0PcpgpPmlK:3A6jPEUbOwajI5dsOPcpgpPe
MD5:	EA44DB84EB5858D4579FCB071D4DE2F6
SHA1:	1677D7D95FB7DD34B108787120ADEBE588D24B76
SHA-256:	8011CDA4DD0E7C591C82D91243B6A8EDFC4D95056E99BD123ADE9CF02D76E32D
SHA-512:	E0FE02FDB3A645A232537FCC04427345B2532E489F5AA6AA59BCF03E98A038FABA5A2F2F5F89C3190C6371A4B8D56C52962DA826DF0753CAF875475BFB97AA8E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].......................................................................^.....................F.............Rich............................PE..d.....Lg.........." .....................................................................`.........................................0X..d....X..x...............................,...0H...............................F..@............ ...............................text............................... ..`.rdata...M... ...N..................@..@.data....6...p.......`..............@....pdata...............l..............@..@.rsrc................x..............@..@.reloc..,............z..............@..B................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.992725781649403
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	qhos.exe
File size:	15'717'053 bytes
MD5:	b9e7c2155c65081c5fae1a33bc55efef
SHA1:	1d94d24217e44aca4549d67e340e4a79ebb2dc77
SHA256:	d3ce2fa0dbe4469c93aef6210dc08771c4f06a77ec09a522f1b3773d55d70eab
SHA512:	eb201810d6b8b6f28dd7ff409b2de5a53eb94f16bcf306bb85b67df231d6ca31e548f18a9e2789b34522d59572a8e276bb0066c7741b6665d3f75ce77adc23b2
SSDEEP:	393216:n4uIwq3Obs2ClIW+eGQRH9joGBGc0L2eQnM:nRIwq3ObRqIW+e5RH9MpQnM
TLSH:	C9F63350E0D4ACD6CBB6563EAEA58141E6A3BF520B3CCA4B5B70B5470AB31C1587EF0D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..

File Icon


Icon Hash:	1262a1a0aa92aa8a

Static PE Info

General

Entrypoint:	0x14000ce20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6755E55F [Sun Dec 8 18:28:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F19807EDABCh
dec eax
add esp, 28h
jmp 00007F19807ED6DFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F19807EDE88h
test eax, eax
je 00007F19807ED883h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F19807ED867h
dec eax
cmp ecx, eax
je 00007F19807ED876h
xor eax, eax
dec eax
cmpxchg dword ptr [0003570Ch], ecx
jne 00007F19807ED850h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F19807ED859h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F19807ED869h
mov byte ptr [000356F5h], 00000001h
call 00007F19807ECFB5h
call 00007F19807EE2A0h
test al, al
jne 00007F19807ED866h
xor al, al
jmp 00007F19807ED876h
call 00007F19807FADBFh
test al, al
jne 00007F19807ED86Bh
xor ecx, ecx
call 00007F19807EE2B0h
jmp 00007F19807ED84Ch
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [000356BCh], 00000000h
mov ebx, ecx
jne 00007F19807ED8C9h
cmp ecx, 01h
jnbe 00007F19807ED8CCh
call 00007F19807EDDFEh
test eax, eax
je 00007F19807ED88Ah
test ebx, ebx
jne 00007F19807ED886h
dec eax
lea ecx, dword ptr [000356A6h]
call 00007F19807FABB2h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca34	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x19a1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2238	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x61000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f70	0x2a000	b8c3814c5fb0b18492ad4ec2ffe0830a	False	0.5518740699404762	data	6.489205819736506	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a28	0x12c00	78c5cabbf77993daf011adb1fcabcd33	False	0.5242838541666667	data	5.750769769311862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2238	0x2400	9cd1eac931545f28ab09329f8bfce843	False	0.4697265625	data	5.2645170849678795	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x19a1c	0x19c00	35db13bd970349e79d066a52e38a415a	False	0.07967991504854369	data	3.7032712285528175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x61000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x471d8	0xdcf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.925035360678925
RT_ICON	0x47fa8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.02200402224062463
RT_ICON	0x587d0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.05402692489371753
RT_ICON	0x5c9f8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.0766597510373444
RT_ICON	0x5efa0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.12781425891181988
RT_ICON	0x60048	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.28102836879432624
RT_GROUP_ICON	0x604b0	0x5a	data	0.7666666666666667
RT_MANIFEST	0x6050c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Target ID:	0
Start time:	02:42:55
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\qhos.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\qhos.exe"
Imagebase:	0x7ff646ab0000
File size:	15'717'053 bytes
MD5 hash:	B9E7C2155C65081C5FAE1A33BC55EFEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:42:58
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\qhos.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\qhos.exe"
Imagebase:	0x7ff646ab0000
File size:	15'717'053 bytes
MD5 hash:	B9E7C2155C65081C5FAE1A33BC55EFEF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2224536608.00000161398B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2225574398.00000161385B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2167476534.000001613992D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000002.2247890897.000001613A4A4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2223814087.0000016139961000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2227740468.0000016138688000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2231057854.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2231782577.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2227566885.000001613864E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2229184929.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2229704914.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2228048852.00000161386D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000002.2244466649.00000161386D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2227792101.00000161386CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000002.2247145926.00000161398E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2225094216.000001613858F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MuckStealer, Description: Yara detected Muck Stealer, Source: 00000002.00000003.2226223735.00000161398D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00007FF646AB8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF646AB9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF646AB45E4,00000000,00007FF646AB1985), ref: 00007FF646AB9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8C46

Part of subcall function 00007FF646ACA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646ACA500

Part of subcall function 00007FF646AC878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8CD6
CreateProcessW.KERNELBASE ref: 00007FF646AB8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8D18

Part of subcall function 00007FF646AB2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF646AB3706,?,00007FF646AB3804), ref: 00007FF646AB2C9E
Part of subcall function 00007FF646AB2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF646AB3706,?,00007FF646AB3804), ref: 00007FF646AB2D63
Part of subcall function 00007FF646AB2C50: MessageBoxW.USER32 ref: 00007FF646AB2D99

RegisterClassW.USER32 ref: 00007FF646AB8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8D7B
CreateWindowExW.USER32 ref: 00007FF646AB8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8E05
PeekMessageW.USER32 ref: 00007FF646AB8E29
TranslateMessage.USER32 ref: 00007FF646AB8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8E41
PeekMessageW.USER32 ref: 00007FF646AB8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8FF4
GetExitCodeProcess.KERNELBASE ref: 00007FF646AB9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB901F

Strings

PyInstaller Onefile Hidden Window, xrefs: 00007FF646AB8D85
PyInstallerOnefileHiddenWindow, xrefs: 00007FF646AB8D44
Failed to create child process!, xrefs: 00007FF646AB8D20
CreateProcessW, xrefs: 00007FF646AB8D27

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 90a9b7065753a577a3d8aaa6a24ab6decbbff63b8eb4cc3ba588ef88bab95aef
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 4CD17072A0CE8686EB50BF74E8542A9B761FF84B58F404235EE5D82A94DF3DD189C720

Function 00007FF646AB1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_ARCHIVE_FILE, xrefs: 00007FF646AB38D2, 00007FF646AB39FF
Py_GIL_DISABLED, xrefs: 00007FF646AB3AF4
Failed to start splash screen!, xrefs: 00007FF646AB3ED4
_PYI_SPLASH_IPC, xrefs: 00007FF646AB3A23, 00007FF646AB3EF5
pkg, xrefs: 00007FF646AB39BE
MEI, xrefs: 00007FF646AB3933
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF646AB3E0A
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF646AB3BE8
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF646AB3D35
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF646AB3882, 00007FF646AB38AF
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF646AB3D12
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF646AB3EBB
Could not create temporary directory!, xrefs: 00007FF646AB3CBF
Failed to load splash screen resources!, xrefs: 00007FF646AB3E85
pyi-disable-windowed-traceback, xrefs: 00007FF646AB3BB2
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF646AB3A0B, 00007FF646AB3CD4, 00007FF646AB3F6B
VCRUNTIME140.dll, xrefs: 00007FF646AB3DB1
Failed to convert DLL search path!, xrefs: 00007FF646AB3DDC
pyi-python-flag, xrefs: 00007FF646AB3AD6
pyi-runtime-tmpdir, xrefs: 00007FF646AB3B68
Failed to remove temporary directory: %s, xrefs: 00007FF646AB3FC3
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF646AB3971
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF646AB3A17, 00007FF646AB3A2F, 00007FF646AB3A9B
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF646AB3B32
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF646AB3EA6
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF646AB39DE
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF646AB3C61
pyi-contents-directory, xrefs: 00007FF646AB3B8D

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 221ee4957dd18ffe06ee3afddcba002a7644656f480b66111b2d55fc76433b33
Instruction ID: e663eb8b3e3a5c81446f7c51d033023ef0ae220e8eabbe53520916e19b31bc26
Opcode Fuzzy Hash: 221ee4957dd18ffe06ee3afddcba002a7644656f480b66111b2d55fc76433b33
Instruction Fuzzy Hash: 54328F61A0CE8A91FB15FB2594543B9E791AF45B80F844036DB5EC32D6EF2EE5D8C320

Function 00007FF646AD5C70 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF646AD5CB5

Part of subcall function 00007FF646AD5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD561C

Part of subcall function 00007FF646ACA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9CE
Part of subcall function 00007FF646ACA9B8: GetLastError.KERNEL32(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9D8

Part of subcall function 00007FF646ACA970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF646ACA94F,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACA979
Part of subcall function 00007FF646ACA970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF646ACA94F,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACA99E

_get_daylight.LIBCMT ref: 00007FF646AD5CA4

Part of subcall function 00007FF646AD5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD567C

_get_daylight.LIBCMT ref: 00007FF646AD5F1A
_get_daylight.LIBCMT ref: 00007FF646AD5F2B
_get_daylight.LIBCMT ref: 00007FF646AD5F3C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF646AD617C), ref: 00007FF646AD5F63

Strings

Eastern Summer Time, xrefs: 00007FF646AD6021
Eastern Standard Time, xrefs: 00007FF646AD6009

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction ID: 55578c49a2b50647e8dd274050e19fb689096193c7310f5c576fc5e830db80a3
Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
Instruction Fuzzy Hash: 89D1B036A0CA4286E724FF25D4411B9E7A2EF84794F448136EE4DC7686DF3EE8C18760

Function 00007FF646AD69D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF646AD6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD6749
Part of subcall function 00007FF646AD6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD67C7
Part of subcall function 00007FF646AD6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD6818

CreateFileW.KERNELBASE ref: 00007FF646AD6ADA
CreateFileW.KERNEL32 ref: 00007FF646AD6B2A
GetLastError.KERNEL32 ref: 00007FF646AD6B5A
GetFileType.KERNELBASE ref: 00007FF646AD6B6F
GetLastError.KERNEL32 ref: 00007FF646AD6B79
CloseHandle.KERNEL32 ref: 00007FF646AD6BAC
CloseHandle.KERNEL32 ref: 00007FF646AD6D0F
CreateFileW.KERNEL32 ref: 00007FF646AD6D44
GetLastError.KERNEL32 ref: 00007FF646AD6D53

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 4b9469eb6c5fc31cb35a5f7cffc3118790cff9842ea38c706e8772ccd5f79d83
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: D3C1D032B28E4585EB50EFA4C4902AC7772FB49B98F055229DE2E977D4CF3AE495C310

Function 00007FF646AB83B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF646AB8B09,00007FF646AB3FA5), ref: 00007FF646AB841B
RemoveDirectoryW.KERNEL32(?,00007FF646AB8B09,00007FF646AB3FA5), ref: 00007FF646AB849E
DeleteFileW.KERNELBASE(?,00007FF646AB8B09,00007FF646AB3FA5), ref: 00007FF646AB84BD
FindNextFileW.KERNELBASE(?,00007FF646AB8B09,00007FF646AB3FA5), ref: 00007FF646AB84CB
FindClose.KERNEL32(?,00007FF646AB8B09,00007FF646AB3FA5), ref: 00007FF646AB84DC
RemoveDirectoryW.KERNELBASE(?,00007FF646AB8B09,00007FF646AB3FA5), ref: 00007FF646AB84E5

Strings

%s\*, xrefs: 00007FF646AB83E2

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 39a93d91a788addd72801eeb202cf5dd5373a6ceabdc1da620128e14205563d9
Instruction ID: 8c86abc49579f10d6e34541715bbc53c9d2aeefcb6a30df112c6c6214f4081e7
Opcode Fuzzy Hash: 39a93d91a788addd72801eeb202cf5dd5373a6ceabdc1da620128e14205563d9
Instruction Fuzzy Hash: C5418431A0CD4685EB60BB28E4545B9A364FF94B54F400232EA5DC36D4DF3ED58AC721

Function 00007FF646AD5EEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF646AD5F1A

Part of subcall function 00007FF646AD5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD567C

_get_daylight.LIBCMT ref: 00007FF646AD5F2B

Part of subcall function 00007FF646AD5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD561C

_get_daylight.LIBCMT ref: 00007FF646AD5F3C

Part of subcall function 00007FF646AD5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD564C

Part of subcall function 00007FF646ACA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9CE
Part of subcall function 00007FF646ACA9B8: GetLastError.KERNEL32(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9D8

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF646AD617C), ref: 00007FF646AD5F63

Strings

Eastern Summer Time, xrefs: 00007FF646AD6021
Eastern Standard Time, xrefs: 00007FF646AD6009

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction ID: 462c1a6e787762f53ce4442e65868ce01f5fa0c96262af21b11dcfb6fb0b5114
Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
Instruction Fuzzy Hash: 3F515332A0CA4286E714FF25D8815B9E762FF48784F449135EE4DC7696DF3EE48087A0

Function 00007FF646AB92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF646AB9323
FindClose.KERNELBASE ref: 00007FF646AB9332

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 94e0381262aa3be1df1a36332a5e030d073c09c9b33a0a3afa61ecf0f50070c9
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 7BF06872A1CB4586F7A0BB60B45976AF390FB84764F044339DA6D426D4DF3DD0898A10

Function 00007FF646AD0938 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction ID: bfdaa5846c838cf4e90fe4b9c7f55c12ee1b8b531be475d0fd3672fd7e076044
Opcode Fuzzy Hash: 10bf4b1f0472125ada9b1d6b923a92a2d49e498fcbab652d34985a7b27debbff
Instruction Fuzzy Hash: 0202B022A0DE4240FA65BF21B445279E692AF45BA0F554A35DE9EC73D2DE3FE4C18330

Function 00007FF646AB1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF646AB7F80: _fread_nolock.LIBCMT ref: 00007FF646AB802A

_fread_nolock.LIBCMT ref: 00007FF646AB1A1B

Part of subcall function 00007FF646AB2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF646AB1B6A), ref: 00007FF646AB295E

Strings

malloc, xrefs: 00007FF646AB1B22
Failed to seek to cookie position!, xrefs: 00007FF646AB19EE
Could not allocate memory for archive structure!, xrefs: 00007FF646AB1A61
Failed to read cookie!, xrefs: 00007FF646AB1A2B
Error on file., xrefs: 00007FF646AB1B8D
calloc, xrefs: 00007FF646AB1A68
fseek, xrefs: 00007FF646AB19F5
MEI, xrefs: 00007FF646AB1991
Could not allocate buffer for TOC!, xrefs: 00007FF646AB1B1B
Could not read full TOC!, xrefs: 00007FF646AB1B55
fread, xrefs: 00007FF646AB1A32, 00007FF646AB1B5C

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: f8096cce2067d15cebc3bdaacbdc60c8b6a2e1e4d6ea3146b715ff88ef4c1dca
Instruction ID: fb68b462c496d3267f3d19e048758a998510c19fa25a4a07b9e80cc3ea4f54ed
Opcode Fuzzy Hash: f8096cce2067d15cebc3bdaacbdc60c8b6a2e1e4d6ea3146b715ff88ef4c1dca
Instruction Fuzzy Hash: 5A81C671A0CE8A86E760FB24D0446F9A391FF45B84F404435DA8EC779ADE3EE5C58760

Function 00007FF646AB1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF646AB16A2
Failed to create symbolic link %s!, xrefs: 00007FF646AB1622
malloc, xrefs: 00007FF646AB1749
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF646AB16DA
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF646AB17CA
Failed to extract %s: failed to open target file!, xrefs: 00007FF646AB165C
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF646AB17DF
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF646AB1742
fseek, xrefs: 00007FF646AB16E1
fopen, xrefs: 00007FF646AB1663
fwrite, xrefs: 00007FF646AB17D1
fread, xrefs: 00007FF646AB17E6

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: e33f210c217a6ffcc68d29fe46a5e37371bf7e5689aecd108357e4c1f5d99a01
Instruction ID: 7cea0f6b518ac829e0a57dd3ded8ca75e6943cbfbf62f1eea1e4938712e7af52
Opcode Fuzzy Hash: e33f210c217a6ffcc68d29fe46a5e37371bf7e5689aecd108357e4c1f5d99a01
Instruction Fuzzy Hash: 4851CE61B0CE4B92EA10BB6194001B9E361BF44B94F404532EE0D8779ADF3EE9D9C760

Function 00007FF646AB8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF646AB3CBB), ref: 00007FF646AB88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF646AB3CBB), ref: 00007FF646AB88FA
CreateDirectoryW.KERNELBASE(?,00000000,00007FF646AB3CBB), ref: 00007FF646AB893C

Part of subcall function 00007FF646AB8A20: GetEnvironmentVariableW.KERNEL32(00007FF646AB388E), ref: 00007FF646AB8A57
Part of subcall function 00007FF646AB8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF646AB8A79

Part of subcall function 00007FF646AC82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC82C1

Part of subcall function 00007FF646AB2810: MessageBoxW.USER32 ref: 00007FF646AB28EA

Strings

TMP, xrefs: 00007FF646AB888C, 00007FF646AB8993
LOADER: failed to set the TMP environment variable., xrefs: 00007FF646AB88CC
TMP, xrefs: 00007FF646AB88B2
_MEI%d, xrefs: 00007FF646AB8902
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF646AB896E

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction ID: 2546f8c976cc7f5e1d053ae623ef2df7c0b73ed9b1cb8fb79c5707d50c9421b4
Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
Instruction Fuzzy Hash: E341C211A0DE4645FA20FB65A8552FA9391AF89FC4F400031EE0ED77DADE3EE585C361

Function 00007FF646AB1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF646AB141E
malloc, xrefs: 00007FF646AB12C1, 00007FF646AB12F6
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF646AB1276
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF646AB12BA
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF646AB12EF
1.3.1, xrefs: 00007FF646AB1249

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
Instruction ID: 94b5e9199faa9a2437e9a99d68bb45cad878c6760aeae8a0a6c71f3252fb2062
Opcode Fuzzy Hash: 5203fde90a14cfca52878d148793ed0f56fa2f4a03ba52266beea290f2c18543
Instruction Fuzzy Hash: 8D51F762A0CE4685E660BB11A4403BAE291FF85F94F444135EE4EC77D9EF3EE985C720

Function 00007FF646ACED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF646ACF11A,?,?,-00000018,00007FF646ACADC3,?,?,?,00007FF646ACACBA,?,?,?,00007FF646AC5FAE), ref: 00007FF646ACEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF646ACF11A,?,?,-00000018,00007FF646ACADC3,?,?,?,00007FF646ACACBA,?,?,?,00007FF646AC5FAE), ref: 00007FF646ACEF08

Strings

ext-ms-, xrefs: 00007FF646ACEE59
api-ms-, xrefs: 00007FF646ACEE46

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 14ecf939b8a505e272a2ee51ba5cea1676fcc5a38141318f937c7cfc00b2c5a6
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 4141F261B1DE1291FB16FB16A804675A3D1BF49BD0F884539ED1EC7784EE3EE8858320

Function 00007FF646AB36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF646AB3804), ref: 00007FF646AB36E1
GetLastError.KERNEL32(?,00007FF646AB3804), ref: 00007FF646AB36EB

Part of subcall function 00007FF646AB2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF646AB3706,?,00007FF646AB3804), ref: 00007FF646AB2C9E
Part of subcall function 00007FF646AB2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF646AB3706,?,00007FF646AB3804), ref: 00007FF646AB2D63
Part of subcall function 00007FF646AB2C50: MessageBoxW.USER32 ref: 00007FF646AB2D99

Strings

Failed to obtain executable path., xrefs: 00007FF646AB36F3
GetModuleFileNameW, xrefs: 00007FF646AB36FA
Failed to convert executable path to UTF-8., xrefs: 00007FF646AB3790
Failed to resolve full path to executable %ls., xrefs: 00007FF646AB3739
\\?\, xrefs: 00007FF646AB375A

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: f4218f39d8e50210100c9c618269aac41dbcf59cfdedcadee4aa92cf82d355c3
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 1821B8A1F1CE4691FA20F720E8153B6E255BF48B95F804136EB5EC25D6EE2EE5C4C720

Function 00007FF646ACBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646ACBEF9

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
Instruction ID: 4bd69cada80353a37acf5b273de84fa040e5e699879e62acb933e40167c84bd8
Opcode Fuzzy Hash: 71330427dde7a49afb2283bb308656113f98e0c66a4f806cd66398b14c9322eb
Instruction Fuzzy Hash: EEC1C322A0CF8681E761BB1594402BDBBA1EF81B80F554131EA4F87795CF7FE8D98720

Function 00007FF646AB8760 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF646AB8780
OpenProcessToken.ADVAPI32 ref: 00007FF646AB8793
GetTokenInformation.KERNELBASE ref: 00007FF646AB87B8
GetLastError.KERNEL32 ref: 00007FF646AB87C2
GetTokenInformation.KERNELBASE ref: 00007FF646AB8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF646AB881E
CloseHandle.KERNEL32 ref: 00007FF646AB8836

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction ID: e922f539595c6da0abe4fc4c8d9879105661e91a21a22ea4e74c9b48d0e8e5d1
Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
Instruction Fuzzy Hash: F1215121A0CE4642EB50BB99F45422AE3A1FF85BE0F100235EA6D83AE4DE6ED4848750

Function 00007FF646AB90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF646AB8760: GetCurrentProcess.KERNEL32 ref: 00007FF646AB8780
Part of subcall function 00007FF646AB8760: OpenProcessToken.ADVAPI32 ref: 00007FF646AB8793
Part of subcall function 00007FF646AB8760: GetTokenInformation.KERNELBASE ref: 00007FF646AB87B8
Part of subcall function 00007FF646AB8760: GetLastError.KERNEL32 ref: 00007FF646AB87C2
Part of subcall function 00007FF646AB8760: GetTokenInformation.KERNELBASE ref: 00007FF646AB8802
Part of subcall function 00007FF646AB8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF646AB881E
Part of subcall function 00007FF646AB8760: CloseHandle.KERNEL32 ref: 00007FF646AB8836

LocalFree.KERNEL32(?,00007FF646AB3C55), ref: 00007FF646AB916C
LocalFree.KERNEL32(?,00007FF646AB3C55), ref: 00007FF646AB9175

Strings

D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF646AB9142
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF646AB9183
D:(A;;FA;;;%s), xrefs: 00007FF646AB9157
S-1-3-4, xrefs: 00007FF646AB9121

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction ID: 702e8323489f964ad7221e3df6f26ae13b47c2394ded001998fd0ca9d72cdbbc
Opcode Fuzzy Hash: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
Instruction Fuzzy Hash: 88216D21A0CF4681F750BB10E8152EAA265FF89B80F444036EA4E93796DF3ED885C760

Function 00007FF646AB7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF646AB352C,?,00000000,00007FF646AB3F23), ref: 00007FF646AB7F22

Strings

%.*s, xrefs: 00007FF646AB7EDB
%s%c, xrefs: 00007FF646AB7E94
\, xrefs: 00007FF646AB7E87

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 8ca7fb79b4ea6b2c566bb37e9ebd00ba932afb87f6e77ad964f7d4209dd14296
Instruction ID: 9a82708fdc449c614e7bcfd2c244fa198ab62936b17c0f83a15d30f1cbdf31d0
Opcode Fuzzy Hash: 8ca7fb79b4ea6b2c566bb37e9ebd00ba932afb87f6e77ad964f7d4209dd14296
Instruction Fuzzy Hash: 4531D22161DEC945EA61BB20E8507EAA354EF84FE4F044231EF6D837C9DE2DD681C710

Function 00007FF646ACCFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF646ACCFBB), ref: 00007FF646ACD0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF646ACCFBB), ref: 00007FF646ACD177

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: db8144fa8de4560c9db26a591e74a51a30638b8b82208d5df199264a3feb93ce
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 2A91B572F1CA5185F750BF6994502BDABA1BB44B88F14413ADE0F97A85CE3ED4C2D720

Function 00007FF646ACF9FC Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF646ACFAEC
_get_daylight.LIBCMT ref: 00007FF646ACFAFD
_get_daylight.LIBCMT ref: 00007FF646ACFB0E
_isindst.LIBCMT ref: 00007FF646ACFBD9

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction ID: 5d4382dae873106612d260bcfe249a384a2a2cc08cdd79d4a10b884bf338f876
Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
Instruction Fuzzy Hash: 0951F672F0C9118AFB18FF24D9516BCA7A1AF40358F504135EE2FD2AE5DF39A4818710

Function 00007FF646AC57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF646AC581F
GetFileInformationByHandle.KERNELBASE ref: 00007FF646AC5881
GetLastError.KERNEL32 ref: 00007FF646AC5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF646AC5724), ref: 00007FF646AC595E

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 6433626fc0a770ba4f6d83c09f3326f67990d509dea1b3a303c7df294cc1bd66
Instruction ID: eeb62928c636e0669b382bade804c40e460ad5be323f962b1659bec64547a717
Opcode Fuzzy Hash: 6433626fc0a770ba4f6d83c09f3326f67990d509dea1b3a303c7df294cc1bd66
Instruction Fuzzy Hash: 39519E62E0CA418AFB50FFB1D4503BDA3B1AF48B98F144435EE0E97689DF39D8918720

Function 00007FF646AC5698 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC56C5
CreateFileW.KERNELBASE ref: 00007FF646AC5704
CloseHandle.KERNEL32 ref: 00007FF646AC5739

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction ID: 003e7fb06907797d4426876347d0c4ceaf76d33be45db742ae55c21cd34c4069
Opcode Fuzzy Hash: 24238bc47b860f74abc13910c6a37bc7991964e3dbe0c30fb6d15975fbdc4001
Instruction Fuzzy Hash: 9C41A222D1CB8283E750BB219514379A260FF947A4F108334FA5E43AD6DF6DA8F08760

Function 00007FF646ABCCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646ABCE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF646ABCE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF646ABCCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF646ABCD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF646ABCD91

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 68e24dddbd21d9a77a6339aa77bfa84cc9758c376dcb79c8f6f9fa717f17e5a3
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 14317CA4E4CE0B91FA54BB24A4227B99792AF41B84F440435DB5FCB2D7DE2FA4C5C231

Function 00007FF646AC9AA0 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF646AC9A9C), ref: 00007FF646AC9AB1
TerminateProcess.KERNEL32(?,?,?,00007FF646AC9A9C), ref: 00007FF646AC9ABC
ExitProcess.KERNEL32 ref: 00007FF646AC9ACB

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction ID: ec1450da2718350654a6f8dc5e83ee46aed51c5582562ee1a78996a9481ceaa4
Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
Instruction Fuzzy Hash: E5D06C54F0CE4652EA98BF7058990B892526F88B41B141438DC0B8A393ED2EA88E8320

Function 00007FF646AC01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC02E7

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: a3783c103f76f5a150d3b5fcf152306cbe0f3b8844b431ddea41a13b1dbc13d8
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: E551D761B0DE5186EA24BE79940067AE291AF84BA8F144734DE7E877C5CF3FD4818620

Function 00007FF646ACC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF646ACC33D), ref: 00007FF646ACC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF646ACC33D), ref: 00007FF646ACC1FA

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: f830b1211c18eb29c1bc67a836b981ce4ee4ab7924ca5013b5d6ec107a6b7e74
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: D81104A1B0CE4181DA10BB29A814169E361FB41BF4F544331EE7F8B7D8CE3DD0918710

Function 00007FF646AC5994 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF646AC58A9), ref: 00007FF646AC59C7
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF646AC58A9), ref: 00007FF646AC59DD

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction ID: 5a007183fe55d776fd48fa1e71c835cd4014b111bfaf987e81d1c2820e558cd3
Opcode Fuzzy Hash: 3eb82881f56b5e10c0b4ae1229c4961d4f4fc58e8f6ff53d00dfea58f30bf4d5
Instruction Fuzzy Hash: 4811A77261CA0282EB547B15A44113FF760FB84771F500235FAAEC19D8EF2DD494DB20

Function 00007FF646ACA9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9CE
GetLastError.KERNEL32(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9D8

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: 5170b3c0750fc4f413f491839f4301f1448e701da48262983d5f2953801ff956
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: A5E08650F0CF0243FF187BB258461789151AF84B40F054034CD1EC22A1DE2F68C58370

Function 00007FF646ACABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF646ACAA45,?,?,00000000,00007FF646ACAAFA), ref: 00007FF646ACAC36
GetLastError.KERNEL32(?,?,?,00007FF646ACAA45,?,?,00000000,00007FF646ACAAFA), ref: 00007FF646ACAC40

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 4421f65a1d5d932771d6c02c6a38c6ac6485ff798776fc5bca9598156b1a3e86
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 5F219611F1CE4242FAA477A1949427996D2AF84B94F084235DB2FC77C6DE6EA8C58321

Function 00007FF646ACBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646ACBF44

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: ed8cf6e32a03d3f94da9f40b4b31d5b76b07cdec689a2c8ebc29546d551ad3c5
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 5E41A17291CA018BEA34BB19A541279F3A4EF55B84F144131DA9FC7691CF2FE482CBA1

Function 00007FF646AB7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF646AB802A

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: c7509c5c59c4a666db98ff03363a6938e2dccbe5af1fc5850b6eda6e7b6e2098
Instruction ID: e88ecf1e667533f00b64861faddc77ab2317fbcbad9f1e1e5c88d0b9f487e311
Opcode Fuzzy Hash: c7509c5c59c4a666db98ff03363a6938e2dccbe5af1fc5850b6eda6e7b6e2098
Instruction Fuzzy Hash: A4219121B0DE9685FB54BA2665043BAD651BF45FC4F8C4430EF4D87B86CE7FE0818621

Function 00007FF646ACB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646ACBA32

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 6e63662f9f859c76cc8bd77a0976d98c8a690125d1530e6c2cefc4eef86f082f
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: 2431AE21A1CE468AF7517B55884137CAA60AF80B94F420135EA6F833E2CF7FE8C58775

Function 00007FF646AC99D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF646AC99FF

Part of subcall function 00007FF646AC9AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF646AC9B1D
Part of subcall function 00007FF646AC9AF8: GetProcAddress.KERNEL32 ref: 00007FF646AC9B33
Part of subcall function 00007FF646AC9AF8: FreeLibrary.KERNEL32 ref: 00007FF646AC9B5A

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 44141691edc5fb6da086790566712c62181f1d305d7a84018295773ff131c47c
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 65218E32E08B828AEB64FF64C4442FC73A0EB84718F441635D72E86AD5DF39D585CB60

Function 00007FF646AC6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC5F69

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: d6cd1648f345502d5c1341cf7a8f0021f5a7680b53877f4a911ded8a5316e984
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: A7117522A1CE4189EE64BF51940117EE2A4BF45B84F444031FB4ED7B96DF7FE89087A0

Function 00007FF646AD63C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD63E7

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 81743825312f596e3e6acc6b0ddcb152fd889cf52da661fbec6b3b1d834786c3
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: 7421507271CE4286DB61BF18D450379B6A1EB84B94F185234EA9EC76D9DF3ED4808B10

Function 00007FF646AC042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC0480

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 34f793176986138ff5a0492500a7c0450bf4c5dc3551675a7404ce0c7b690199
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: B601D621A0CF4140EA04FF569A0107AE691BF95FE0F084631EE6D97BD6CE3FE5918310

Function 00007FF646AC7F6C Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC7FAA

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction ID: fccd77d4f0130cb4ac1e8ee914c3e2b24fc13042966e5b8347ccb094a1680fb2
Opcode Fuzzy Hash: 6832eb5f98ca96f5e7cd25db8366a3c1a8b2d6b45623d2691d830cdd3d76c9ad
Instruction Fuzzy Hash: 8201CC20E0DE8348FE647B656581179D190AF06794F444635EA2FC26C6DF3FE4C0C272

Function 00007FF646AC82A8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC82C1

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: 6075334c80d5b26ddd4bd56e77df0aa313612b74e5c51b274e345fd4fa108db3
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: DBE012A0E0CF078AFB143BB445D61799510EF56740F414571EA1BDA2C7DE2F68C99632

Function 00007FF646ACEC08 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF646ACB39A,?,?,?,00007FF646AC4F81,?,?,?,?,00007FF646ACA4FA), ref: 00007FF646ACEC5D

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction ID: 978fe7990072de376f591108215e05fec5e15e31213779a5549db662b515ea57
Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
Instruction Fuzzy Hash: 0FF06D54B0DB0685FE587B6258512B6CA956F85B80F4C5430CD0FC63D1DE1EF4C08270

Function 00007FF646ACD66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF646AC0D00,?,?,?,00007FF646AC236A,?,?,?,?,?,00007FF646AC3B59), ref: 00007FF646ACD6AA

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 901096b45d9cde69264e8ed3c5aae3be45c3383c6456c806cd6efcfc95867fd2
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: ACF05810B2DF0695FE647B615801279E2915F94BA0F080232DC2FC53C2DE2FA4C0E230

Non-executed Functions

Function 00007FF646AB5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5830
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5842
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5879
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB588B
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB58A4
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB58B6
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB58CF
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB58E1
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB58FD
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB590F
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB592B
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB593D
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5959
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB596B
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5987
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5999
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB59B5
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB59C7

Strings

PyMarshal_ReadObjectFromString, xrefs: 00007FF646AB5C5D, 00007FF646AB5C7F
PyConfig_InitIsolatedConfig, xrefs: 00007FF646AB59AB, 00007FF646AB59CD
PyObject_CallFunction, xrefs: 00007FF646AB5CE7, 00007FF646AB5D09
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF646AB5DCD, 00007FF646AB5DEF
PyStatus_Exception, xrefs: 00007FF646AB5E29, 00007FF646AB5E4B
PyUnicode_Decode, xrefs: 00007FF646AB5EE1, 00007FF646AB5F03
Py_IsInitialized, xrefs: 00007FF646AB5921, 00007FF646AB5943
Py_DecRef, xrefs: 00007FF646AB5826, 00007FF646AB5848
PySys_GetObject, xrefs: 00007FF646AB5E57, 00007FF646AB5E79
PyEval_EvalCode, xrefs: 00007FF646AB5BA5, 00007FF646AB5BC7
PyMem_RawFree, xrefs: 00007FF646AB5C8B, 00007FF646AB5CAD
PyObject_CallFunctionObjArgs, xrefs: 00007FF646AB5D15, 00007FF646AB5D37
PyImport_ExecCodeModule, xrefs: 00007FF646AB5C01, 00007FF646AB5C23
PyConfig_SetBytesString, xrefs: 00007FF646AB5A07, 00007FF646AB5A29
PyConfig_Read, xrefs: 00007FF646AB59D9, 00007FF646AB59FB
PyErr_Clear, xrefs: 00007FF646AB5A91, 00007FF646AB5AB3
PyConfig_SetString, xrefs: 00007FF646AB5A35, 00007FF646AB5A57
GetProcAddress, xrefs: 00007FF646AB5858
PyUnicode_Join, xrefs: 00007FF646AB5F99, 00007FF646AB5FBB
Failed to get address for %hs, xrefs: 00007FF646AB5851
PyObject_SetAttrString, xrefs: 00007FF646AB5D71, 00007FF646AB5D93
Py_Finalize, xrefs: 00007FF646AB58C5, 00007FF646AB58E7
PyObject_Str, xrefs: 00007FF646AB5D9F, 00007FF646AB5DC1
PyConfig_Clear, xrefs: 00007FF646AB597D, 00007FF646AB599F
PyErr_Occurred, xrefs: 00007FF646AB5B1B, 00007FF646AB5B3D
PyErr_Restore, xrefs: 00007FF646AB5B77, 00007FF646AB5B99
PyUnicode_FromFormat, xrefs: 00007FF646AB5F3D, 00007FF646AB5F5F
Py_InitializeFromConfig, xrefs: 00007FF646AB58F3, 00007FF646AB5915
PyErr_NormalizeException, xrefs: 00007FF646AB5AED, 00007FF646AB5B0F
Py_PreInitialize, xrefs: 00007FF646AB594F, 00007FF646AB5971
PySys_SetObject, xrefs: 00007FF646AB5E85, 00007FF646AB5EA7
PyErr_Fetch, xrefs: 00007FF646AB5ABF, 00007FF646AB5AE1
PyModule_GetDict, xrefs: 00007FF646AB5CB9, 00007FF646AB5CDB
PyRun_SimpleStringFlags, xrefs: 00007FF646AB5DFB, 00007FF646AB5E1D
PyImport_ImportModule, xrefs: 00007FF646AB5C2F, 00007FF646AB5C51
PyErr_Print, xrefs: 00007FF646AB5B49, 00007FF646AB5B6B
PyConfig_SetWideStringList, xrefs: 00007FF646AB5A63, 00007FF646AB5A85
PyUnicode_Replace, xrefs: 00007FF646AB5FC7, 00007FF646AB5FE9
PyImport_AddModule, xrefs: 00007FF646AB5BD3, 00007FF646AB5BF5
Py_ExitStatusException, xrefs: 00007FF646AB589A, 00007FF646AB58BC
PyUnicode_FromString, xrefs: 00007FF646AB5F6B, 00007FF646AB5F8D
PyUnicode_AsUTF8, xrefs: 00007FF646AB5EB3, 00007FF646AB5ED5
PyObject_GetAttrString, xrefs: 00007FF646AB5D43, 00007FF646AB5D65
PyUnicode_DecodeFSDefault, xrefs: 00007FF646AB5F0F, 00007FF646AB5F31
Py_DecodeLocale, xrefs: 00007FF646AB586F, 00007FF646AB5891

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 3bfb4b33ddc7db6e6cf35bd3b5391dd9991feebdaef6050e558f8e4131e1bf98
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 0322C6A494DF4B91FA44FF65A9141B4A3A6AF09B85F845035CC1F82660FF3EB9C89330

Function 00007FF646AD411C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF646AD416A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD47D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD494C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD4C0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD4E2A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD5067
memcpy_s.LIBCPMT ref: 00007FF646AD5142
memcpy_s.LIBCPMT ref: 00007FF646AD51ED
memcpy_s.LIBCPMT ref: 00007FF646AD52BC

Strings

1#INF, xrefs: 00007FF646AD4293
1#IND, xrefs: 00007FF646AD4257
1#QNAN, xrefs: 00007FF646AD4283
1#SNAN, xrefs: 00007FF646AD427A

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction ID: 238cf1794539046850a9e5715494541eee2ce8662793f6ffc99d7affc7e837e2
Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
Instruction Fuzzy Hash: DCB2D472A1CB828BE764AF64D5407FDB7A2FB54388F405135DE0D97A84DF3AA980CB50

Function 00007FF646ABAD1D Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 00007FF646ABB452
invalid literal/lengths set, xrefs: 00007FF646ABB1A3
invalid distance code, xrefs: 00007FF646ABB624
invalid bit length repeat, xrefs: 00007FF646ABB109
invalid distances set, xrefs: 00007FF646ABB210
invalid distance too far back, xrefs: 00007FF646ABB6E0
too many length or distance symbols, xrefs: 00007FF646ABAEB6
invalid code lengths set, xrefs: 00007FF646ABAE9D
invalid code -- missing end-of-block, xrefs: 00007FF646ABB136

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction ID: 6e430fe2fded03d79e3933d65cabd871db8a4c70f8081729147b51acdb72ad7e
Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
Instruction Fuzzy Hash: 20520772A18AA98BD7A4AF14D458B7D7BA9FB44740F014139E74AC3780DF3ED984CB50

Function 00007FF646ABD19C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF646ABD1B8
RtlCaptureContext.KERNEL32 ref: 00007FF646ABD1E5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF646ABD1FF
RtlVirtualUnwind.KERNEL32 ref: 00007FF646ABD240
IsDebuggerPresent.KERNEL32 ref: 00007FF646ABD294
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF646ABD2B1
UnhandledExceptionFilter.KERNEL32 ref: 00007FF646ABD2BC

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction ID: 92649db19a58825e99a4dac90a4638036bb8c7d084b49fae8ff6791a639c58e0
Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
Instruction Fuzzy Hash: 46311E72608F8586EB60AF60E8403EEB365FB84748F44443ADB4D87B94EF39D588C720

Function 00007FF646ACA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF646ACA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF646ACA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF646ACA750
IsDebuggerPresent.KERNEL32 ref: 00007FF646ACA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF646ACA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF646ACA79E

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 50dd96237e29b7b86551cdffe0ed105bee75ee508fc4e0750def38e2e7a9e7f6
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 38316036618F8186DB60EF25E8402AEB3A4FB88758F540136EB9D83B58DF3DC185CB10

Function 00007FF646AD18E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD1930
FindFirstFileExW.KERNEL32 ref: 00007FF646AD1A3A

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction ID: 6b46c94d7df38dbe31fc08cd39529078ef482a1b3dcac93b16a71b437e0770a3
Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
Instruction Fuzzy Hash: 31B1C926B1CE9241EB61BB6194085B9E392EB44BD4F444131EE5E87BD5EF3EE8C1C320

Function 00007FF646ABD080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF646ABD0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF646ABD0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF646ABD0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF646ABD0D6

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: 16d320fcbef588b419c15c560a1ae3d5b6c9ac3e4547a7c55e05ff67ae357075
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 23117036B58F058AEB40EF60E8442B973A4FB19758F040E35DE2D867A4DF3CD1988350

Function 00007FF646AD3C80 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF646AD3CE6
memcpy_s.LIBCPMT ref: 00007FF646AD3D11

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 544b82256ad39761c0f181a40b2af40bafc430d74428605fe4bf993ffdfc649b
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 6DC1E472B1CA8687D724AF19A04466AF7A2F795784F448134DF4E87784DF3EE840CB40

Function 00007FF646ABA4E4 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

unknown header flags set, xrefs: 00007FF646ABA535
, xrefs: 00007FF646ABA5CB
header crc mismatch, xrefs: 00007FF646ABA991

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction ID: 19952ea0c4c5bed1e76faf83485b71f39666ab5bca86ebfc3e28b39c1c85e402
Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
Instruction Fuzzy Hash: 4BF17372A1CBD94BE795BF18C088B3ABAA9EF45B40F054538DB4987791CF3AD980C750

Function 00007FF646AD9798 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF646AD99E7
RaiseException.KERNEL32 ref: 00007FF646AD99F8

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction ID: e0547a7eef81b050adbd1b4bee9b4e67c14c08b0bcd103bd54b5a98712837e63
Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
Instruction Fuzzy Hash: 2BB15B73A08B898BEB15EF29C84636C7BA1F784B48F148921DE5D837A4CF3AD491C710

Function 00007FF646AC3A14 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF646AC3DC4
, xrefs: 00007FF646AC3B82

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction ID: 719e7c8196e604ac4be49d909c2a6f808b1180dadf43ed653efd70093c60f4e8
Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
Instruction Fuzzy Hash: 17E1AD36A0CE4686EB78BE29815017DB3A0FF45B48F244235DA4F87695DF2BE8D1C760

Function 00007FF646ABA34B Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF646ABA4B2
incorrect header check, xrefs: 00007FF646ABA4CB

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction ID: 7229e12ce8bcb3388b0df57193bfebb4b87da9efe387b661ebdaffedb1bf51a4
Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
Instruction Fuzzy Hash: 08918772A1CACA87E7A4BA14C488B3E7A99FB45750F114139DB5A867C0CF3EE5C4CB10

Function 00007FF646ACDF60 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF646ACE0EA
e+000, xrefs: 00007FF646ACE06D

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction ID: 3748e75db049f792ee92ac1b641954f9ac94799a3e919cd2cb9aedc024521ed1
Opcode Fuzzy Hash: b62be3d0480bbbd0e022829aa0980c84d51f153df7fa61e27e52cad2b39beef0
Instruction Fuzzy Hash: F9514962B1CAC586E724AF399801769EB91F744B94F489231CBA987AC5CF3FE485C710

Function 00007FF646ACDACC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF646ACDE0E

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 815ac2e141ada93c1a0a9efc73518c5577f255eab45b951d9507b85b29600c11
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: ABA14762A0DBC546EB21FF29A4007A9BB91EB61B84F048032DE8E87785DE3EE541D711

Function 00007FF646AC8804 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF646AC8823

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction ID: 37a1ede52e4ee1efab9290635e2ee129af5ea431270292b75c3b126eff72c995
Opcode Fuzzy Hash: 5f14576829c2a404d65bc8e6713cc3c63392e5e443677cfdf71167dbae88db0a
Instruction Fuzzy Hash: 18519D11B0CE4241FB64BB26990157ADA91BF84BC4F484535DE0FC7BD6EE3EE4824322

Function 00007FF646AD34F0 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF646AD34F4

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction ID: 1fe9de5e415e56e8fb9f8db231c9238f29be92a402fb7397717cc690b24946a0
Opcode Fuzzy Hash: 39e33fd4700d97162abc6aa121af668d241eeaeaed41ff08026f27548e358ff0
Instruction Fuzzy Hash: 2CB09260E0BE02C2EA483B216C8222862A67F58700F9801B8C40C80330EE2E20E95761

Function 00007FF646AC3610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction ID: a6ded7ead745dc9cb84b1d58b351c103b4ca83ac9962fa9e8cccc248732ded58
Opcode Fuzzy Hash: 5f2a1199bc68cddcf3b08423a19983f3afdde0c7e054ddf4c3f66946da216a90
Instruction Fuzzy Hash: BDD1CD76A0CE4286EB78FE29815067DA3A0EF05B48F144235CE4F87694DF3BE881D760

Function 00007FF646AB9870 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction ID: 782d8929298b8e1548dfcb4eb6ccdc722328f4cb7442cd8eb5f221247fa1927a
Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
Instruction Fuzzy Hash: 7DC17F762181E08BD289EB29E47947A73D1F78A30DB95406BEF87477C6CB3CA514DB20

Function 00007FF646AC2C80 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction ID: 4a0d54717cffa6a8f141ebbf1030e818853e6024a19cd5edd1c7744cc6a4de9a
Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
Instruction Fuzzy Hash: 77B14B72A0CB8589EB65EF39C05027CBBA0EB4AB4CF244135DA4E97395CF3AD491C764

Function 00007FF646ACE5E0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction ID: 0c134dd82c3d4734311c15ba296fe2374218874d2a8995f1e4ce6445d7b06679
Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
Instruction Fuzzy Hash: C581E472A1CB8186E774FF19944137AFA91FB45794F144235DB8E83B95CE3EE4808B10

Function 00007FF646AD6488 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b78332369169aed8be6dd13cc6d08ed8a401c1151d3c5d6e5b3c154adaf735d2
Instruction ID: 329137ece246195734230063f949a766480a1c9eb33865e5f9eff3dfd704f207
Opcode Fuzzy Hash: b78332369169aed8be6dd13cc6d08ed8a401c1151d3c5d6e5b3c154adaf735d2
Instruction Fuzzy Hash: 3861EE22F0C99246F768BA28845477DE682AF41760F1D5239DE1DC76D5DE7FE8C08B20

Function 00007FF646AC1DC4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 3a9c1bc7c4ec0c3d041ab4218418525cec4764385290f5e017ead95d7e4c3e96
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: AF516536B1CA5286E724AB29D058238B7A1EB45B58F244131DF4E97795CF3BEC83C790

Function 00007FF646AC21D4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 40b04aa8517b7d0541353a8c38609ae6eb38e73c5577172ce582f5484efbfe3b
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 99516576A2CE5186E764AB29C054238B7A0EB94B6CF244131CE4E977D4CF3BE883C750

Function 00007FF646AC19B4 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: f8808582b08c6c42f9f0f0f34f3798b9a089780b8858603f06942f2bbd53d2e0
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 5C518676B1CE5186E724AB29C048238B7A0EB84B58F244131CB4E97795DF3BEC97CB50

Function 00007FF646AC1FD0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 9601b2500b3cc9becc54417d4ef027d7c0bcf3ab90493288a4691cfba441db5c
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 3A515276A1CE5185E724AB29C450239B7A1EB55B5CF248132CE4E977A4CF3BEC82C760

Function 00007FF646AC17B0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 709efac6b9a81d802921c39a5d477ff3ec1e7e0540ff52177a309e328c42ee6f
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: E1518036B1CA5186E764AB29D04863CA7A1EB44B58F245131CB4E97794CF3BEC93C7A0

Function 00007FF646AC1BC0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: efcdb5c687ddd6d8aed77d9e28bfbfb9df54b9ef5ea7b128e45fc42483d5c9fe
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: F2519F36B1CE5186E725AB29C048238A7A1EB45B58F644131DF4E977A8CF3BEC93C750

Function 00007FF646AC5DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 3efb26b6b06398aa685425efde007546dab04c9669551e04e95c46003fe06208
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: B241A9A2C0DF4A48F969B92C49146B8D6C09F63BA0E585274FD9BD33C3DD0E6DE68121

Function 00007FF646AC9F10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction ID: bd2ab6b473f046e9285b4bd4d6bc22db7269027fe494d8323e3ddbe34f9dae9e
Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
Instruction Fuzzy Hash: 1E41A562718E5581EF04EF6ADA14169B391FB48FD0B499436DE0ED7B58DE3ED5818300

Function 00007FF646AC8154 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: 27584ecdc0612c3cdbe58ddb31ae8ac9bb14fc14cba006be8ce2325e3b58b328
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: FF31A032A0CF4281E764BF25A84413EAAD5BB85B90F144239EA5EA3B95DF3DD0428314

Function 00007FF646AD95E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction ID: a70f17e566da095b517f5b80477cb351915d9230fc77d27010dfe4c86a52e938
Opcode Fuzzy Hash: bcf48121633763fd2f6aa1741893fa818c421e56c797f7e3558f0bc07bbc94c0
Instruction Fuzzy Hash: 28F0687171C6558ADB98EF69A402629B7D1F7083C0F408139D58DC3B04DE3DD0A19F54

Function 00007FF646ABD37C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction ID: f5e2cce8705aaed852fa522966dbd73247ac4af76d8fc84458bd2bf7c31e5987
Opcode Fuzzy Hash: e6acc2ec838af36dd9636ef9e1d94249ffac8b7a33868b0b47a68aa66541c0b8
Instruction Fuzzy Hash: 2CA0026290CC0ED0E684BB00EC90035E331FB61704B400076E51EC10B19F3EA484D320

Function 00007FF646AB76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF646AB76C7
GetLastError.KERNEL32 ref: 00007FF646AB76D9
GetProcAddress.KERNEL32 ref: 00007FF646AB7715
GetLastError.KERNEL32 ref: 00007FF646AB7727
GetProcAddress.KERNEL32 ref: 00007FF646AB7740
GetLastError.KERNEL32 ref: 00007FF646AB7752
GetProcAddress.KERNEL32 ref: 00007FF646AB776B
GetLastError.KERNEL32 ref: 00007FF646AB777D
GetProcAddress.KERNEL32 ref: 00007FF646AB7799
GetLastError.KERNEL32 ref: 00007FF646AB77AB
GetProcAddress.KERNEL32 ref: 00007FF646AB77C7
GetLastError.KERNEL32 ref: 00007FF646AB77D9
GetProcAddress.KERNEL32 ref: 00007FF646AB77F5
GetLastError.KERNEL32 ref: 00007FF646AB7807
GetProcAddress.KERNEL32 ref: 00007FF646AB7823
GetLastError.KERNEL32 ref: 00007FF646AB7835
GetProcAddress.KERNEL32 ref: 00007FF646AB7851
GetLastError.KERNEL32 ref: 00007FF646AB7863

Strings

Tcl_JoinThread, xrefs: 00007FF646AB7875, 00007FF646AB7897
Tcl_DoOneEvent, xrefs: 00007FF646AB7761, 00007FF646AB7783
Tcl_EvalEx, xrefs: 00007FF646AB7BB1, 00007FF646AB7BD3
Tcl_EvalObjv, xrefs: 00007FF646AB7BDF, 00007FF646AB7C01
Tcl_Free, xrefs: 00007FF646AB7C3B, 00007FF646AB7C5D
Tcl_Finalize, xrefs: 00007FF646AB778F, 00007FF646AB77B1
Tcl_GetString, xrefs: 00007FF646AB7A9D, 00007FF646AB7ABF
Tcl_CreateObjCommand, xrefs: 00007FF646AB7A6F, 00007FF646AB7A91
Tcl_SetVar2Ex, xrefs: 00007FF646AB7B27, 00007FF646AB7B49
Tcl_ThreadAlert, xrefs: 00007FF646AB79E5, 00007FF646AB7A07
Tk_Init, xrefs: 00007FF646AB7C69, 00007FF646AB7C8B
Tcl_CreateInterp, xrefs: 00007FF646AB770B, 00007FF646AB772D
GetProcAddress, xrefs: 00007FF646AB76EF
Tcl_ConditionFinalize, xrefs: 00007FF646AB792D, 00007FF646AB794F
Tcl_DeleteInterp, xrefs: 00007FF646AB77EB, 00007FF646AB780D
Tcl_Alloc, xrefs: 00007FF646AB7C0D, 00007FF646AB7C2F
Failed to get address for %hs, xrefs: 00007FF646AB76E8
Tcl_ConditionWait, xrefs: 00007FF646AB7989, 00007FF646AB79AB
Tcl_ThreadQueueEvent, xrefs: 00007FF646AB79B7, 00007FF646AB79D9
Tcl_ConditionNotify, xrefs: 00007FF646AB795B, 00007FF646AB797D
Tcl_GetVar2, xrefs: 00007FF646AB7A13, 00007FF646AB7A35
Tcl_GetObjResult, xrefs: 00007FF646AB7B55, 00007FF646AB7B77
Tk_GetNumMainWindows, xrefs: 00007FF646AB7C97, 00007FF646AB7CB9
Tcl_NewStringObj, xrefs: 00007FF646AB7ACB, 00007FF646AB7AED
Tcl_FinalizeThread, xrefs: 00007FF646AB77BD, 00007FF646AB77DF
Tcl_MutexUnlock, xrefs: 00007FF646AB78D1, 00007FF646AB78F3
Tcl_SetVar2, xrefs: 00007FF646AB7A41, 00007FF646AB7A63
Tcl_EvalFile, xrefs: 00007FF646AB7B83, 00007FF646AB7BA5
Tcl_FindExecutable, xrefs: 00007FF646AB7736, 00007FF646AB7758
Tcl_GetCurrentThread, xrefs: 00007FF646AB7847, 00007FF646AB7869
Tcl_NewByteArrayObj, xrefs: 00007FF646AB7AF9, 00007FF646AB7B1B
Tcl_CreateThread, xrefs: 00007FF646AB7819, 00007FF646AB783B
Tcl_MutexLock, xrefs: 00007FF646AB78A3, 00007FF646AB78C5
Tcl_MutexFinalize, xrefs: 00007FF646AB78FF, 00007FF646AB7921
Tcl_Init, xrefs: 00007FF646AB76C0, 00007FF646AB76DF

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 714d873f52792af51d2eb95879a31041a4c2e9fb29adf144e46d7ae3e9b5053e
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: C202C664A4DF0B91FA95FB55A9145B4E3A2BF08B94F845036DD1E82260EF7EF5C88330

Function 00007FF646AB81C0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646AB9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF646AB45E4,00000000,00007FF646AB1985), ref: 00007FF646AB9439

ExpandEnvironmentStringsW.KERNEL32(?,00007FF646AB88A7,?,?,00000000,00007FF646AB3CBB), ref: 00007FF646AB821C

Part of subcall function 00007FF646AB2810: MessageBoxW.USER32 ref: 00007FF646AB28EA

Strings

%.*s, xrefs: 00007FF646AB82FC
CreateDirectory, xrefs: 00007FF646AB836C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF646AB8363
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF646AB81F3
\, xrefs: 00007FF646AB8251
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF646AB82C9
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF646AB8230
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF646AB828D

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction ID: 8bb942d9accb12893743d5663a9705109e68a0ad1f84d1eaa7007a96fb313aa4
Opcode Fuzzy Hash: e491f33a4545c5dc9e33b4da933e1c9d98f9a36929a11ac7b8a73595df86892f
Instruction Fuzzy Hash: 8051B551A2CE4681FB50FB24E8516BAE261EF94B84F444032EB0EC26D5EE3EE584C770

Function 00007FF646AB2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF646AB21AB
SelectObject.GDI32 ref: 00007FF646AB21F2
DrawTextW.USER32 ref: 00007FF646AB2215
SelectObject.GDI32 ref: 00007FF646AB222B
ReleaseDC.USER32 ref: 00007FF646AB223B
MoveWindow.USER32 ref: 00007FF646AB228B
MoveWindow.USER32 ref: 00007FF646AB22CB
MoveWindow.USER32 ref: 00007FF646AB231E
MoveWindow.USER32 ref: 00007FF646AB2366

Strings

P%, xrefs: 00007FF646AB21FF

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 8f999aa9f5823572a3b6343ba8003cdef3f383c2b888c49ce5458c15d0946eff
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 89510766618BA186D674AF22E4181BAF7A1F798B65F004121EFDE83794DF3DD085CB20

Function 00007FF646AB80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF646AB80EF
GetWindowLongPtrW.USER32 ref: 00007FF646AB816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF646AB8182
GetLastError.KERNEL32 ref: 00007FF646AB818C
SetWindowLongPtrW.USER32 ref: 00007FF646AB81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF646AB8175

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 49fb1d1a2cd9831c95365f66379ace5cf215a7cfb8f841da46c25e108772c34f
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 30218B61A0DE4682E781BB7AB854169E261EF88F90F484231DF2EC3798DE2DD5C58231

Function 00007FF646AC6300 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC6343
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC6730
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC69CC

Strings

p, xrefs: 00007FF646AC63F5
-, xrefs: 00007FF646AC63D9
f, xrefs: 00007FF646AC6465
:, xrefs: 00007FF646AC64FC
p, xrefs: 00007FF646AC646D

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: aa2407f8c1ed831867b3ad40dca8b114fb89a499afc9eb9ec86097677855a780
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 53129F62B0C95386FB24FB14D1582B9F6A1FB80750F9C5535E68B86AC4DF3EE5C09B20

Function 00007FF646AC1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC16DF

Strings

p, xrefs: 00007FF646AC1182
f, xrefs: 00007FF646AC117A
p, xrefs: 00007FF646AC111D
f, xrefs: 00007FF646AC12C5
f, xrefs: 00007FF646AC1110

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 28290d89d08414d8567abeafee8764f8486b2777e875aa6f8eefec77dc04a77b
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: F9127271F0C98385FB60BA15E15C679E2A1EB40758F984035D79B866C4DF7EECC09B24

Function 00007FF646AB1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF646AB1098
malloc, xrefs: 00007FF646AB110F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF646AB10CC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF646AB11F6
fseek, xrefs: 00007FF646AB10D3
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF646AB1108
fread, xrefs: 00007FF646AB11FD

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 459c70ac1d7639bc8463e208505d68a8d1b4527688a9ba0853ea1617660c4a39
Instruction ID: 75acdbc43d5ab413e49369bbaf7646ea72df2cf47cc4fe4bc891f38b3f50b0f9
Opcode Fuzzy Hash: 459c70ac1d7639bc8463e208505d68a8d1b4527688a9ba0853ea1617660c4a39
Instruction Fuzzy Hash: 1F41A061B0CE5686EA00FB12A8046B9E391FF54FC4F444432EE0D8779ADF3EE5858760

Function 00007FF646AB1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF646AB149F
malloc, xrefs: 00007FF646AB151F
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF646AB14DE
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF646AB15DF
fseek, xrefs: 00007FF646AB14E5
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF646AB1518
fread, xrefs: 00007FF646AB15E6

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 0b283387f8163d2c1451a1fd9c7ee0611bebd7135be36a4017c4ebfd3c397b14
Instruction ID: f56dee9665f3d7c6bce260a51f4e99b799b89c0c3015a8798b2d1cd23bd2389b
Opcode Fuzzy Hash: 0b283387f8163d2c1451a1fd9c7ee0611bebd7135be36a4017c4ebfd3c397b14
Instruction Fuzzy Hash: 5441BF62A0CE4695EB00FF2194411B9E391FF44B88F444532EE4E87B99DE3EE986C764

Function 00007FF646ABEA78 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF646ABEAD5

Part of subcall function 00007FF646ABFA2C: __GetUnwindTryBlock.LIBCMT ref: 00007FF646ABFA6F
Part of subcall function 00007FF646ABFA2C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF646ABFA94

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF646ABEBAD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF646ABEDFB
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF646ABEF08

Strings

csm, xrefs: 00007FF646ABEBD0
csm, xrefs: 00007FF646ABEAEF
csm, xrefs: 00007FF646ABEB56

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction ID: 4bfb47a96ec4a45f6f35c18dc0a998d94f19ea201aeb451d2be834f586817538
Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
Instruction Fuzzy Hash: 44D18132A0CB4986EB20BB25D4413ADB7A0FB45B88F144136EF4D9BB96DF39E490C750

Function 00007FF646AB2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF646AB3706,?,00007FF646AB3804), ref: 00007FF646AB2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF646AB3706,?,00007FF646AB3804), ref: 00007FF646AB2D63
MessageBoxW.USER32 ref: 00007FF646AB2D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF646AB2D70
[PYI-%d:ERROR] , xrefs: 00007FF646AB2CA6
Error, xrefs: 00007FF646AB2D8C
%ls: , xrefs: 00007FF646AB2D22

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction ID: 1815dee7cb6c81bd9e244ddeef3f08de92b89a1fc78b08fc108bba6b9799667a
Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
Instruction Fuzzy Hash: 7231C562B0CE4542E620BB25B8546BBA795BF88BD8F400136EF4DD3759DE3DD58AC310

Function 00007FF646ABDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF646ABDFEA,?,?,?,00007FF646ABDCDC,?,?,?,00007FF646ABD8D9), ref: 00007FF646ABDDBD
GetLastError.KERNEL32(?,?,?,00007FF646ABDFEA,?,?,?,00007FF646ABDCDC,?,?,?,00007FF646ABD8D9), ref: 00007FF646ABDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF646ABDFEA,?,?,?,00007FF646ABDCDC,?,?,?,00007FF646ABD8D9), ref: 00007FF646ABDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF646ABDFEA,?,?,?,00007FF646ABDCDC,?,?,?,00007FF646ABD8D9), ref: 00007FF646ABDE63
GetProcAddress.KERNEL32(?,?,?,00007FF646ABDFEA,?,?,?,00007FF646ABDCDC,?,?,?,00007FF646ABD8D9), ref: 00007FF646ABDE6F

Strings

api-ms-, xrefs: 00007FF646ABDDDD

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: ba447dd26a55f1580cd122c3252bf3c7c0b2209d998c564449d5e35bd34a7759
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 6C317E21B1EE4A91EE52BB02A800579E394FF59FA0F594536EE1D87380EF3DE4848624

Function 00007FF646AB6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

LoadLibrary, xrefs: 00007FF646AB649E
Failed to load Python DLL '%ls'., xrefs: 00007FF646AB6497
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF646AB63F7
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF646AB63B7
ucrtbase.dll, xrefs: 00007FF646AB63CD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF646AB6446

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: c6b32316bfe7a0aff6899d53276924ef6fe1744c5bc58fcca4aca07baf8add6e
Instruction ID: 7ee21ffe7dc67eb685b9e8cfd04273cce96db1e623073fe23fc909731debaf24
Opcode Fuzzy Hash: c6b32316bfe7a0aff6899d53276924ef6fe1744c5bc58fcca4aca07baf8add6e
Instruction Fuzzy Hash: 60416171B1CE8A91EA11FB20E5152E9E315FB44B84F800132EB5D83696EF3EE685C760

Function 00007FF646AB2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF646AB351A,?,00000000,00007FF646AB3F23), ref: 00007FF646AB2AA0

Strings

Warning, xrefs: 00007FF646AB2B1E
WARNING, xrefs: 00007FF646AB2AAF
[PYI-%d:%s] , xrefs: 00007FF646AB2AA8
0, xrefs: 00007FF646AB2B16
Warning [ANSI Fallback], xrefs: 00007FF646AB2B0F

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction ID: c2813bd725b3eccd40631ed21aafc63be86ae157b3e2fe12baad35545d490715
Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
Instruction Fuzzy Hash: 2F218172A1CB8182E660BB51F8417E6A394FB887C4F400136FE8D83659DF3DD689C750

Function 00007FF646ACB1C0 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF646ACB1CF
FlsGetValue.KERNEL32 ref: 00007FF646ACB1E4
FlsSetValue.KERNEL32 ref: 00007FF646ACB205
FlsSetValue.KERNEL32 ref: 00007FF646ACB232
FlsSetValue.KERNEL32 ref: 00007FF646ACB243
FlsSetValue.KERNEL32 ref: 00007FF646ACB254
SetLastError.KERNEL32 ref: 00007FF646ACB26F

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction ID: 5485b52b4cc808fed16e114185bb9831f8efa67bb9f261050c3c035b5b671ca4
Opcode Fuzzy Hash: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
Instruction Fuzzy Hash: 19216F20E0DE4641FA647761966513DD1429F54BB0F044734D93FCBAD6EE2FB4C58321

Function 00007FF646AD7DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF646AD7E0D
GetLastError.KERNEL32 ref: 00007FF646AD7E19
CloseHandle.KERNEL32 ref: 00007FF646AD7E31
CreateFileW.KERNEL32 ref: 00007FF646AD7E5C
WriteConsoleW.KERNEL32 ref: 00007FF646AD7E7B

Strings

CONOUT$, xrefs: 00007FF646AD7E3D

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 873558190367a4d2a237d141310b78e621a26cc4aadf2a4411ebacf0bb35fd4f
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 62116021B1CE4286E750BB52E854369A6A1FB88FE4F044234EE5DC77A4DF7ED8848750

Function 00007FF646AB8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF646AB9216), ref: 00007FF646AB8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF646AB9216), ref: 00007FF646AB85E9

Part of subcall function 00007FF646AB9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF646AB45E4,00000000,00007FF646AB1985), ref: 00007FF646AB9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF646AB9216), ref: 00007FF646AB8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF646AB9216), ref: 00007FF646AB86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF646AB9216), ref: 00007FF646AB86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF646AB9216), ref: 00007FF646AB870A

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction ID: ad8de16c187df3f2852ea0ae3ac4c055481e7318f227933dd2571555c14f3504
Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
Instruction Fuzzy Hash: 2141B462B1DA8A81EB30BB15A5406AAA394FF84FC8F440135DF8DD7B89DE3DD581C721

Function 00007FF646ACB338 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF646AC4F81,?,?,?,?,00007FF646ACA4FA,?,?,?,?,00007FF646AC71FF), ref: 00007FF646ACB347
FlsSetValue.KERNEL32(?,?,?,00007FF646AC4F81,?,?,?,?,00007FF646ACA4FA,?,?,?,?,00007FF646AC71FF), ref: 00007FF646ACB37D
FlsSetValue.KERNEL32(?,?,?,00007FF646AC4F81,?,?,?,?,00007FF646ACA4FA,?,?,?,?,00007FF646AC71FF), ref: 00007FF646ACB3AA
FlsSetValue.KERNEL32(?,?,?,00007FF646AC4F81,?,?,?,?,00007FF646ACA4FA,?,?,?,?,00007FF646AC71FF), ref: 00007FF646ACB3BB
FlsSetValue.KERNEL32(?,?,?,00007FF646AC4F81,?,?,?,?,00007FF646ACA4FA,?,?,?,?,00007FF646AC71FF), ref: 00007FF646ACB3CC
SetLastError.KERNEL32(?,?,?,00007FF646AC4F81,?,?,?,?,00007FF646ACA4FA,?,?,?,?,00007FF646AC71FF), ref: 00007FF646ACB3E7

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction ID: 4a71e147efff7ddf5ec5792a9eec7515b8802806d8ed92a319dcc9e0278aedb9
Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
Instruction Fuzzy Hash: 94116D20B0DE4282FA547721969113DE182AF44BB0F044734E93FCABD6EE2FA4C58331

Function 00007FF646AB2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF646AB1B6A), ref: 00007FF646AB295E

Strings

%s: %s, xrefs: 00007FF646AB29E8
Error, xrefs: 00007FF646AB2A0E
Error [ANSI Fallback], xrefs: 00007FF646AB29FF
[PYI-%d:ERROR] , xrefs: 00007FF646AB2966

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: d37e2d4d2308dea67e29211079533e7d7725b0c4c17ce40f7ef0c1dc1b714c33
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 0B31C762B1CA8552E760B761A8406F6A695BF88BD4F400132FE8DC3759DF3DD586C610

Function 00007FF646AB2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF646AB23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF646AB248E
DeleteObject.GDI32 ref: 00007FF646AB24C1
DestroyIcon.USER32 ref: 00007FF646AB24D3

Strings

Unhandled exception in script, xrefs: 00007FF646AB23F8

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction ID: 1f4a9a6a93d6be28d5ca47a1fe6d4408e396623dd6e333d495b9e3931d868974
Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
Instruction Fuzzy Hash: 8D31607261CA8189EB60FF21E8552F9A360FF88788F440135EA4E8BB49DF3DD184C710

Function 00007FF646AB2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF646AB918F,?,00007FF646AB3C55), ref: 00007FF646AB2BA0
MessageBoxW.USER32 ref: 00007FF646AB2C2A

Strings

Warning, xrefs: 00007FF646AB2C1D
WARNING, xrefs: 00007FF646AB2BAF
[PYI-%d:%ls] , xrefs: 00007FF646AB2BA8

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction ID: bc119789994dea0b09f3c0065e460ed68dafabd97455bb7fd221f3f59a000547
Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
Instruction Fuzzy Hash: 6D21A16270CF4182E750BB54F8847EAA3A4FB887C4F400136EE8D97659DE3DD689C710

Function 00007FF646AB2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF646AB1B99), ref: 00007FF646AB2760

Strings

ERROR, xrefs: 00007FF646AB276F
[PYI-%d:%s] , xrefs: 00007FF646AB2768
Error, xrefs: 00007FF646AB27DE
Error [ANSI Fallback], xrefs: 00007FF646AB27CF

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 5277d9acfab89ab9d99eefbe351da8155980cb4421cfd4bf95e27f7c4d2a6c8b
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 1A217C72A1CB8582E660BB50B8817E6A3A4FB887C4F400136EE8D83659DF7DD6898750

Function 00007FF646AC9AF8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF646AC9B1D
GetProcAddress.KERNEL32 ref: 00007FF646AC9B33
FreeLibrary.KERNEL32 ref: 00007FF646AC9B5A

Strings

CorExitProcess, xrefs: 00007FF646AC9B2C
mscoree.dll, xrefs: 00007FF646AC9B14

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction ID: 4cab9f14f70f979fc23faefe4030f7606b165a6ff013825362236a9b19570db4
Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
Instruction Fuzzy Hash: 91F0C261B0CF0681FB50FB20E454379A320EF49761F440235CA6E861E4CF2ED0C8C320

Function 00007FF646AD93D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF646AD9400
_set_statfp.LIBCMT ref: 00007FF646AD941B
_set_statfp.LIBCMT ref: 00007FF646AD9437
_set_statfp.LIBCMT ref: 00007FF646AD9473

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 12fd4369076be84bdc41967321dd05b3af15b2017aa65e09af264655ccb87287
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 0C1191B2E5CE1301F754B124D456375A0466F59374F050634EE7E8A2D7CE2EE9C14124

Function 00007FF646ACB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF646ACA613,?,?,00000000,00007FF646ACA8AE,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACB41F
FlsSetValue.KERNEL32(?,?,?,00007FF646ACA613,?,?,00000000,00007FF646ACA8AE,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACB43E
FlsSetValue.KERNEL32(?,?,?,00007FF646ACA613,?,?,00000000,00007FF646ACA8AE,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACB466
FlsSetValue.KERNEL32(?,?,?,00007FF646ACA613,?,?,00000000,00007FF646ACA8AE,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACB477
FlsSetValue.KERNEL32(?,?,?,00007FF646ACA613,?,?,00000000,00007FF646ACA8AE,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACB488

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction ID: ab841c59357fbc51218342ff9f52246f9c9d86c21f1757fdbedd7b2e82a45e22
Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
Instruction Fuzzy Hash: 35116020F0DE4281FA58B765A651179E142AF847B0F488734E93FDA6D6EE2FF4C58321

Function 00007FF646ACB294 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF646ACB2A5
FlsSetValue.KERNEL32 ref: 00007FF646ACB2C4
FlsSetValue.KERNEL32 ref: 00007FF646ACB2EC
FlsSetValue.KERNEL32 ref: 00007FF646ACB2FD
FlsSetValue.KERNEL32 ref: 00007FF646ACB30E

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction ID: 86671ee24139577d78aba48cedbc953abf6e272e14e05e0a083e1c436438244b
Opcode Fuzzy Hash: e449caa10890978289f0fc2f631dee428fb70040431ae2bf3103bb36de88fb08
Instruction Fuzzy Hash: 65111520E0DE0786FA687365546227AD1425F55720F484734D93FCA6D2ED2FB4C58232

Function 00007FF646AC6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC622C

Strings

verbose, xrefs: 00007FF646AC6020

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: b7f936ef77a05fbbf5bcbdb9318f582ee60864c70ac4e53c8cb264772f776e68
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: D091BD22B0CE4681F761FF28D46877DB391AB40B94F489136DA5B873C5DE3EE8858321

Function 00007FF646ACFC38 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646ACFF17

Part of subcall function 00007FF646AC7AAC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC7AC9

Strings

ccs, xrefs: 00007FF646ACFE52
UTF-16LEUNICODE, xrefs: 00007FF646ACFEB5
UTF-8, xrefs: 00007FF646ACFE96

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction ID: e83a27682eb624cd7a69e608bc88cd276ad15e97e9e6ee65e58b27b9216eda8a
Opcode Fuzzy Hash: 4ea7f6e1ba59c177a711b7ec70ee344f27d005a52efb2894dd87f7f788f8515e
Instruction Fuzzy Hash: 9A819132E0CA4285F7657F298150278B6E0AF12B88F558035DA0BD7299DF2FE9C19761

Function 00007FF646ABD6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF646ABD6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF646ABD77A
RtlUnwindEx.KERNEL32 ref: 00007FF646ABD7D4

Strings

csm, xrefs: 00007FF646ABD761

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: f828acd0bc2dcb960bfc5a8e9d4a57377a6c33b733f08c646bd0f2cee17a734c
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 88518D32A1DA468ADB14BF15E444A78A791EB44F98F108136DB4E87788EF7EE8C1C710

Function 00007FF646ABEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF646ABEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF646ABEFF3

Strings

RCC, xrefs: 00007FF646ABEFC3
MOC, xrefs: 00007FF646ABEFBB

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: dae0add7e3fb6d68b07cc8d1a71a599aaa782982d38f98aaaa4431fecfb95fb4
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: AA61807290CBC981EB60AB15E4403AAF7A0FB85B84F084625EB9D47B55DF7DD1D0CB20

Function 00007FF646ABF2F8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF646ABF320
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF646ABF408

Strings

csm, xrefs: 00007FF646ABF45A
csm, xrefs: 00007FF646ABF342

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction ID: f86d0bfa028b3355662eaf225ee7f0f9ea563091d72a369f551eeacd452bd8a3
Opcode Fuzzy Hash: 1b872e8f6993e9c5779cc40e3c84c693849f7921638dfce8d08fafba9ab8d571
Instruction Fuzzy Hash: 79518F3290CA8A86EB64BF259144368F6A0FB54F94F188236DB5D87B95CF3EE490C711

Function 00007FF646AB2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF646AB28EA

Strings

ERROR, xrefs: 00007FF646AB286F
Error, xrefs: 00007FF646AB28DD
[PYI-%d:%ls] , xrefs: 00007FF646AB2868

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: 9e8d19d2ed1f2bc9a69fc9b3d6ec2212395e429851e979d2b3735ae190349c10
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 50219FA2B0CB4182E650BB54F8447EAA3A4FB88784F400136EE8D93659DE3DD689C710

Function 00007FF646ACC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF646ACC68F
WriteFile.KERNEL32 ref: 00007FF646ACC957
WriteFile.KERNEL32 ref: 00007FF646ACC99D
GetLastError.KERNEL32 ref: 00007FF646ACCA53

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 0dba6a515fa2e01f3673ed82e3a01550e4808a6e0913874a808adb3bc7c19de5
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 42D114B2B1CE808AE710EF65D4442AC77B2FB44B98B448235DE5F97B89DE39D046C350

Function 00007FF646AB20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF646AB20F4
SetWindowLongPtrW.USER32 ref: 00007FF646AB2116
GetWindowLongPtrW.USER32 ref: 00007FF646AB2140
InvalidateRect.USER32 ref: 00007FF646AB2160

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 47707f41c947277ee21eb20f1cba9eb01b94d3b999dd30700cc6c654e67de4f0
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: F111A971A1C94642F694F769F5442B99292EB89B84F488031DF4947B9DCD2FD8D5C220

Function 00007FF646AD5B8C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646AD17D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD1803

_get_daylight.LIBCMT ref: 00007FF646AD5CA4
_get_daylight.LIBCMT ref: 00007FF646AD5CB5

Strings

?, xrefs: 00007FF646AD5C35

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction ID: 1ad96de91a2e71baa94c0c0fa1f11e64dfbd77817f8c3bc05a208d5144c89007
Opcode Fuzzy Hash: 49037f27f8a3fd0af602071961786b5c11050eb40cc6520dd4d88adff463e317
Instruction Fuzzy Hash: 33412B12A0CA8245FB24BB25E405379E691EF90BA4F144235EF5D86AD5DF3ED8C1C710

Function 00007FF646AC9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC90B6

Part of subcall function 00007FF646ACA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9CE
Part of subcall function 00007FF646ACA9B8: GetLastError.KERNEL32(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF646ABCC15), ref: 00007FF646AC90D4

Strings

C:\Users\user\Desktop\qhos.exe, xrefs: 00007FF646AC90C2

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\qhos.exe
API String ID: 3580290477-2817503745
Opcode ID: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction ID: b9cd7c38ff6c84f88980d320efce69b329563604248803c2d62eb1080271ffe3
Opcode Fuzzy Hash: 6949f310d66ea20a01752be9fefe254e5f7f697695929ffcc1b4329691481a3a
Instruction Fuzzy Hash: 6B416032A0CF5286EB54FF25A4420BDA795EF457D4B554035EA4F83B85DE3EE4C18360

Function 00007FF646ACCCA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF646ACCDBF
GetLastError.KERNEL32 ref: 00007FF646ACCDE1

Strings

U, xrefs: 00007FF646ACCD6B

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction ID: d80dacdd379b6231e40d1a1cfeaf56bfd43486245b47f24f5af2b85ff2a7b5d5
Opcode Fuzzy Hash: 476bd95e1daeb27f29af256220462f16043a6e728498dde3caabbd6ec9016d26
Instruction Fuzzy Hash: 4E41B472B1CA4581DB61AF25E4443AAA7A1FB88794F444035EE4EC7B98EF3DD481C750

Function 00007FF646ACF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF646ACF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF646ACF6BA

Strings

:, xrefs: 00007FF646ACF67E

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction ID: 8beab3b547bb5766f344f132f6ee627726beca0c861ab153c26e978782805346
Opcode Fuzzy Hash: d6dc5ef3b9a701496246f0bbbe5215094a09db29d56a445c076fb19df1080212
Instruction Fuzzy Hash: 6B21B662A0CE8182FB20BB15D04426DB3B1FF84B44F954035DA9E83694DF7EE9C58761

Function 00007FF646ABFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF646ABFE08
RaiseException.KERNEL32 ref: 00007FF646ABFE49

Strings

csm, xrefs: 00007FF646ABFE36

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 7d9e53c96976b0a9da84be20f7235d8270a38c20977b9f41d312cad6607664ba
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 8311193261CF8582EB61AB15F440269B7E5FB88B88F584234DF8D47B69DF3DD5918B00

Function 00007FF646AD07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD07DC
GetDriveTypeW.KERNEL32 ref: 00007FF646AD081C

Strings

:, xrefs: 00007FF646AD0805

Memory Dump Source

Source File: 00000000.00000002.2268055145.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000000.00000002.2268031814.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268088150.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268116056.00007FF646AF2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2268159479.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 9151ae9870f228d7b05f5a075ce259a5260c193ca323c73bcf92ff579b76113a
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 3D01676291CE0785FB60BF60A46627EA3A0FF44744F840135D95DC6695DF3EE5848B34

Analysis Process: qhos.exePID: 1516, Parent PID: 4204COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	554
Total number of Limit Nodes:	14

Executed Functions

Function 00007FF646AB1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 509
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF646AB3A17, 00007FF646AB3A2F, 00007FF646AB3A9B
pyi-runtime-tmpdir, xrefs: 00007FF646AB3B68
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF646AB3882, 00007FF646AB38AF
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF646AB3D35
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF646AB3B32
VCRUNTIME140.dll, xrefs: 00007FF646AB3DB1
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF646AB3A0B, 00007FF646AB3CD4, 00007FF646AB3F6B
_PYI_SPLASH_IPC, xrefs: 00007FF646AB3A23, 00007FF646AB3EF5
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF646AB3BE8
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF646AB3E0A
Failed to convert DLL search path!, xrefs: 00007FF646AB3DDC
pyi-disable-windowed-traceback, xrefs: 00007FF646AB3BB2
pyi-contents-directory, xrefs: 00007FF646AB3B8D
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF646AB3C61
Could not create temporary directory!, xrefs: 00007FF646AB3CBF
Py_GIL_DISABLED, xrefs: 00007FF646AB3AF4
pyi-python-flag, xrefs: 00007FF646AB3AD6
pkg, xrefs: 00007FF646AB39BE
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF646AB3EBB
Failed to start splash screen!, xrefs: 00007FF646AB3ED4
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF646AB3EA6
MEI, xrefs: 00007FF646AB3933
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF646AB39DE
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF646AB3971
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF646AB3D12
_PYI_ARCHIVE_FILE, xrefs: 00007FF646AB38D2, 00007FF646AB39FF
Failed to load splash screen resources!, xrefs: 00007FF646AB3E85
Failed to remove temporary directory: %s, xrefs: 00007FF646AB3FC3

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: c0a66ebca772141f760a29a0dd77fc68e5502f7a94feb123d2d63e937376cc0c
Instruction ID: e663eb8b3e3a5c81446f7c51d033023ef0ae220e8eabbe53520916e19b31bc26
Opcode Fuzzy Hash: c0a66ebca772141f760a29a0dd77fc68e5502f7a94feb123d2d63e937376cc0c
Instruction Fuzzy Hash: 54328F61A0CE8A91FB15FB2594543B9E791AF45B80F844036DB5EC32D6EF2EE5D8C320

Function 00007FF646AD69D4 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF646AD6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD6749
Part of subcall function 00007FF646AD6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD67C7
Part of subcall function 00007FF646AD6708: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD6818

CreateFileW.KERNEL32 ref: 00007FF646AD6ADA
CreateFileW.KERNEL32 ref: 00007FF646AD6B2A
GetLastError.KERNEL32 ref: 00007FF646AD6B5A
GetFileType.KERNEL32 ref: 00007FF646AD6B6F
GetLastError.KERNEL32 ref: 00007FF646AD6B79
CloseHandle.KERNEL32 ref: 00007FF646AD6BAC
CloseHandle.KERNEL32 ref: 00007FF646AD6D0F
CreateFileW.KERNEL32 ref: 00007FF646AD6D44
GetLastError.KERNEL32 ref: 00007FF646AD6D53

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction ID: 4b9469eb6c5fc31cb35a5f7cffc3118790cff9842ea38c706e8772ccd5f79d83
Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
Instruction Fuzzy Hash: D3C1D032B28E4585EB50EFA4C4902AC7772FB49B98F055229DE2E977D4CF3AE495C310

Function 00007FF646AB92F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF646AB9323
FindClose.KERNEL32 ref: 00007FF646AB9332

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction ID: 94e0381262aa3be1df1a36332a5e030d073c09c9b33a0a3afa61ecf0f50070c9
Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
Instruction Fuzzy Hash: 7BF06872A1CB4586F7A0BB60B45976AF390FB84764F044339DA6D426D4DF3DD0898A10

Function 00007FF646AB1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF646AB7F80: _fread_nolock.LIBCMT ref: 00007FF646AB802A

_fread_nolock.LIBCMT ref: 00007FF646AB1A1B

Part of subcall function 00007FF646AB2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF646AB1B6A), ref: 00007FF646AB295E

Strings

Failed to read cookie!, xrefs: 00007FF646AB1A2B
MEI, xrefs: 00007FF646AB1991
calloc, xrefs: 00007FF646AB1A68
Failed to seek to cookie position!, xrefs: 00007FF646AB19EE
Could not read full TOC!, xrefs: 00007FF646AB1B55
malloc, xrefs: 00007FF646AB1B22
fseek, xrefs: 00007FF646AB19F5
Could not allocate memory for archive structure!, xrefs: 00007FF646AB1A61
Could not allocate buffer for TOC!, xrefs: 00007FF646AB1B1B
Error on file., xrefs: 00007FF646AB1B8D
fread, xrefs: 00007FF646AB1A32, 00007FF646AB1B5C

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: abc02df14881b8553accab44fb79ef53eaa7c88a432e732f5ead529d710b0ae2
Instruction ID: fb68b462c496d3267f3d19e048758a998510c19fa25a4a07b9e80cc3ea4f54ed
Opcode Fuzzy Hash: abc02df14881b8553accab44fb79ef53eaa7c88a432e732f5ead529d710b0ae2
Instruction Fuzzy Hash: 5A81C671A0CE8A86E760FB24D0446F9A391FF45B84F404435DA8EC779ADE3EE5C58760

Function 00007FF646AB2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32 ref: 00007FF646AB21AB
SelectObject.GDI32 ref: 00007FF646AB21F2
DrawTextW.USER32 ref: 00007FF646AB2215
SelectObject.GDI32 ref: 00007FF646AB222B
ReleaseDC.USER32 ref: 00007FF646AB223B
MoveWindow.USER32 ref: 00007FF646AB228B
MoveWindow.USER32 ref: 00007FF646AB22CB
MoveWindow.USER32 ref: 00007FF646AB231E
MoveWindow.USER32 ref: 00007FF646AB2366

Strings

P%, xrefs: 00007FF646AB21FF

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 8f999aa9f5823572a3b6343ba8003cdef3f383c2b888c49ce5458c15d0946eff
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 89510766618BA186D674AF22E4181BAF7A1F798B65F004121EFDE83794DF3DD085CB20

Function 00007FF646AB1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF646AB14DE
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF646AB15DF
malloc, xrefs: 00007FF646AB151F
fseek, xrefs: 00007FF646AB14E5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF646AB149F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF646AB1518
fread, xrefs: 00007FF646AB15E6

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 3899eae9b9cf556598d50536af751799a91292f9e5d7650659be9fe1a68b4b95
Instruction ID: f56dee9665f3d7c6bce260a51f4e99b799b89c0c3015a8798b2d1cd23bd2389b
Opcode Fuzzy Hash: 3899eae9b9cf556598d50536af751799a91292f9e5d7650659be9fe1a68b4b95
Instruction Fuzzy Hash: 5441BF62A0CE4695EB00FF2194411B9E391FF44B88F444532EE4E87B99DE3EE986C764

Function 00007FF646AB1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1.3.1, xrefs: 00007FF646AB1249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF646AB12BA
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF646AB1276
malloc, xrefs: 00007FF646AB12C1, 00007FF646AB12F6
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF646AB12EF
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF646AB141E

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 5578c14fe94a244900e9a575e4f77a257a8de495ed559fdf9b362ebbbffb2fa7
Instruction ID: 94b5e9199faa9a2437e9a99d68bb45cad878c6760aeae8a0a6c71f3252fb2062
Opcode Fuzzy Hash: 5578c14fe94a244900e9a575e4f77a257a8de495ed559fdf9b362ebbbffb2fa7
Instruction Fuzzy Hash: 8D51F762A0CE4685E660BB11A4403BAE291FF85F94F444135EE4EC77D9EF3EE985C720

Function 00007FF646AB36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF646AB3804), ref: 00007FF646AB36E1
GetLastError.KERNEL32(?,00007FF646AB3804), ref: 00007FF646AB36EB

Part of subcall function 00007FF646AB2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF646AB3706,?,00007FF646AB3804), ref: 00007FF646AB2C9E
Part of subcall function 00007FF646AB2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF646AB3706,?,00007FF646AB3804), ref: 00007FF646AB2D63
Part of subcall function 00007FF646AB2C50: MessageBoxW.USER32 ref: 00007FF646AB2D99

Strings

\\?\, xrefs: 00007FF646AB375A
Failed to convert executable path to UTF-8., xrefs: 00007FF646AB3790
GetModuleFileNameW, xrefs: 00007FF646AB36FA
Failed to resolve full path to executable %ls., xrefs: 00007FF646AB3739
Failed to obtain executable path., xrefs: 00007FF646AB36F3

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction ID: f4218f39d8e50210100c9c618269aac41dbcf59cfdedcadee4aa92cf82d355c3
Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
Instruction Fuzzy Hash: 1821B8A1F1CE4691FA20F720E8153B6E255BF48B95F804136EB5EC25D6EE2EE5C4C720

Function 00007FF646ACBACC Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646ACBEF9

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ba46bac31fe72f1dd681b3566344db0dd8f54c3f22ac6e326a6392c95ac81308
Instruction ID: 4bd69cada80353a37acf5b273de84fa040e5e699879e62acb933e40167c84bd8
Opcode Fuzzy Hash: ba46bac31fe72f1dd681b3566344db0dd8f54c3f22ac6e326a6392c95ac81308
Instruction Fuzzy Hash: EEC1C322A0CF8681E761BB1594402BDBBA1EF81B80F554131EA4F87795CF7FE8D98720

Function 00007FF646AB6350 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LoadLibrary, xrefs: 00007FF646AB649E
Failed to load Python DLL '%ls'., xrefs: 00007FF646AB6497
ucrtbase.dll, xrefs: 00007FF646AB63CD
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF646AB6446
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF646AB63B7
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF646AB63F7

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction ID: 7ee21ffe7dc67eb685b9e8cfd04273cce96db1e623073fe23fc909731debaf24
Opcode Fuzzy Hash: 113c6b1de756f4b5b5eb6aeb9c43a8ac160651dc44d73755d1f433b83002bd4c
Instruction Fuzzy Hash: 60416171B1CE8A91EA11FB20E5152E9E315FB44B84F800132EB5D83696EF3EE685C760

Function 00007FF646AB2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF646AB23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF646AB248E
DeleteObject.GDI32 ref: 00007FF646AB24C1
DestroyIcon.USER32 ref: 00007FF646AB24D3

Strings

Unhandled exception in script, xrefs: 00007FF646AB23F8

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: dd10c28d74256616f4f20b34f0e4914686707bcd8d030bd0fddff274f11205b5
Instruction ID: 1f4a9a6a93d6be28d5ca47a1fe6d4408e396623dd6e333d495b9e3931d868974
Opcode Fuzzy Hash: dd10c28d74256616f4f20b34f0e4914686707bcd8d030bd0fddff274f11205b5
Instruction Fuzzy Hash: 8D31607261CA8189EB60FF21E8552F9A360FF88788F440135EA4E8BB49DF3DD184C710

Function 00007FF646AC5698 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC56C5
CreateFileW.KERNEL32 ref: 00007FF646AC5704
CloseHandle.KERNEL32 ref: 00007FF646AC5739

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction ID: 003e7fb06907797d4426876347d0c4ceaf76d33be45db742ae55c21cd34c4069
Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
Instruction Fuzzy Hash: 9C41A222D1CB8283E750BB219514379A260FF947A4F108334FA5E43AD6DF6DA8F08760

Function 00007FF646AB20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF646AB20F4
SetWindowLongPtrW.USER32 ref: 00007FF646AB2116
GetWindowLongPtrW.USER32 ref: 00007FF646AB2140
InvalidateRect.USER32 ref: 00007FF646AB2160

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 47707f41c947277ee21eb20f1cba9eb01b94d3b999dd30700cc6c654e67de4f0
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: F111A971A1C94642F694F769F5442B99292EB89B84F488031DF4947B9DCD2FD8D5C220

Function 00007FF646ABCCAC Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646ABCE7C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF646ABCE90

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF646ABCCD0
__scrt_release_startup_lock.LIBCMT ref: 00007FF646ABCD3E
__scrt_get_show_window_mode.LIBCMT ref: 00007FF646ABCD91

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction ID: 68e24dddbd21d9a77a6339aa77bfa84cc9758c376dcb79c8f6f9fa717f17e5a3
Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
Instruction Fuzzy Hash: 14317CA4E4CE0B91FA54BB24A4227B99792AF41B84F440435DB5FCB2D7DE2FA4C5C231

Function 00007FF646AC01AC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC01F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC02E7

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: a3783c103f76f5a150d3b5fcf152306cbe0f3b8844b431ddea41a13b1dbc13d8
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: E551D761B0DE5186EA24BE79940067AE291AF84BA8F144734DE7E877C5CF3FD4818620

Function 00007FF646ACC1A4 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF646ACC33D), ref: 00007FF646ACC1F0
GetLastError.KERNEL32(?,?,?,?,?,00007FF646ACC33D), ref: 00007FF646ACC1FA

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction ID: f830b1211c18eb29c1bc67a836b981ce4ee4ab7924ca5013b5d6ec107a6b7e74
Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
Instruction Fuzzy Hash: D81104A1B0CE4181DA10BB29A814169E361FB41BF4F544331EE7F8B7D8CE3DD0918710

Function 00007FF646ACA9B8 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9CE
GetLastError.KERNEL32(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9D8

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction ID: 5170b3c0750fc4f413f491839f4301f1448e701da48262983d5f2953801ff956
Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
Instruction Fuzzy Hash: A5E08650F0CF0243FF187BB258461789151AF84B40F054034CD1EC22A1DE2F68C58370

Function 00007FF646ACABC8 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF646ACAA45,?,?,00000000,00007FF646ACAAFA), ref: 00007FF646ACAC36
GetLastError.KERNEL32(?,?,?,00007FF646ACAA45,?,?,00000000,00007FF646ACAAFA), ref: 00007FF646ACAC40

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction ID: 4421f65a1d5d932771d6c02c6a38c6ac6485ff798776fc5bca9598156b1a3e86
Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
Instruction Fuzzy Hash: 5F219611F1CE4242FAA477A1949427996D2AF84B94F084235DB2FC77C6DE6EA8C58321

Function 00007FF646ACBF1C Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646ACBF44

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction ID: ed8cf6e32a03d3f94da9f40b4b31d5b76b07cdec689a2c8ebc29546d551ad3c5
Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
Instruction Fuzzy Hash: 5E41A17291CA018BEA34BB19A541279F3A4EF55B84F144131DA9FC7691CF2FE482CBA1

Function 00007FF646AB7F80 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF646AB802A

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: e030e723ccfde11af85d0dda47479fa887e00b1a31505a58a3447353ba43a7bb
Instruction ID: e88ecf1e667533f00b64861faddc77ab2317fbcbad9f1e1e5c88d0b9f487e311
Opcode Fuzzy Hash: e030e723ccfde11af85d0dda47479fa887e00b1a31505a58a3447353ba43a7bb
Instruction Fuzzy Hash: A4219121B0DE9685FB54BA2665043BAD651BF45FC4F8C4430EF4D87B86CE7FE0818621

Function 00007FF646ACB9AC Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646ACBA32

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction ID: 6e63662f9f859c76cc8bd77a0976d98c8a690125d1530e6c2cefc4eef86f082f
Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
Instruction Fuzzy Hash: 2431AE21A1CE468AF7517B55884137CAA60AF80B94F420135EA6F833E2CF7FE8C58775

Function 00007FF646AC99D1 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF646AC99FF

Part of subcall function 00007FF646AC9AF8: GetModuleHandleExW.KERNEL32 ref: 00007FF646AC9B1D
Part of subcall function 00007FF646AC9AF8: GetProcAddress.KERNEL32 ref: 00007FF646AC9B33
Part of subcall function 00007FF646AC9AF8: FreeLibrary.KERNEL32 ref: 00007FF646AC9B5A

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction ID: 44141691edc5fb6da086790566712c62181f1d305d7a84018295773ff131c47c
Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
Instruction Fuzzy Hash: 65218E32E08B828AEB64FF64C4442FC73A0EB84718F441635D72E86AD5DF39D585CB60

Function 00007FF646AC6004 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC5F69

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: d6cd1648f345502d5c1341cf7a8f0021f5a7680b53877f4a911ded8a5316e984
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: A7117522A1CE4189EE64BF51940117EE2A4BF45B84F444031FB4ED7B96DF7FE89087A0

Function 00007FF646AD63C4 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD63E7

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction ID: 81743825312f596e3e6acc6b0ddcb152fd889cf52da661fbec6b3b1d834786c3
Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
Instruction Fuzzy Hash: 7421507271CE4286DB61BF18D450379B6A1EB84B94F185234EA9EC76D9DF3ED4808B10

Function 00007FF646AC042C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC0480

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 34f793176986138ff5a0492500a7c0450bf4c5dc3551675a7404ce0c7b690199
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: B601D621A0CF4140EA04FF569A0107AE691BF95FE0F084631EE6D97BD6CE3FE5918310

Function 00007FF646AB9070 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646AB9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF646AB45E4,00000000,00007FF646AB1985), ref: 00007FF646AB9439

LoadLibraryExW.KERNEL32(?,00007FF646AB6466,?,00007FF646AB336E), ref: 00007FF646AB9092

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 7140f7c55cf735ced6a4f02887063d730e60c19ae08c919a697b9dfe54228ee6
Instruction ID: 8b1532ee70d9dc98c42d2d4301d7ecae923003158cc13b09837e4516e46c70d8
Opcode Fuzzy Hash: 7140f7c55cf735ced6a4f02887063d730e60c19ae08c919a697b9dfe54228ee6
Instruction Fuzzy Hash: 0DD0C211F28A4541EA94F767BA466399252AFCEFC0F88C035EE1D43B4ADC3DC0814B00

Function 00007FF646ACD66C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF646AC0D00,?,?,?,00007FF646AC236A,?,?,?,?,?,00007FF646AC3B59), ref: 00007FF646ACD6AA

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction ID: 901096b45d9cde69264e8ed3c5aae3be45c3383c6456c806cd6efcfc95867fd2
Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
Instruction Fuzzy Hash: ACF05810B2DF0695FE647B615801279E2915F94BA0F080232DC2FC53C2DE2FA4C0E230

Non-executed Functions

Function 00007FF8A7FEB6D0 Relevance: 91.4, APIs: 46, Strings: 6, Instructions: 369threadCOMMON

Download Yara Rule

APIs

PyTuple_New.PYTHON312 ref: 00007FF8A7FEB72E
PyObject_Call.PYTHON312 ref: 00007FF8A7FEB7AC
memcpy.VCRUNTIME140 ref: 00007FF8A7FEB815
PyErr_Fetch.PYTHON312 ref: 00007FF8A7FEB837
PyUnicode_FromFormat.PYTHON312 ref: 00007FF8A7FEB88F
PyUnicode_FromFormat.PYTHON312 ref: 00007FF8A7FEB8A1
PyErr_Restore.PYTHON312 ref: 00007FF8A7FEB8B6
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FEB8C4
_PyErr_WriteUnraisableMsg.PYTHON312 ref: 00007FF8A7FEB8CF
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEB8E3
PyErr_Clear.PYTHON312 ref: 00007FF8A7FEB8F4
PyRun_StringFlags.PYTHON312 ref: 00007FF8A7FEB926
PyUnicode_AsWideCharString.PYTHON312 ref: 00007FF8A7FEB939
CreateThread.KERNEL32 ref: 00007FF8A7FEB962
CloseHandle.KERNEL32 ref: 00007FF8A7FEB970
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEB983
PyErr_Clear.PYTHON312 ref: 00007FF8A7FEB989
PyErr_Clear.PYTHON312 ref: 00007FF8A7FEB99B
PyErr_Fetch.PYTHON312 ref: 00007FF8A7FEB9AA
PyErr_NormalizeException.PYTHON312 ref: 00007FF8A7FEB9BC
PyObject_CallFunctionObjArgs.PYTHON312 ref: 00007FF8A7FEB9FC
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBA37
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEBA3D
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBA5B
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBA75
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBA9B
PyErr_Fetch.PYTHON312 ref: 00007FF8A7FEBAB2
PyUnicode_FromFormat.PYTHON312 ref: 00007FF8A7FEBB0A
PyUnicode_FromFormat.PYTHON312 ref: 00007FF8A7FEBB19
PyErr_Restore.PYTHON312 ref: 00007FF8A7FEBB2D
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FEBB3B
_PyErr_WriteUnraisableMsg.PYTHON312 ref: 00007FF8A7FEBB46
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBB5A
PyErr_WriteUnraisable.PYTHON312 ref: 00007FF8A7FEBB65
PyErr_Clear.PYTHON312 ref: 00007FF8A7FEBB6B
PyUnicode_FromFormat.PYTHON312 ref: 00007FF8A7FEBB93
PyErr_Restore.PYTHON312 ref: 00007FF8A7FEBBA5
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FEBBB3
_PyErr_WriteUnraisableMsg.PYTHON312 ref: 00007FF8A7FEBBBE
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBBD3
PyErr_Clear.PYTHON312 ref: 00007FF8A7FEBBE3

Part of subcall function 00007FF8A7FEB620: PyErr_SetString.PYTHON312 ref: 00007FF8A7FEB65E

PyErr_WriteUnraisable.PYTHON312 ref: 00007FF8A7FEBBDD
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBC08
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBC24
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBC39

Strings

done(), xrefs: 00007FF8A7FEB91A
%c%s%R%s, xrefs: 00007FF8A7FEB888, 00007FF8A7FEBB00
uring handling of the above exception by 'onerror', xrefs: 00007FF8A7FEBB75
rom cffi callback , xrefs: 00007FF8A7FEB850, 00007FF8A7FEBACC
, trying to convert the result back to C, xrefs: 00007FF8A7FEB7DF
%c%s%s, xrefs: 00007FF8A7FEB89A, 00007FF8A7FEBB12, 00007FF8A7FEBB80

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Dealloc$Unicode_$ClearFormatFromUnraisableWrite$FetchRestoreString$CallObject_$ArgsCharCloseCreateExceptionFlagsFunctionHandleNormalizeOccurredRun_ThreadTuple_Widememcpy
String ID: %c%s%R%s$%c%s%s$, trying to convert the result back to C$done()$rom cffi callback $uring handling of the above exception by 'onerror'
API String ID: 3680899025-2484428055
Opcode ID: decc0abd9df1063f42d66e8780f255c007d8368bf3654e8c28f0d229d635d203
Instruction ID: 0eedf4f31b9e0ce9e35a0c83de3b875ed3f1bc7f1cb7e94abbb50bc8efb8d549
Opcode Fuzzy Hash: decc0abd9df1063f42d66e8780f255c007d8368bf3654e8c28f0d229d635d203
Instruction Fuzzy Hash: 1BF12932A0AA62A5EB159FB5E8446BC27A0FF44BD4F044035DE4E57B68EF7CE645E300

Function 00007FF646AB8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646AB9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF646AB45E4,00000000,00007FF646AB1985), ref: 00007FF646AB9439

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8C2B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8C46

Part of subcall function 00007FF646ACA4EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646ACA500

Part of subcall function 00007FF646AC878C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC87F3

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8CD6
CreateProcessW.KERNEL32 ref: 00007FF646AB8D0E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8D18

Part of subcall function 00007FF646AB2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF646AB3706,?,00007FF646AB3804), ref: 00007FF646AB2C9E
Part of subcall function 00007FF646AB2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF646AB3706,?,00007FF646AB3804), ref: 00007FF646AB2D63
Part of subcall function 00007FF646AB2C50: MessageBoxW.USER32 ref: 00007FF646AB2D99

RegisterClassW.USER32 ref: 00007FF646AB8D70
GetLastError.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8D7B
CreateWindowExW.USER32 ref: 00007FF646AB8DC5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8DD7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8DF2
GetLastError.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8E05
PeekMessageW.USER32 ref: 00007FF646AB8E29
TranslateMessage.USER32 ref: 00007FF646AB8E37
DispatchMessageW.USER32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8E41
PeekMessageW.USER32 ref: 00007FF646AB8E5C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8E6E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8E89
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8E9F
GetLastError.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8EA9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8EB7
DestroyWindow.USER32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB8FF4
GetExitCodeProcess.KERNEL32 ref: 00007FF646AB9009
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB9012
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF646AB3F7F), ref: 00007FF646AB901F

Strings

CreateProcessW, xrefs: 00007FF646AB8D27
Failed to create child process!, xrefs: 00007FF646AB8D20
PyInstaller Onefile Hidden Window, xrefs: 00007FF646AB8D85
PyInstallerOnefileHiddenWindow, xrefs: 00007FF646AB8D44

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction ID: 90a9b7065753a577a3d8aaa6a24ab6decbbff63b8eb4cc3ba588ef88bab95aef
Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
Instruction Fuzzy Hash: 4CD17072A0CE8686EB50BF74E8542A9B761FF84B58F404235EE5D82A94DF3DD189C720

Function 00007FF8A7FEBED0 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 234memoryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FEBF1C

Part of subcall function 00007FF8A7FEBD60: PyErr_Format.PYTHON312 ref: 00007FF8A7FEBD94

GetSystemInfo.KERNEL32 ref: 00007FF8A7FEBF91
VirtualAlloc.KERNEL32 ref: 00007FF8A7FEC009
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEC060
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEC077
_PyObject_GC_New.PYTHON312 ref: 00007FF8A7FEC09B
PyErr_Format.PYTHON312 ref: 00007FF8A7FEC103
Py_FatalError.PYTHON312 ref: 00007FF8A7FEC200
PyObject_GC_Track.PYTHON312 ref: 00007FF8A7FEC21C
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEC261
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEC278
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEC2A5

Strings

libffi failed to build this callback, xrefs: 00007FF8A7FEC257
FFI_TRAMPOLINE_SIZE too small in src/c/libffi_x86_x64\ffi.c, xrefs: 00007FF8A7FEC1F9
O!O|OO:callback, xrefs: 00007FF8A7FEBF03
Cannot allocate write+execute memory for ffi.callback(). You might be running on a system that prevents this. For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks, xrefs: 00007FF8A7FEC06D
%s: callback with unsupported argument or return type or with '...', xrefs: 00007FF8A7FEC0F5

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Dealloc$FormatObject_String$AllocArg_ErrorFatalInfoParseSizeSystemTrackTuple_Virtual
String ID: %s: callback with unsupported argument or return type or with '...'$Cannot allocate write+execute memory for ffi.callback(). You might be running on a system that prevents this. For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks$FFI_TRAMPOLINE_SIZE too small in src/c/libffi_x86_x64\ffi.c$O!O|OO:callback$libffi failed to build this callback
API String ID: 1427098410-3680541158
Opcode ID: 23c9fd3e63b424cc72bec812328284be27760d706a1b8ba850e7a80d662f87e5
Instruction ID: 8ca5db29ecc8f7cf554ab4fd52e16b72def15030848b9e537dcd7d85e8df3f61
Opcode Fuzzy Hash: 23c9fd3e63b424cc72bec812328284be27760d706a1b8ba850e7a80d662f87e5
Instruction Fuzzy Hash: 3BB14D36A0AB52A5EB248F75E84027C73A4FB88BD4F448132DA8D577A4EF3CD695D304

Function 00007FF8A7FFADB8 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF8A7FFADD4
memset.VCRUNTIME140 ref: 00007FF8A7FFADF8
RtlCaptureContext.KERNEL32 ref: 00007FF8A7FFAE01
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8A7FFAE1B
RtlVirtualUnwind.KERNEL32 ref: 00007FF8A7FFAE5C
memset.VCRUNTIME140 ref: 00007FF8A7FFAE8F
IsDebuggerPresent.KERNEL32 ref: 00007FF8A7FFAEB0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8A7FFAECD
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8A7FFAED8

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: ea843acdad7c56c70b9743c44a311b0c1a9b6eb90ef1f84dc8ae54790f9ea7a2
Instruction ID: f5ffe3460cf48ac39b0d5135169f7d4d3f6b22ff32d402721a1960e2b7d5a45f
Opcode Fuzzy Hash: ea843acdad7c56c70b9743c44a311b0c1a9b6eb90ef1f84dc8ae54790f9ea7a2
Instruction Fuzzy Hash: 42313272609B8196EB609F70E8407EE7361FB45788F44403ADA4E47B94DF78D648C714

Function 00007FF646ACA684 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF646ACA6FD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF646ACA715
RtlVirtualUnwind.KERNEL32 ref: 00007FF646ACA750
IsDebuggerPresent.KERNEL32 ref: 00007FF646ACA789
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF646ACA793
UnhandledExceptionFilter.KERNEL32 ref: 00007FF646ACA79E

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction ID: 50dd96237e29b7b86551cdffe0ed105bee75ee508fc4e0750def38e2e7a9e7f6
Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
Instruction Fuzzy Hash: 38316036618F8186DB60EF25E8402AEB3A4FB88758F540136EB9D83B58DF3DC185CB10

Function 00007FF646AD18E4 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD1930
FindFirstFileExW.KERNEL32 ref: 00007FF646AD1A3A

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction ID: 6b46c94d7df38dbe31fc08cd39529078ef482a1b3dcac93b16a71b437e0770a3
Opcode Fuzzy Hash: 2ef3c37f04818ead7d44404f95bcb0bbc346a7a2ea351082cea4bee254bbf61c
Instruction Fuzzy Hash: 31B1C926B1CE9241EB61BB6194085B9E392EB44BD4F444131EE5E87BD5EF3EE8C1C320

Function 00007FF646AD5EEC Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF646AD5F1A

Part of subcall function 00007FF646AD5668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD567C

_get_daylight.LIBCMT ref: 00007FF646AD5F2B

Part of subcall function 00007FF646AD5608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD561C

_get_daylight.LIBCMT ref: 00007FF646AD5F3C

Part of subcall function 00007FF646AD5638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD564C

Part of subcall function 00007FF646ACA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9CE
Part of subcall function 00007FF646ACA9B8: GetLastError.KERNEL32(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9D8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF646AD617C), ref: 00007FF646AD5F63

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction ID: 462c1a6e787762f53ce4442e65868ce01f5fa0c96262af21b11dcfb6fb0b5114
Opcode Fuzzy Hash: 4f5f64917f1a6fb99e16ec8d4eadf885fc2e5ee96e92320975b551feff7f9d51
Instruction Fuzzy Hash: 3F515332A0CA4286E714FF25D8815B9E762FF48784F449135EE4DC7696DF3EE48087A0

Function 00007FF646AB5820 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5830
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5842
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5879
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB588B
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB58A4
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB58B6
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB58CF
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB58E1
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB58FD
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB590F
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB592B
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB593D
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5959
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB596B
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5987
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB5999
GetProcAddress.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB59B5
GetLastError.KERNEL32(?,00007FF646AB64BF,?,00007FF646AB336E), ref: 00007FF646AB59C7

Strings

PyPreConfig_InitIsolatedConfig, xrefs: 00007FF646AB5DCD, 00007FF646AB5DEF
PyEval_EvalCode, xrefs: 00007FF646AB5BA5, 00007FF646AB5BC7
PyUnicode_Join, xrefs: 00007FF646AB5F99, 00007FF646AB5FBB
PyConfig_Clear, xrefs: 00007FF646AB597D, 00007FF646AB599F
PyModule_GetDict, xrefs: 00007FF646AB5CB9, 00007FF646AB5CDB
PyConfig_InitIsolatedConfig, xrefs: 00007FF646AB59AB, 00007FF646AB59CD
PyImport_AddModule, xrefs: 00007FF646AB5BD3, 00007FF646AB5BF5
PyUnicode_DecodeFSDefault, xrefs: 00007FF646AB5F0F, 00007FF646AB5F31
Py_Finalize, xrefs: 00007FF646AB58C5, 00007FF646AB58E7
PyMarshal_ReadObjectFromString, xrefs: 00007FF646AB5C5D, 00007FF646AB5C7F
PyUnicode_Decode, xrefs: 00007FF646AB5EE1, 00007FF646AB5F03
PyImport_ExecCodeModule, xrefs: 00007FF646AB5C01, 00007FF646AB5C23
PyConfig_SetBytesString, xrefs: 00007FF646AB5A07, 00007FF646AB5A29
PyObject_GetAttrString, xrefs: 00007FF646AB5D43, 00007FF646AB5D65
PyUnicode_Replace, xrefs: 00007FF646AB5FC7, 00007FF646AB5FE9
PySys_SetObject, xrefs: 00007FF646AB5E85, 00007FF646AB5EA7
Py_IsInitialized, xrefs: 00007FF646AB5921, 00007FF646AB5943
Py_DecodeLocale, xrefs: 00007FF646AB586F, 00007FF646AB5891
PyErr_Print, xrefs: 00007FF646AB5B49, 00007FF646AB5B6B
PyObject_CallFunctionObjArgs, xrefs: 00007FF646AB5D15, 00007FF646AB5D37
PyStatus_Exception, xrefs: 00007FF646AB5E29, 00007FF646AB5E4B
PyErr_Fetch, xrefs: 00007FF646AB5ABF, 00007FF646AB5AE1
PyUnicode_AsUTF8, xrefs: 00007FF646AB5EB3, 00007FF646AB5ED5
PyConfig_SetString, xrefs: 00007FF646AB5A35, 00007FF646AB5A57
GetProcAddress, xrefs: 00007FF646AB5858
PyErr_Restore, xrefs: 00007FF646AB5B77, 00007FF646AB5B99
Py_DecRef, xrefs: 00007FF646AB5826, 00007FF646AB5848
Failed to get address for %hs, xrefs: 00007FF646AB5851
PyObject_SetAttrString, xrefs: 00007FF646AB5D71, 00007FF646AB5D93
PyConfig_SetWideStringList, xrefs: 00007FF646AB5A63, 00007FF646AB5A85
PyErr_NormalizeException, xrefs: 00007FF646AB5AED, 00007FF646AB5B0F
PyMem_RawFree, xrefs: 00007FF646AB5C8B, 00007FF646AB5CAD
PySys_GetObject, xrefs: 00007FF646AB5E57, 00007FF646AB5E79
PyRun_SimpleStringFlags, xrefs: 00007FF646AB5DFB, 00007FF646AB5E1D
PyObject_CallFunction, xrefs: 00007FF646AB5CE7, 00007FF646AB5D09
PyUnicode_FromString, xrefs: 00007FF646AB5F6B, 00007FF646AB5F8D
PyObject_Str, xrefs: 00007FF646AB5D9F, 00007FF646AB5DC1
Py_InitializeFromConfig, xrefs: 00007FF646AB58F3, 00007FF646AB5915
PyErr_Occurred, xrefs: 00007FF646AB5B1B, 00007FF646AB5B3D
PyConfig_Read, xrefs: 00007FF646AB59D9, 00007FF646AB59FB
PyErr_Clear, xrefs: 00007FF646AB5A91, 00007FF646AB5AB3
PyImport_ImportModule, xrefs: 00007FF646AB5C2F, 00007FF646AB5C51
Py_PreInitialize, xrefs: 00007FF646AB594F, 00007FF646AB5971
Py_ExitStatusException, xrefs: 00007FF646AB589A, 00007FF646AB58BC
PyUnicode_FromFormat, xrefs: 00007FF646AB5F3D, 00007FF646AB5F5F

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction ID: 3bfb4b33ddc7db6e6cf35bd3b5391dd9991feebdaef6050e558f8e4131e1bf98
Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
Instruction Fuzzy Hash: 0322C6A494DF4B91FA44FF65A9141B4A3A6AF09B85F845035CC1F82660FF3EB9C89330

Function 00007FF646AB76B0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF646AB76C7
GetLastError.KERNEL32 ref: 00007FF646AB76D9
GetProcAddress.KERNEL32 ref: 00007FF646AB7715
GetLastError.KERNEL32 ref: 00007FF646AB7727
GetProcAddress.KERNEL32 ref: 00007FF646AB7740
GetLastError.KERNEL32 ref: 00007FF646AB7752
GetProcAddress.KERNEL32 ref: 00007FF646AB776B
GetLastError.KERNEL32 ref: 00007FF646AB777D
GetProcAddress.KERNEL32 ref: 00007FF646AB7799
GetLastError.KERNEL32 ref: 00007FF646AB77AB
GetProcAddress.KERNEL32 ref: 00007FF646AB77C7
GetLastError.KERNEL32 ref: 00007FF646AB77D9
GetProcAddress.KERNEL32 ref: 00007FF646AB77F5
GetLastError.KERNEL32 ref: 00007FF646AB7807
GetProcAddress.KERNEL32 ref: 00007FF646AB7823
GetLastError.KERNEL32 ref: 00007FF646AB7835
GetProcAddress.KERNEL32 ref: 00007FF646AB7851
GetLastError.KERNEL32 ref: 00007FF646AB7863

Strings

Tk_GetNumMainWindows, xrefs: 00007FF646AB7C97, 00007FF646AB7CB9
Tcl_NewStringObj, xrefs: 00007FF646AB7ACB, 00007FF646AB7AED
Tcl_SetVar2Ex, xrefs: 00007FF646AB7B27, 00007FF646AB7B49
Tcl_ThreadQueueEvent, xrefs: 00007FF646AB79B7, 00007FF646AB79D9
Tcl_MutexUnlock, xrefs: 00007FF646AB78D1, 00007FF646AB78F3
Tcl_GetString, xrefs: 00007FF646AB7A9D, 00007FF646AB7ABF
Tcl_ConditionNotify, xrefs: 00007FF646AB795B, 00007FF646AB797D
Tcl_ThreadAlert, xrefs: 00007FF646AB79E5, 00007FF646AB7A07
Tcl_DoOneEvent, xrefs: 00007FF646AB7761, 00007FF646AB7783
Tcl_EvalFile, xrefs: 00007FF646AB7B83, 00007FF646AB7BA5
Tcl_NewByteArrayObj, xrefs: 00007FF646AB7AF9, 00007FF646AB7B1B
Tcl_Init, xrefs: 00007FF646AB76C0, 00007FF646AB76DF
Tcl_DeleteInterp, xrefs: 00007FF646AB77EB, 00007FF646AB780D
Tcl_JoinThread, xrefs: 00007FF646AB7875, 00007FF646AB7897
GetProcAddress, xrefs: 00007FF646AB76EF
Tcl_Finalize, xrefs: 00007FF646AB778F, 00007FF646AB77B1
Failed to get address for %hs, xrefs: 00007FF646AB76E8
Tcl_EvalEx, xrefs: 00007FF646AB7BB1, 00007FF646AB7BD3
Tcl_MutexLock, xrefs: 00007FF646AB78A3, 00007FF646AB78C5
Tcl_MutexFinalize, xrefs: 00007FF646AB78FF, 00007FF646AB7921
Tcl_Alloc, xrefs: 00007FF646AB7C0D, 00007FF646AB7C2F
Tcl_Free, xrefs: 00007FF646AB7C3B, 00007FF646AB7C5D
Tcl_GetObjResult, xrefs: 00007FF646AB7B55, 00007FF646AB7B77
Tcl_CreateObjCommand, xrefs: 00007FF646AB7A6F, 00007FF646AB7A91
Tcl_ConditionFinalize, xrefs: 00007FF646AB792D, 00007FF646AB794F
Tcl_EvalObjv, xrefs: 00007FF646AB7BDF, 00007FF646AB7C01
Tcl_CreateThread, xrefs: 00007FF646AB7819, 00007FF646AB783B
Tcl_FindExecutable, xrefs: 00007FF646AB7736, 00007FF646AB7758
Tcl_CreateInterp, xrefs: 00007FF646AB770B, 00007FF646AB772D
Tcl_GetCurrentThread, xrefs: 00007FF646AB7847, 00007FF646AB7869
Tcl_GetVar2, xrefs: 00007FF646AB7A13, 00007FF646AB7A35
Tk_Init, xrefs: 00007FF646AB7C69, 00007FF646AB7C8B
Tcl_ConditionWait, xrefs: 00007FF646AB7989, 00007FF646AB79AB
Tcl_FinalizeThread, xrefs: 00007FF646AB77BD, 00007FF646AB77DF
Tcl_SetVar2, xrefs: 00007FF646AB7A41, 00007FF646AB7A63

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction ID: 714d873f52792af51d2eb95879a31041a4c2e9fb29adf144e46d7ae3e9b5053e
Opcode Fuzzy Hash: 0a662de07e299f73dada83b080b335429a490c7fb48c0bc5bb894b33d2b2cc2e
Instruction Fuzzy Hash: C202C664A4DF0B91FA95FB55A9145B4E3A2BF08B94F845036DD1E82260EF7EF5C88330

Function 00007FF8A7FF9C40 Relevance: 89.5, APIs: 30, Strings: 21, Instructions: 211stringmemorythreadCOMMON

Download Yara Rule

APIs

PySys_GetObject.PYTHON312 ref: 00007FF8A7FF9C4B
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF9C71
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FF9C87
PyModule_Create2.PYTHON312 ref: 00007FF8A7FF9CBA
PyDict_New.PYTHON312 ref: 00007FF8A7FF9CD6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FF9D14
PyType_Ready.PYTHON312 ref: 00007FF8A7FF9D25
PyModule_AddObject.PYTHON312 ref: 00007FF8A7FF9D4A
PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FF9D78
PyDict_SetItemString.PYTHON312 ref: 00007FF8A7FF9D98
PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FF9DAD
PyDict_SetItemString.PYTHON312 ref: 00007FF8A7FF9DCD
PyCapsule_New.PYTHON312 ref: 00007FF8A7FF9DF3
PyModule_AddObject.PYTHON312 ref: 00007FF8A7FF9E0F
PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FF9E24
PyModule_AddObject.PYTHON312 ref: 00007FF8A7FF9E40
PyModule_AddIntConstant.PYTHON312 ref: 00007FF8A7FF9E5E
PyModule_AddIntConstant.PYTHON312 ref: 00007FF8A7FF9E7C
PyModule_AddIntConstant.PYTHON312 ref: 00007FF8A7FF9E9A
PyModule_AddIntConstant.PYTHON312 ref: 00007FF8A7FF9ECE
TlsAlloc.KERNEL32 ref: 00007FF8A7FF9EFC
PyErr_SetString.PYTHON312 ref: 00007FF8A7FF9F1E
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FF9F24
PyThread_allocate_lock.PYTHON312 ref: 00007FF8A7FF9F48
PyErr_SetString.PYTHON312 ref: 00007FF8A7FF9F6B
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FF9F71
PyImport_ImportModule.PYTHON312 ref: 00007FF8A7FF9F96
PyObject_GetAttrString.PYTHON312 ref: 00007FF8A7FF9FAB
PyErr_Format.PYTHON312 ref: 00007FF8A7FF9FF3
PyErr_Format.PYTHON312 ref: 00007FF8A7FFA022

Strings

can't allocate cffi_zombie_lock, xrefs: 00007FF8A7FF9F61
_WIN, xrefs: 00007FF8A7FF9E90
_C_API, xrefs: 00007FF8A7FF9E05
_io, xrefs: 00007FF8A7FF9F8F
_IOBase, xrefs: 00007FF8A7FF9FA1
_cffi_backend, xrefs: 00007FF8A7FF9D71
'%s' is an ill-formed type name, xrefs: 00007FF8A7FF9FE5
__name__, xrefs: 00007FF8A7FF9DC3
this module was compiled for Python %c%c%c, xrefs: 00007FF8A7FFA004
1.17.1, xrefs: 00007FF8A7FF9E1D
_cffi_backend., xrefs: 00007FF8A7FF9D07
__version__, xrefs: 00007FF8A7FF9E36
FFI_DEFAULT_ABI, xrefs: 00007FF8A7FF9E54
__module__, xrefs: 00007FF8A7FF9D8E
3.12.4, xrefs: 00007FF8A7FF9C7D
<cdata>, xrefs: 00007FF8A7FF9DA6
cffi, xrefs: 00007FF8A7FF9DE5
FFI_CDECL, xrefs: 00007FF8A7FF9E72
1, xrefs: 00007FF8A7FFA011
TlsAlloc() failed, xrefs: 00007FF8A7FF9F14
version, xrefs: 00007FF8A7FF9C44

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Module_String$Err_$ConstantObjectUnicode_$Dict_From$FormatItemOccurredstrncmp$AllocAttrCapsule_Create2ImportImport_ModuleObject_ReadySys_Thread_allocate_lockType_
String ID: '%s' is an ill-formed type name$1$1.17.1$3.12.4$<cdata>$FFI_CDECL$FFI_DEFAULT_ABI$TlsAlloc() failed$_C_API$_IOBase$_WIN$__module__$__name__$__version__$_cffi_backend$_cffi_backend.$_io$can't allocate cffi_zombie_lock$cffi$this module was compiled for Python %c%c%c$version
API String ID: 3385652222-3179000925
Opcode ID: e35dcc5a39c1658808c63a9201d75b3221023b2b68b117264ad8d95726ba0c6a
Instruction ID: cd2f12150e43832ef3a475c9a95f00eedb9e2d5f962a9ec751671dd3de628680
Opcode Fuzzy Hash: e35dcc5a39c1658808c63a9201d75b3221023b2b68b117264ad8d95726ba0c6a
Instruction Fuzzy Hash: CCB1F922A0BA53A1FF10DF65E85427823A0FF45BC6F444135CA1E876A4EFBCE659E314

Function 00007FF8A7FE7060 Relevance: 66.9, APIs: 29, Strings: 9, Instructions: 409threadCOMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FE70D3
PyErr_Format.PYTHON312 ref: 00007FF8A7FE70FB
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE72D4
PyObject_Free.PYTHON312 ref: 00007FF8A7FE72E6
PyLong_AsLong.PYTHON312 ref: 00007FF8A7FE734F
PyObject_Malloc.PYTHON312 ref: 00007FF8A7FE7375
PyErr_NoMemory.PYTHON312 ref: 00007FF8A7FE7387
PyErr_Format.PYTHON312 ref: 00007FF8A7FE73AB
PyObject_Malloc.PYTHON312 ref: 00007FF8A7FE748C
memset.VCRUNTIME140 ref: 00007FF8A7FE74A9
PyErr_NoMemory.PYTHON312 ref: 00007FF8A7FE750F
PyObject_Free.PYTHON312 ref: 00007FF8A7FE7527
PyObject_Free.PYTHON312 ref: 00007FF8A7FE7535
PyEval_SaveThread.PYTHON312 ref: 00007FF8A7FE755B
TlsGetValue.KERNEL32 ref: 00007FF8A7FE756A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FE757D
TlsSetValue.KERNEL32 ref: 00007FF8A7FE759A
SetLastError.KERNEL32 ref: 00007FF8A7FE75A3
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FE75A9
PyEval_RestoreThread.PYTHON312 ref: 00007FF8A7FE75D6
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE763C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FE765A
PyObject_Init.PYTHON312 ref: 00007FF8A7FE766D
memcpy.VCRUNTIME140 ref: 00007FF8A7FE76A0

Strings

cdata '%s' is not callable, xrefs: 00007FF8A7FE70C5
a cdata function cannot be called with keyword arguments, xrefs: 00007FF8A7FE7122
return type is a struct/union with a varsize array member, xrefs: 00007FF8A7FE764D
int, xrefs: 00007FF8A7FE728F
argument %zd passed in the variadic part needs to be a cdata object (got %.200s), xrefs: 00007FF8A7FE73A1
return type is an opaque structure or union, xrefs: 00007FF8A7FE762B
'%s' expects at least %zd arguments, got %zd, xrefs: 00007FF8A7FE7196
'%s' expects %zd arguments, got %zd, xrefs: 00007FF8A7FE7188
cannot call null pointer pointer from cdata '%s', xrefs: 00007FF8A7FE70ED

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Object_$FormatFree$Eval_MallocMemoryThreadValuemalloc$DeallocErrorInitLastLongLong_RestoreSaveString_errnomemcpymemset
String ID: '%s' expects %zd arguments, got %zd$'%s' expects at least %zd arguments, got %zd$a cdata function cannot be called with keyword arguments$argument %zd passed in the variadic part needs to be a cdata object (got %.200s)$cannot call null pointer pointer from cdata '%s'$cdata '%s' is not callable$int$return type is a struct/union with a varsize array member$return type is an opaque structure or union
API String ID: 2456053456-552399096
Opcode ID: c4c15c6a471b2c500a63e57da7f149bc84ee5df8078617c4f4a9f4cc3ab30684
Instruction ID: f3a4c391339cf815f6892fc758412d6cdc7d58db71e2183cc3e50c91eeab0573
Opcode Fuzzy Hash: c4c15c6a471b2c500a63e57da7f149bc84ee5df8078617c4f4a9f4cc3ab30684
Instruction Fuzzy Hash: 36023972A0AB92A6EB548F35E8442BD23A0FF48BD8F444536DA1D47794EF3CE645E310

Function 00007FF8A7FE9020 Relevance: 54.5, APIs: 21, Strings: 10, Instructions: 223libraryCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FE90E9
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE90FA
PyUnicode_GetLength.PYTHON312 ref: 00007FF8A7FE9111
PyUnicode_AsWideChar.PYTHON312 ref: 00007FF8A7FE9155
LoadLibraryExW.KERNEL32 ref: 00007FF8A7FE919E
LoadLibraryExW.KERNEL32 ref: 00007FF8A7FE91B7
PyErr_Clear.PYTHON312 ref: 00007FF8A7FE91C5
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FE91EC
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE91FD
PyMem_Free.PYTHON312 ref: 00007FF8A7FE9210
GetLastError.KERNEL32 ref: 00007FF8A7FE927E
PyErr_Format.PYTHON312 ref: 00007FF8A7FE92B9
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FE92D6
PyErr_Format.PYTHON312 ref: 00007FF8A7FE930B
PyErr_Format.PYTHON312 ref: 00007FF8A7FE9330
PyUnicode_FromFormat.PYTHON312 ref: 00007FF8A7FE9342
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE934E
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FE936F
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE9399

Strings

dlopen() takes a file name or 'void *' handle, not '%s', xrefs: 00007FF8A7FE92FD
<None>, xrefs: 00007FF8A7FE9379
O|i:load_library, xrefs: 00007FF8A7FE92CF
cannot call dlopen(NULL), xrefs: 00007FF8A7FE9326
dlopen(None) not supported on Windows, xrefs: 00007FF8A7FE938F
cannot load library '%s': %s, xrefs: 00007FF8A7FE92A8
et|i:load_library, xrefs: 00007FF8A7FE91DF
error 0x%x, xrefs: 00007FF8A7FE9295
U|i:load_library, xrefs: 00007FF8A7FE90E2
|Oi:load_library, xrefs: 00007FF8A7FE9368

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Unicode_$Err_$Arg_FormatParseSizeTuple_$LibraryLoad$CharClearErrorFreeFromLastLengthMem_StringWide
String ID: <None>$O|i:load_library$U|i:load_library$cannot call dlopen(NULL)$cannot load library '%s': %s$dlopen() takes a file name or 'void *' handle, not '%s'$dlopen(None) not supported on Windows$error 0x%x$et|i:load_library$|Oi:load_library
API String ID: 502613242-880521189
Opcode ID: 5f61a3c35ddf3417ad0959ded34a85f019f64529f12abbc31e34ac5d2516fa51
Instruction ID: 3c63cc402c21f6841c9b49ed3d19f28dab5b38403f70aba476e8884b16aa2953
Opcode Fuzzy Hash: 5f61a3c35ddf3417ad0959ded34a85f019f64529f12abbc31e34ac5d2516fa51
Instruction Fuzzy Hash: 08A15A22A0AA52A9EF10CF76D8446BC33A4FF44BC5B444532D91E477A4EF7CE649E311

Function 00007FF8A7FF7C20 Relevance: 47.5, APIs: 20, Strings: 7, Instructions: 216COMMON

Download Yara Rule

APIs

PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF7C34

Part of subcall function 00007FF8A7FF7660: PyUnicode_AsUTF8.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF7689
Part of subcall function 00007FF8A7FF7660: PyErr_SetString.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF76FE

PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF7C63
PyErr_Clear.PYTHON312 ref: 00007FF8A7FF7CA3

Strings

__class__, xrefs: 00007FF8A7FF7DC7
__loader__, xrefs: 00007FF8A7FF7E3B
__dict__, xrefs: 00007FF8A7FF7CBF
__all__, xrefs: 00007FF8A7FF7C7F
%s.lib, xrefs: 00007FF8A7FF7E24
__spec__, xrefs: 00007FF8A7FF7E4E
__name__, xrefs: 00007FF8A7FF7DFE

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Unicode_$ClearDict_ItemString
String ID: %s.lib$__all__$__class__$__dict__$__loader__$__name__$__spec__
API String ID: 1723949426-3301019394
Opcode ID: 446cd733eada2a38ca04b49a6c0640e6b9ebf6b869cd275318d076a42c48d988
Instruction ID: 4b8db96f03b453b02fe31bb35a0ad4f43cdbf14498c28764d51e605cc460b818
Opcode Fuzzy Hash: 446cd733eada2a38ca04b49a6c0640e6b9ebf6b869cd275318d076a42c48d988
Instruction Fuzzy Hash: FB717023B4B616A1EA558F35EC4017C63A0EF45BE5F884431CE0D47394EEBDE685E320

Function 00007FF8A7FF6C10 Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 193threadCOMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FF6C4E
PyDict_New.PYTHON312 ref: 00007FF8A7FF6C61
PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF6C7B
PyThread_allocate_lock.PYTHON312 ref: 00007FF8A7FF6C8D
PyCapsule_New.PYTHON312 ref: 00007FF8A7FF6CAC
PyThread_free_lock.PYTHON312 ref: 00007FF8A7FF6CBD
PyTuple_Pack.PYTHON312 ref: 00007FF8A7FF6CE2
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6CF9
_PyObject_CallMethod_SizeT.PYTHON312 ref: 00007FF8A7FF6D1F
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6D36
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6D4F
PyCapsule_GetPointer.PYTHON312 ref: 00007FF8A7FF6D8A
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6DAD
PyEval_SaveThread.PYTHON312 ref: 00007FF8A7FF6DC3
PyThread_acquire_lock.PYTHON312 ref: 00007FF8A7FF6DD4
PyEval_RestoreThread.PYTHON312 ref: 00007FF8A7FF6DDD
PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF6DEB
_PyObject_CallFunction_SizeT.PYTHON312 ref: 00007FF8A7FF6E25
PyTuple_Pack.PYTHON312 ref: 00007FF8A7FF6E47
PyDict_SetItem.PYTHON312 ref: 00007FF8A7FF6E60
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6E78
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6E93
PyThread_release_lock.PYTHON312 ref: 00007FF8A7FF6EA1
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6EB5

Strings

setdefault, xrefs: 00007FF8A7FF6D10
cffi_init_once_lock, xrefs: 00007FF8A7FF6CA5, 00007FF8A7FF6D80

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$Dict_$ItemSize$CallCapsule_Eval_Object_PackThreadTuple_$Arg_Function_Keywords_Method_ParsePointerRestoreSaveThread_acquire_lockThread_allocate_lockThread_free_lockThread_release_lockTuple
String ID: cffi_init_once_lock$setdefault
API String ID: 1006512166-1600032183
Opcode ID: c9f992ef7e9b3b0e609f91063d43edd59e9ce8d547b6f6717272dec2657d723a
Instruction ID: f7b1cfbb0ae9354524997b602bce7de9962ef25dfb1cddbe89787cce66808b8d
Opcode Fuzzy Hash: c9f992ef7e9b3b0e609f91063d43edd59e9ce8d547b6f6717272dec2657d723a
Instruction Fuzzy Hash: 4A814D32A0AB12A5EB158F35EC6427C23A0EF48BD5F084039CE4D467A4DFBCE658E705

Function 00007FF8A7FE8610 Relevance: 44.1, APIs: 18, Strings: 7, Instructions: 367COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON312 ref: 00007FF8A7FE86BA
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE86FF
PyObject_IsInstance.PYTHON312 ref: 00007FF8A7FE872B
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE8745
PyLong_AsUnsignedLongLongMask.PYTHON312 ref: 00007FF8A7FE8777
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE87D8
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE87F3
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE8813
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE8912
PyFloat_AsDouble.PYTHON312 ref: 00007FF8A7FE8939
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE8958
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE896A
PyComplex_AsCComplex.PYTHON312 ref: 00007FF8A7FE8A5C
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE8A7C
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE8A82
_Py_FatalErrorFunc.PYTHON312 ref: 00007FF8A7FE8AFD
PyErr_Format.PYTHON312 ref: 00007FF8A7FE8B4B
PyErr_Format.PYTHON312 ref: 00007FF8A7FE8B68

Strings

cannot cast %.200s object to ctype '%s', xrefs: 00007FF8A7FE8B25
cannot cast to ctype '%s', xrefs: 00007FF8A7FE8B5E
an integer is required, xrefs: 00007FF8A7FE8809
integer conversion failed, xrefs: 00007FF8A7FE87CE
cannot cast ctype '%s' to ctype '%s', xrefs: 00007FF8A7FE8B32
write_raw_complex_data: bad complex size, xrefs: 00007FF8A7FE8AEF
write_raw_complex_data, xrefs: 00007FF8A7FE8AF6

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$DeallocOccurred$FormatLongString$ComplexComplex_DoubleErrorFatalFloat_FuncInstanceLong_MaskObject_SubtypeType_Unsigned
String ID: an integer is required$cannot cast %.200s object to ctype '%s'$cannot cast ctype '%s' to ctype '%s'$cannot cast to ctype '%s'$integer conversion failed$write_raw_complex_data$write_raw_complex_data: bad complex size
API String ID: 1802667343-436044907
Opcode ID: 85c43f9991675b25a81feb9e4bd7e934e0bbb261e73bd2d802bf023595ce4a2f
Instruction ID: 63bbdb4492b4fb245004ba103b1fa00121682c9ad2c43948c86da07dec5ffe72
Opcode Fuzzy Hash: 85c43f9991675b25a81feb9e4bd7e934e0bbb261e73bd2d802bf023595ce4a2f
Instruction Fuzzy Hash: E6F15D62F0BA46A1EE65AF35D80027D23A0FF44BD4F086532D91D466E4EF7CEA95E301

Function 00007FF8A7FE1F10 Relevance: 43.9, APIs: 18, Strings: 7, Instructions: 199COMMON

Download Yara Rule

APIs

PyIndex_Check.PYTHON312 ref: 00007FF8A7FE1F27
PyNumber_AsSsize_t.PYTHON312 ref: 00007FF8A7FE1F42
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE1F51
PyErr_Format.PYTHON312 ref: 00007FF8A7FE1FBA
PySlice_Unpack.PYTHON312 ref: 00007FF8A7FE2021
PySlice_AdjustIndices.PYTHON312 ref: 00007FF8A7FE2045
PyObject_GetBuffer.PYTHON312 ref: 00007FF8A7FE20D8
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FE218C
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE21A3

Strings

expected a pointer or array ctype, got '%s', xrefs: 00007FF8A7FE2142
buffer indices must be integers, not %.200s, xrefs: 00007FF8A7FE221A
contiguous buffer expected, xrefs: 00007FF8A7FE210B
buffer assignment index out of range, xrefs: 00007FF8A7FE1FD9
must assign a bytes of length 1, not %.200s, xrefs: 00007FF8A7FE1FAC
right operand length must match slice length, xrefs: 00007FF8A7FE2199
buffer doesn't support slicing with step != 1, xrefs: 00007FF8A7FE21F3

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Slice_$AdjustBufferBuffer_CheckFormatIndex_IndicesNumber_Object_OccurredReleaseSsize_tStringUnpack
String ID: buffer assignment index out of range$buffer doesn't support slicing with step != 1$buffer indices must be integers, not %.200s$contiguous buffer expected$expected a pointer or array ctype, got '%s'$must assign a bytes of length 1, not %.200s$right operand length must match slice length
API String ID: 2091388830-3042757970
Opcode ID: 91d0e0add9cb049991f8c4443e78de5227e80171d3fdb8e7a0d65a9e2f0fd365
Instruction ID: ac63dffe56f816f399acec0e2b70e4f7aaf56544cb54a98d17203a44935df606
Opcode Fuzzy Hash: 91d0e0add9cb049991f8c4443e78de5227e80171d3fdb8e7a0d65a9e2f0fd365
Instruction Fuzzy Hash: 50918767B0AA52A2EA50DF35E8403BD2361FF84BE4F444131DA5D476A4EF7CE689E310

Function 00007FF8A7FF9260 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 153threadCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FF9287
GetLastError.KERNEL32 ref: 00007FF8A7FF928F
TlsGetValue.KERNEL32 ref: 00007FF8A7FF929E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FF92B1
TlsSetValue.KERNEL32 ref: 00007FF8A7FF92CE
PyThreadState_Get.PYTHON312 ref: 00007FF8A7FF92F8
PyInterpreterState_GetDict.PYTHON312 ref: 00007FF8A7FF9302
PyLong_FromVoidPtr.PYTHON312 ref: 00007FF8A7FF932C
PyErr_Clear.PYTHON312 ref: 00007FF8A7FF933A
PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF9350
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF9366
PyGILState_Release.PYTHON312 ref: 00007FF8A7FF93F1
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FF940C
fprintf.MSPDB140-MSVCRT ref: 00007FF8A7FF9424
memset.VCRUNTIME140 ref: 00007FF8A7FF9432
TlsGetValue.KERNEL32 ref: 00007FF8A7FF943D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FF9469
TlsSetValue.KERNEL32 ref: 00007FF8A7FF9486
SetLastError.KERNEL32 ref: 00007FF8A7FF948F
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FF9495

Strings

extern "Python": function %s() called, but %s. Returning 0., xrefs: 00007FF8A7FF9417

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Value$State_$ErrorLast_errnomalloc$ClearDeallocDictDict_Err_FromInterpreterItemLong_ReleaseThreadVoid__acrt_iob_funcfprintfmemset
String ID: extern "Python": function %s() called, but %s. Returning 0.
API String ID: 1189152460-1240277920
Opcode ID: a9c47355c123ec80a5dc8c737ca8918648251e833020a7eb4a89df78e40b714d
Instruction ID: 0027f36b79d6cc1482b92de28c713f7e19b87bcbdb67c9ac69ca85e472fb1cd4
Opcode Fuzzy Hash: a9c47355c123ec80a5dc8c737ca8918648251e833020a7eb4a89df78e40b714d
Instruction Fuzzy Hash: 75611B32A0AB46A2EB149F71A85423D63A5FF48BD1F044435DA4F87794EFBCE654E300

Function 00007FF8A7FE4510 Relevance: 42.4, APIs: 14, Strings: 10, Instructions: 362COMMON

Download Yara Rule

APIs

PyErr_WarnEx.PYTHON312(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF8A7FE4663

Strings

pointer to same type, xrefs: 00007FF8A7FE46BC
implicit cast to 'char *' from a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct), xrefs: 00007FF8A7FE461F
pointer or array, xrefs: 00007FF8A7FE46A5
implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct), xrefs: 00007FF8A7FE4626
write_raw_integer_data: bad integer size, xrefs: 00007FF8A7FE47D7
write_raw_complex_data: bad complex size, xrefs: 00007FF8A7FE4A05
cdata pointer, xrefs: 00007FF8A7FE468E
convert_from_object: '%s', xrefs: 00007FF8A7FE4A25
write_raw_complex_data, xrefs: 00007FF8A7FE4A0C
write_raw_integer_data, xrefs: 00007FF8A7FE47DE

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Warn
String ID: cdata pointer$convert_from_object: '%s'$implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)$implicit cast to 'char *' from a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)$pointer or array$pointer to same type$write_raw_complex_data$write_raw_complex_data: bad complex size$write_raw_integer_data$write_raw_integer_data: bad integer size
API String ID: 734914325-3043910273
Opcode ID: afafe24922391c459654689ce4c6693d3d2dd3445accf8ef715d7716a803c564
Instruction ID: 9d21844ea55ed034b53b402697d62a2ccb399c02f06b876e717e4ff034c34847
Opcode Fuzzy Hash: afafe24922391c459654689ce4c6693d3d2dd3445accf8ef715d7716a803c564
Instruction Fuzzy Hash: 31E17A22E1BA42AAFA609F35980417D23A0FF55BD4F444539EA4E426D0FF7CFA55E204

Function 00007FF8A7FF4F70 Relevance: 42.3, APIs: 14, Strings: 10, Instructions: 270stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FF5006
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FF5044
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FF5081
_Py_FatalErrorFunc.PYTHON312 ref: 00007FF8A7FF5127
PyList_New.PYTHON312 ref: 00007FF8A7FF5154
_Py_BuildValue_SizeT.PYTHON312 ref: 00007FF8A7FF51ED
_Py_BuildValue_SizeT.PYTHON312 ref: 00007FF8A7FF5261
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF5278
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF52B6
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF52E1
PyErr_Format.PYTHON312 ref: 00007FF8A7FF52FC
PyErr_Format.PYTHON312 ref: 00007FF8A7FF534A
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF5366
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF5389

Strings

struct , xrefs: 00007FF8A7FF4FF0
field op=%d, xrefs: 00007FF8A7FF52EE
union , xrefs: 00007FF8A7FF5039
lost a struct/union!, xrefs: 00007FF8A7FF5119
(sOin), xrefs: 00007FF8A7FF51E6
do_realize_lazy_struct, xrefs: 00007FF8A7FF5120
%s: %s%s%s (cdef says %zd, but C compiler says %zd). fix it or use "...;" as the last field in the cdef for %s to make it flexible, xrefs: 00007FF8A7FF533B
enum , xrefs: 00007FF8A7FF5076
wrong size for field ', xrefs: 00007FF8A7FF532F
(OOOnii), xrefs: 00007FF8A7FF5227

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$strncmp$BuildErr_FormatSizeValue_$ErrorFatalFuncList_
String ID: %s: %s%s%s (cdef says %zd, but C compiler says %zd). fix it or use "...;" as the last field in the cdef for %s to make it flexible$(OOOnii)$(sOin)$do_realize_lazy_struct$enum $field op=%d$lost a struct/union!$struct $union $wrong size for field '
API String ID: 1048173794-2709940433
Opcode ID: 5c095b41d4125f10d06d91481f975096bd344b5c3e4f95dc5998aef9e561da3a
Instruction ID: cae059eb559bf01c7ce860b12aa02948a1c7db70b8a6285147eefcb778610d44
Opcode Fuzzy Hash: 5c095b41d4125f10d06d91481f975096bd344b5c3e4f95dc5998aef9e561da3a
Instruction Fuzzy Hash: C1C17C72A0AA82A6EB108F25E9442BD37A1FB45BE4F444231DA6E477D4DFBCE255D300

Function 00007FF8A7FE2270 Relevance: 40.4, APIs: 19, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

_PyObject_CallMethod_SizeT.PYTHON312 ref: 00007FF8A7FE228F
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE22AC
PyObject_GetAttrString.PYTHON312 ref: 00007FF8A7FE22BC
PyErr_Clear.PYTHON312 ref: 00007FF8A7FE22CE
PyObject_AsFileDescriptor.PYTHON312 ref: 00007FF8A7FE22D7
PyObject_GetAttrString.PYTHON312 ref: 00007FF8A7FE22F1
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE2306
_dup.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE231A
PyErr_SetFromErrno.PYTHON312 ref: 00007FF8A7FE2330
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF8A7FE2340
_close.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE2350
setbuf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE235D
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2371
PyCapsule_New.PYTHON312 ref: 00007FF8A7FE2388
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE2399
PyObject_SetAttrString.PYTHON312 ref: 00007FF8A7FE23C1
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE23D9
PyCapsule_GetPointer.PYTHON312 ref: 00007FF8A7FE23EB
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2402

Strings

FILE, xrefs: 00007FF8A7FE2381, 00007FF8A7FE23E1
flush, xrefs: 00007FF8A7FE2285
__cffi_FILE, xrefs: 00007FF8A7FE22B2, 00007FF8A7FE23B7
mode, xrefs: 00007FF8A7FE22E7

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Object_$Dealloc$AttrString$Capsule_Err_$CallClearDescriptorErrnoFileFromMethod_PointerSizeUnicode__close_dup_fdopenfclosesetbuf
String ID: FILE$__cffi_FILE$flush$mode
API String ID: 893206650-3531628309
Opcode ID: 7a3013526266b7a646f70fbca41e08bf56b549bc88c4124df7b937eee1ac7037
Instruction ID: 86753400d05a6aba6d434f6f6d21fb0b42c3f3b05556d7c5bfbd082d64a594b5
Opcode Fuzzy Hash: 7a3013526266b7a646f70fbca41e08bf56b549bc88c4124df7b937eee1ac7037
Instruction Fuzzy Hash: 80411836A0BE23A6FA059F36A81427C23A1EF49BD5F444030C90E46764FEBCE649F704

Function 00007FF8A7FEC2C0 Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 188COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FEC311
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEC347
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEC371

Strings

tuple args must have the same size, xrefs: 00007FF8A7FEC33D
sO!O!O!:new_enum_type, xrefs: 00007FF8A7FEC2F3
enumerators must be a list of strings, xrefs: 00007FF8A7FEC537
expected a primitive signed or unsigned base type, xrefs: 00007FF8A7FEC367

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_String$Arg_ParseSizeTuple_
String ID: enumerators must be a list of strings$expected a primitive signed or unsigned base type$sO!O!O!:new_enum_type$tuple args must have the same size
API String ID: 3337331331-3833221460
Opcode ID: 1ce72b17df9774109b977ac5b818a0364eef8d6e6245cc2d1a3e95691f75b309
Instruction ID: 830229246e63624e5088d6f45eb498460018375a101c5a01ec285f107cc17501
Opcode Fuzzy Hash: 1ce72b17df9774109b977ac5b818a0364eef8d6e6245cc2d1a3e95691f75b309
Instruction Fuzzy Hash: 57912673A0AB52A5EA148F36D8442BD33A1FB84BD4F484035DA1D477A4EF7DE649E700

Function 00007FF8A7FE1300 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 118threadCOMMON

Download Yara Rule

APIs

PyGILState_GetThisThreadState.PYTHON312 ref: 00007FF8A7FE1306
_PyThreadState_UncheckedGet.PYTHON312 ref: 00007FF8A7FE1317
PyEval_RestoreThread.PYTHON312 ref: 00007FF8A7FE1325
PyGILState_Ensure.PYTHON312 ref: 00007FF8A7FE1352
PyGILState_GetThisThreadState.PYTHON312 ref: 00007FF8A7FE135B
PyThread_acquire_lock.PYTHON312 ref: 00007FF8A7FE138F
PyThread_release_lock.PYTHON312 ref: 00007FF8A7FE13C9
PyThreadState_Clear.PYTHON312 ref: 00007FF8A7FE13D7
PyThreadState_Delete.PYTHON312 ref: 00007FF8A7FE13E4
_Py_FatalErrorFunc.PYTHON312 ref: 00007FF8A7FE13FA
TlsGetValue.KERNEL32 ref: 00007FF8A7FE140C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FE141F
TlsSetValue.KERNEL32 ref: 00007FF8A7FE143C
PyThreadState_GetDict.PYTHON312 ref: 00007FF8A7FE1442
_PyObject_New.PYTHON312 ref: 00007FF8A7FE1457
PyDict_SetItemString.PYTHON312 ref: 00007FF8A7FE1482
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE1498

Strings

cffi.thread.canary, xrefs: 00007FF8A7FE146C
cffi: invalid ThreadCanaryObj->tstate, xrefs: 00007FF8A7FE13EC
thread_canary_free_zombies, xrefs: 00007FF8A7FE13F3

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: State_Thread$StateThisValue$ClearDeallocDeleteDictDict_EnsureErrorEval_FatalFuncItemObject_RestoreStringThread_acquire_lockThread_release_lockUncheckedmalloc
String ID: cffi.thread.canary$cffi: invalid ThreadCanaryObj->tstate$thread_canary_free_zombies
API String ID: 1895661259-237290086
Opcode ID: a9c94bad9972d146f96a275a8134f4a7c1f527d065d1243276536a5c43e158b3
Instruction ID: 6184681d7fbf0231acac17c119b831332582c440eeff2c33cc872296c05ad909
Opcode Fuzzy Hash: a9c94bad9972d146f96a275a8134f4a7c1f527d065d1243276536a5c43e158b3
Instruction Fuzzy Hash: FE513872A0AB52A2EB149F21E85413C73A4FF88BD1F190534CA4D077A4EF7CE699E314

Function 00007FF8A7FE4A70 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 185COMMON

Download Yara Rule

APIs

PyLong_AsLongLong.PYTHON312 ref: 00007FF8A7FE4A9C
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE4AAB

Strings

value %s outside the range allowed by the bit field width: %s <= x <= %s, xrefs: 00007FF8A7FE4C33
read_raw_unsigned_data, xrefs: 00007FF8A7FE4B9E
read_raw_unsigned_data: bad integer size, xrefs: 00007FF8A7FE4B97

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Long$Err_Long_Occurred
String ID: read_raw_unsigned_data$read_raw_unsigned_data: bad integer size$value %s outside the range allowed by the bit field width: %s <= x <= %s
API String ID: 391545614-647553974
Opcode ID: 12303eca1c576e1e3ec0f7bea286f7c74104514808cf3ac8cb2be38ebbcdd59d
Instruction ID: f7d8e76d195ed05d0b6312a734f469a038956286f6466032409204c1460cc051
Opcode Fuzzy Hash: 12303eca1c576e1e3ec0f7bea286f7c74104514808cf3ac8cb2be38ebbcdd59d
Instruction Fuzzy Hash: 2F617422B0B622AAEA14DF35A85427D2390FF45BE4F094539DE1E47794EF7CE295E300

Function 00007FF8A7FEDC70 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FEDCC2
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEDCE8
PyObject_GetBuffer.PYTHON312 ref: 00007FF8A7FEDD5F
PyBuffer_IsContiguous.PYTHON312 ref: 00007FF8A7FEDD74
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FEDD83
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEDD9A
PyErr_Format.PYTHON312 ref: 00007FF8A7FEDDD0
PyObject_GetBuffer.PYTHON312 ref: 00007FF8A7FEDE1D
PyBuffer_IsContiguous.PYTHON312 ref: 00007FF8A7FEDE31
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FEDE43
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEDE5A
PyErr_Format.PYTHON312 ref: 00007FF8A7FEDE92
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FEDE9D
memcpy.VCRUNTIME140 ref: 00007FF8A7FEDECD
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FEDEDA
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FEDEE5

Strings

expected a pointer or array ctype, got '%s', xrefs: 00007FF8A7FEDDC2, 00007FF8A7FEDE84
negative size, xrefs: 00007FF8A7FEDCDE
OOn, xrefs: 00007FF8A7FEDCAB
contiguous buffer expected, xrefs: 00007FF8A7FEDD90, 00007FF8A7FEDE50

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Buffer_$Err_Release$String$BufferContiguousFormatObject_$Arg_Keywords_ParseSizeTuplememcpy
String ID: OOn$contiguous buffer expected$expected a pointer or array ctype, got '%s'$negative size
API String ID: 3181281413-4176687996
Opcode ID: 5e8d3a7e044e7f15dddcf988e108217123b986eefc78d5c51fcb7b081c946e92
Instruction ID: 5f7aea0e011e5157d604147337053c2c45b4be8ffafcacd9b85adb3ff6e131ac
Opcode Fuzzy Hash: 5e8d3a7e044e7f15dddcf988e108217123b986eefc78d5c51fcb7b081c946e92
Instruction Fuzzy Hash: 60710E22A0FA46A1EA609F35E8543BD7360FB84FD4F544032C94D47AA4DFBDEA49E701

Function 00007FF8A7FF61E0 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 247COMMON

Download Yara Rule

APIs

PyTuple_Size.PYTHON312 ref: 00007FF8A7FF61F5
PyErr_SetString.PYTHON312 ref: 00007FF8A7FF6212
_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FF8274
PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FF8287
PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF82A5
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF82E0

Strings

O!s, xrefs: 00007FF8A7FF826D
addressof() expects at least 1 argument, xrefs: 00007FF8A7FF6208
cannot take the address of the constant '%.200s', xrefs: 00007FF8A7FF8430
expected a cdata struct/union/array object, xrefs: 00007FF8A7FF627F
expected a cdata struct/union/array/pointer object, xrefs: 00007FF8A7FF62B0

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: SizeStringTuple_$Arg_DeallocDict_Err_FromItemParseUnicode_
String ID: O!s$addressof() expects at least 1 argument$cannot take the address of the constant '%.200s'$expected a cdata struct/union/array object$expected a cdata struct/union/array/pointer object
API String ID: 3853558574-3015567189
Opcode ID: 4f1f9d8f8d3ef48fb30b7b1165c1df5992e332cca099e2fc900ce8a4c44bdcca
Instruction ID: dc1a111e36a988c1b3386f75f0a0945430e774278bf362fe5606d3c91f1da9f2
Opcode Fuzzy Hash: 4f1f9d8f8d3ef48fb30b7b1165c1df5992e332cca099e2fc900ce8a4c44bdcca
Instruction Fuzzy Hash: F3A14C22B0BA02A6EE159F25E95017D63A0FF84BD4F480435DE4D477A4EFBCE695E310

Function 00007FF8A7FEA910 Relevance: 31.7, APIs: 6, Strings: 12, Instructions: 221COMMON

Download Yara Rule

Strings

It is a struct with bit fields, which libffi does not support, xrefs: 00007FF8A7FEAAA5
ctype '%s' has size 0, xrefs: 00007FF8A7FEA999
(the support for complex types inside libffi is mostly missing at this point, so CFFI only supports complex types as arguments or return value in API-mode functions), xrefs: 00007FF8A7FEABFA
It is a struct declared with "...;", but the C calling convention may depend on the missing fields; or, it contains anonymous struct/unions, xrefs: 00007FF8A7FEA9FC
argument, xrefs: 00007FF8A7FEA927
It is a 'packed' structure, with a different layout than expected by libffi, xrefs: 00007FF8A7FEAA0E
ctype '%s' has incomplete type, xrefs: 00007FF8A7FEA992
ctype '%s' not supported as %s. %s. Such structs are only supported as %s if the function is 'API mode' and non-variadic (i.e. declared inside ffibuilder.cdef()+ffibuilder.set_source() and not taking a final '...' argument), xrefs: 00007FF8A7FEAABC
ctype '%s' not supported as %s by libffi. Unions are only supported as %s if the function is 'API mode' and non-variadic (i.e. declared inside ffibuilder.cdef()+ffibuilder.set_source() and not taking a final '...' argument), xrefs: 00007FF8A7FEABCC
ctype '%s' (size %zd) not supported as %s%s, xrefs: 00007FF8A7FEAC05
It is a struct with a zero-length array, which libffi does not support, xrefs: 00007FF8A7FEAA9C
return value, xrefs: 00007FF8A7FEA920

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID:
String ID: (the support for complex types inside libffi is mostly missing at this point, so CFFI only supports complex types as arguments or return value in API-mode functions)$It is a 'packed' structure, with a different layout than expected by libffi$It is a struct declared with "...;", but the C calling convention may depend on the missing fields; or, it contains anonymous struct/unions$It is a struct with a zero-length array, which libffi does not support$It is a struct with bit fields, which libffi does not support$argument$ctype '%s' (size %zd) not supported as %s%s$ctype '%s' has incomplete type$ctype '%s' has size 0$ctype '%s' not supported as %s by libffi. Unions are only supported as %s if the function is 'API mode' and non-variadic (i.e. declared inside ffibuilder.cdef()+ffibuilder.set_source() and not taking a final '...' argument)$ctype '%s' not supported as %s. %s. Such structs are only supported as %s if the function is 'API mode' and non-variadic (i.e. declared inside ffibuilder.cdef()+ffibuilder.set_source() and not taking a final '...' argument)$return value
API String ID: 0-3203576518
Opcode ID: 91a60309c1201fcbff79e3b7a875e322f5ef19b41dd8c5b9171f57c97773f230
Instruction ID: 95a381f225d12c628dbdb9d0da44e8ac85deb9c8c63aa5a7d43093db75851493
Opcode Fuzzy Hash: 91a60309c1201fcbff79e3b7a875e322f5ef19b41dd8c5b9171f57c97773f230
Instruction Fuzzy Hash: 7B918F22A0AB52E5EB148F29E94067E23A4FB44BD8F454032DE4D937A4EF7CD695E304

Function 00007FF8A7FF8FF0 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 161COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FF9027
PyObject_GetAttrString.PYTHON312 ref: 00007FF8A7FF904C
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF9061
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF90E4
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF9139
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF9162
PyErr_NoMemory.PYTHON312 ref: 00007FF8A7FF9168
PyLong_FromVoidPtr.PYTHON312 ref: 00007FF8A7FF917A
PyDict_SetItem.PYTHON312 ref: 00007FF8A7FF9195
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF91AB
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF91BF
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF91F8
PyErr_Format.PYTHON312 ref: 00007FF8A7FF9224
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF923D

Strings

ffi.def_extern('%s'): no 'extern "Python"' function with this name, xrefs: 00007FF8A7FF9216
OzOO, xrefs: 00007FF8A7FF9020
__name__, xrefs: 00007FF8A7FF9042

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$Err_$Arg_AttrDict_FormatFromItemLong_MemoryObject_ParseSizeStringTuple_Unicode_Void
String ID: OzOO$__name__$ffi.def_extern('%s'): no 'extern "Python"' function with this name
API String ID: 75418018-1717190264
Opcode ID: 009146542484bd9d585af5ddf01ac4b518f2af8cd7092de8f00e9a9bf2967272
Instruction ID: 96d810f7530acb5231bfe87c4a59c471abe460582ee5cd2825b0a74378fb56b6
Opcode Fuzzy Hash: 009146542484bd9d585af5ddf01ac4b518f2af8cd7092de8f00e9a9bf2967272
Instruction Fuzzy Hash: 12613B32A0AB42A6EB559F75A8442BD33A0FF45BE5F054131CA0E87795DFBCE654E300

Function 00007FF8A7FECB70 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 254COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FECBBD
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FECC19
PyErr_Format.PYTHON312 ref: 00007FF8A7FECC33
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FECC4E
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FF8A7FECCA3
PyDict_GetItem.PYTHON312 ref: 00007FF8A7FECDFA
PyObject_Str.PYTHON312 ref: 00007FF8A7FECE16
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FECE2D
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FF8A7FECE66

Strings

cannot use string() on %s, xrefs: 00007FF8A7FECC26
O!|n:string, xrefs: 00007FF8A7FECBA2
string(): unexpected cdata '%s' argument, xrefs: 00007FF8A7FECEDA

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Size$Bytes_DeallocFromString$Arg_Dict_Err_FormatItemKeywords_Object_ParseTupleUnicode_
String ID: O!|n:string$cannot use string() on %s$string(): unexpected cdata '%s' argument
API String ID: 13065410-52486950
Opcode ID: 2d4cbdc47e6f18dc9e6c1e0fe851ba1c9a15ca21d2103c4b73810f2b925c330a
Instruction ID: 7a78cd80b9a52a36f4476eba7048b16bca99b149e7c47f60fc34757b13ff6e5a
Opcode Fuzzy Hash: 2d4cbdc47e6f18dc9e6c1e0fe851ba1c9a15ca21d2103c4b73810f2b925c330a
Instruction Fuzzy Hash: 73A19E33B0AB4291EB158F2AE54417D63A1EB84FD4F080131EE5D477A9EE6DE681E701

Function 00007FF8A7FECF00 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 206COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FECF57
PyErr_Format.PYTHON312 ref: 00007FF8A7FECF88
PyErr_SetString.PYTHON312 ref: 00007FF8A7FECFAA
PyUnicode_FromKindAndData.PYTHON312 ref: 00007FF8A7FED04E
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FF8A7FED069
PyList_New.PYTHON312 ref: 00007FF8A7FED071
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FED09E
PyErr_Format.PYTHON312 ref: 00007FF8A7FED0C1

Strings

cannot use unpack() on %s, xrefs: 00007FF8A7FECFDB
'%s' points to items of unknown size, xrefs: 00007FF8A7FED0A8
'length' cannot be negative, xrefs: 00007FF8A7FECFA0
O!n:unpack, xrefs: 00007FF8A7FECF3E
expected a pointer or array, got '%s', xrefs: 00007FF8A7FECF7E

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$FormatFromSizeString$Arg_Bytes_DataDeallocKeywords_KindList_ParseTupleUnicode_
String ID: '%s' points to items of unknown size$'length' cannot be negative$O!n:unpack$cannot use unpack() on %s$expected a pointer or array, got '%s'
API String ID: 3473059216-2661630795
Opcode ID: 34e12fcbb80e5726260c73e6d2e536cbe86aba34bc5018269a53c7c1017e2df3
Instruction ID: b4e87a4f19cb448f2ba5672cf6f0d9d3ea9fa54375790912df1a3b28abb5e026
Opcode Fuzzy Hash: 34e12fcbb80e5726260c73e6d2e536cbe86aba34bc5018269a53c7c1017e2df3
Instruction Fuzzy Hash: 3C913E62A0B606A1FA658F35D85427D23A1FF44FE8F180436DE4E47B98EE7DE645E300

Function 00007FF8A7FF4580 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 196stringCOMMON

Download Yara Rule

APIs

_PyObject_GC_NewVar.PYTHON312 ref: 00007FF8A7FF45D1
PyObject_GC_Track.PYTHON312 ref: 00007FF8A7FF45F4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FF471A
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FF47D8
PyErr_Format.PYTHON312 ref: 00007FF8A7FF480E
PyErr_Format.PYTHON312 ref: 00007FF8A7FF4865
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF4878

Strings

struct , xrefs: 00007FF8A7FF46F8
FILE, xrefs: 00007FF8A7FF4615
struct _IO_FILE, xrefs: 00007FF8A7FF4710
union , xrefs: 00007FF8A7FF46EF
union, xrefs: 00007FF8A7FF47EB, 00007FF8A7FF4852
'%s %.200s' should come from ffi.include() but was not found, xrefs: 00007FF8A7FF4803
'%s %.200s' is opaque in the ffi.include(), but no longer in the ffi doing the include (workaround: don't use ffi.include() but duplicate the declarations of everything using %s %.200s), xrefs: 00007FF8A7FF4844
struct, xrefs: 00007FF8A7FF47F5, 00007FF8A7FF483A

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$FormatObject_$DeallocOccurredTrackstrcmp
String ID: '%s %.200s' is opaque in the ffi.include(), but no longer in the ffi doing the include (workaround: don't use ffi.include() but duplicate the declarations of everything using %s %.200s)$'%s %.200s' should come from ffi.include() but was not found$FILE$struct$struct $struct _IO_FILE$union$union
API String ID: 1251701841-281863512
Opcode ID: 8e036e2844b051469bcf4b31112dec2c57e13b12b28c27cd0149affa9344cf3d
Instruction ID: db7f46749ea5b180e6c56d57c88345234d330e55e0650489034c0e2a35abb639
Opcode Fuzzy Hash: 8e036e2844b051469bcf4b31112dec2c57e13b12b28c27cd0149affa9344cf3d
Instruction Fuzzy Hash: C8913872A06B52A6EB108F35E8402BC73A0FB48BE4B458236DA2D477E4DF7CE654D300

Function 00007FF8A7FE63A0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7FE61B0: PyLong_AsSsize_t.PYTHON312 ref: 00007FF8A7FE61D7
Part of subcall function 00007FF8A7FE61B0: PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE61E6
Part of subcall function 00007FF8A7FE61B0: PyErr_SetString.PYTHON312 ref: 00007FF8A7FE6243

memcpy.VCRUNTIME140 ref: 00007FF8A7FE6459
PyType_IsSubtype.PYTHON312 ref: 00007FF8A7FE64A9
PyErr_Format.PYTHON312 ref: 00007FF8A7FE64E2
memcpy.VCRUNTIME140 ref: 00007FF8A7FE6502
PyObject_GetIter.PYTHON312 ref: 00007FF8A7FE651E
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE6579
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE65AD
PyErr_Format.PYTHON312 ref: 00007FF8A7FE65C7
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE65E5
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE65EB
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE6608
PyErr_Format.PYTHON312 ref: 00007FF8A7FE662A

Strings

got more than %zd values to unpack, xrefs: 00007FF8A7FE65BA
need %zd values to unpack, got %zd, xrefs: 00007FF8A7FE661A
need a string of length %zd, got %zd, xrefs: 00007FF8A7FE64D8

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$DeallocFormatOccurred$memcpy$IterLong_Object_Ssize_tStringSubtypeType_
String ID: got more than %zd values to unpack$need %zd values to unpack, got %zd$need a string of length %zd, got %zd
API String ID: 3367705057-281290674
Opcode ID: ffccfdf67bb5514a2294067a38fbccc47c9777278039499112768b8df474f7c3
Instruction ID: c6e1195210593b1492c780ad5bdff8aa45a90082ef344196f02a66bf62a9e7f3
Opcode Fuzzy Hash: ffccfdf67bb5514a2294067a38fbccc47c9777278039499112768b8df474f7c3
Instruction Fuzzy Hash: FF713D32B0AA56A5EE558F36E85027D23A0FB84BD4F480436DE0D477A4EF7CE685E300

Function 00007FF8A7FE6B10 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 158COMMON

Download Yara Rule

APIs

PyObject_GenericGetAttr.PYTHON312 ref: 00007FF8A7FE6D1A

Strings

read_raw_signed_data: bad integer size, xrefs: 00007FF8A7FE6C49
cdata '%s' has no field '%s', xrefs: 00007FF8A7FE6D0D
cdata '%s' has no attribute '%s', xrefs: 00007FF8A7FE6B28
read_raw_unsigned_data, xrefs: 00007FF8A7FE6CC6
read_raw_unsigned_data: bad integer size, xrefs: 00007FF8A7FE6CBF
read_raw_signed_data, xrefs: 00007FF8A7FE6C50
cdata '%s' points to an opaque type: cannot read fields, xrefs: 00007FF8A7FE6B62

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: AttrGenericObject_
String ID: cdata '%s' has no attribute '%s'$cdata '%s' has no field '%s'$cdata '%s' points to an opaque type: cannot read fields$read_raw_signed_data$read_raw_signed_data: bad integer size$read_raw_unsigned_data$read_raw_unsigned_data: bad integer size
API String ID: 3652601395-836776902
Opcode ID: fec4d6c021aa731c563873d6b774b880bb1207181053925ea72ca0eef88c19d5
Instruction ID: 7d8d41acb5e75b0852cf1bd05aeb8437ec6082fa0444b86c8019c9637f55f288
Opcode Fuzzy Hash: fec4d6c021aa731c563873d6b774b880bb1207181053925ea72ca0eef88c19d5
Instruction Fuzzy Hash: 7D51A372E0E65AA2EA288F39986417C2761EF55BD4F540036DA4E077D5EF6CEB41F300

Function 00007FF8A7FEDA50 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 108COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FEDA8B
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEDAB9

Strings

expected a pointer or array ctype, got '%s', xrefs: 00007FF8A7FEDA81
from_buffer('%s', ..): the actual length of the array cannot be computed, xrefs: 00007FF8A7FEDBBC
from_buffer() cannot return the address of a unicode object, xrefs: 00007FF8A7FEDAAF
buffer is too small (%zd bytes) for '%s' (%zd bytes), xrefs: 00007FF8A7FEDB53

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$FormatString
String ID: buffer is too small (%zd bytes) for '%s' (%zd bytes)$expected a pointer or array ctype, got '%s'$from_buffer('%s', ..): the actual length of the array cannot be computed$from_buffer() cannot return the address of a unicode object
API String ID: 4212644371-2010142110
Opcode ID: abe6d8a0bf70cae37633da0e0651984bc6223ba66e25b4b8c26269f830bf5e4c
Instruction ID: 60b4a50d60affb93cbda2abb91d22ca543024a880f74498a44b7f1392e27cfef
Opcode Fuzzy Hash: abe6d8a0bf70cae37633da0e0651984bc6223ba66e25b4b8c26269f830bf5e4c
Instruction Fuzzy Hash: 4F510E26A0AA52A6EB14DF39E85027D63A1FB48FC4F440031DE4E47BA4EF7DE655E340

Function 00007FF8A7FE61B0 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 94COMMON

Download Yara Rule

APIs

PyLong_AsSsize_t.PYTHON312 ref: 00007FF8A7FE61D7
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE61E6
PyLong_AsSsize_t.PYTHON312 ref: 00007FF8A7FE620B
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE621A
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE6243
PyErr_Format.PYTHON312 ref: 00007FF8A7FE62C2
PyErr_Format.PYTHON312 ref: 00007FF8A7FE630F

Strings

slice start must be specified, xrefs: 00007FF8A7FE61FE
slice stop must be specified, xrefs: 00007FF8A7FE6232
negative index, xrefs: 00007FF8A7FE6285
slice with step not supported, xrefs: 00007FF8A7FE625D
index too large (expected %zd <= %zd), xrefs: 00007FF8A7FE62B5
cdata of type '%s' cannot be indexed, xrefs: 00007FF8A7FE6305
slice start > stop, xrefs: 00007FF8A7FE626B

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$FormatLong_OccurredSsize_t$String
String ID: cdata of type '%s' cannot be indexed$index too large (expected %zd <= %zd)$negative index$slice start > stop$slice start must be specified$slice stop must be specified$slice with step not supported
API String ID: 564475518-3973974439
Opcode ID: fc2cef9232994741ca4fe200dcfea594a668e3ee079a1f2ac3a9d476730cffc8
Instruction ID: 2cd353a9f7be7924e9dde2ea990ec852ac10fd22ad2943eacc449a45a6aba3e3
Opcode Fuzzy Hash: fc2cef9232994741ca4fe200dcfea594a668e3ee079a1f2ac3a9d476730cffc8
Instruction Fuzzy Hash: 19412B32A0BA1AA1EE108F75E86017C2360FF88BD4F444535DA6D477A4EFBCE655E301

Function 00007FF8A7FE25A0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

PyImport_AddModule.PYTHON312 ref: 00007FF8A7FE25C9
PyModule_GetDict.PYTHON312 ref: 00007FF8A7FE25DB
PyImport_ImportModule.PYTHON312 ref: 00007FF8A7FE25F9
PyDict_SetItemString.PYTHON312 ref: 00007FF8A7FE2614
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2628
PyRun_StringFlags.PYTHON312 ref: 00007FF8A7FE2649
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2662
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE266D
PyErr_WriteUnraisable.PYTHON312 ref: 00007FF8A7FE267F
PyErr_Clear.PYTHON312 ref: 00007FF8A7FE2685

Strings

__builtins__, xrefs: 00007FF8A7FE260A
import sysclass FileLike: def write(self, x): try: of.write(x) except: pass self.buf += x def flush(self): passfl = FileLike()fl.buf = ''of = sys.stderrsys.stderr = fldef done(): sys.stderr = of return fl.buf, xrefs: 00007FF8A7FE263D
_cffi_error_capture, xrefs: 00007FF8A7FE25C2
builtins, xrefs: 00007FF8A7FE25ED

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$DeallocImport_ModuleString$ClearDictDict_FlagsImportItemModule_OccurredRun_UnraisableWrite
String ID: __builtins__$_cffi_error_capture$builtins$import sysclass FileLike: def write(self, x): try: of.write(x) except: pass self.buf += x def flush(self): passfl = FileLike()fl.buf = ''of = sys.stderrsys.stderr = fldef done(): sys.stderr = of return fl.buf
API String ID: 2387839683-950058525
Opcode ID: 19fe21f271e7442d25d3103835c50ccb39658e7b69a728fbdb021a384b3e77a4
Instruction ID: f64fec574d380cfdbc7b35c6d4b977f4c607024ff06ef88309e784ae6c0b7762
Opcode Fuzzy Hash: 19fe21f271e7442d25d3103835c50ccb39658e7b69a728fbdb021a384b3e77a4
Instruction Fuzzy Hash: 86210926A0BB12A1FA559F35ED1427C23A0EF85BD0F480535C90E467A0FFBCE688E704

Function 00007FF8A7FF5910 Relevance: 22.9, APIs: 6, Strings: 7, Instructions: 188COMMON

Download Yara Rule

APIs

PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF5956
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF596B
PyDict_SetItem.PYTHON312 ref: 00007FF8A7FF5A3C
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF5A52
PyErr_Format.PYTHON312 ref: 00007FF8A7FF5A99
PyErr_Format.PYTHON312 ref: 00007FF8A7FF5BDC

Strings

unexpected symbol, xrefs: 00007FF8A7FF59DF
expected a %s%s%s%s%s, got '%.200s', xrefs: 00007FF8A7FF5BD2
string, xrefs: 00007FF8A7FF5B2A
or , xrefs: 00007FF8A7FF5B43
ctype object, xrefs: 00007FF8A7FF5B31
cdata object, xrefs: 00007FF8A7FF5B53
the type '%s%s' is a function type, not a pointer-to-function type, xrefs: 00007FF8A7FF5A87

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dict_Err_FormatItem$DeallocUnicode_
String ID: or $cdata object$ctype object$expected a %s%s%s%s%s, got '%.200s'$string$the type '%s%s' is a function type, not a pointer-to-function type$unexpected symbol
API String ID: 3047486896-3137146848
Opcode ID: e48489101ec95c841d86b78e47a6197ee3134ba41591d101bfc84f079dba80d9
Instruction ID: a63538beb6341fdd6ab2376fed7e2f656aa816b2449d0a255b9a31053bd9af4c
Opcode Fuzzy Hash: e48489101ec95c841d86b78e47a6197ee3134ba41591d101bfc84f079dba80d9
Instruction Fuzzy Hash: 3F81BF62B0BB42A1EB508F28E5903BD67A1FB85BD4F484031DA4D47794DFBCEA99D300

Function 00007FF8A7FF7660 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

PyUnicode_AsUTF8.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF7689
PyErr_SetString.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF76FE
PyDict_GetItem.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF772F
PyTuple_GetItem.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF776F
PyErr_Occurred.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF779A
PyUnicode_AsUTF8.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF77D2
PyErr_Format.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF77EF
PyDict_SetItem.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF7AA3
_Py_Dealloc.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF7AB9
PyErr_Format.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF7AD9

Strings

recursion overflow in ffi.include() delegations, xrefs: 00007FF8A7FF76F4
in lib_build_attr: op=%d, xrefs: 00007FF8A7FF7ACF
cffi library '%.200s' has no function, constant or global variable named '%.200s', xrefs: 00007FF8A7FF77DF

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Item$Dict_FormatUnicode_$DeallocOccurredStringTuple_
String ID: cffi library '%.200s' has no function, constant or global variable named '%.200s'$in lib_build_attr: op=%d$recursion overflow in ffi.include() delegations
API String ID: 3583525245-1263113588
Opcode ID: 3632fe1a96f4866765e8c4c9aa862c6ac1012ff48af7dff7a1c568364126c7fa
Instruction ID: c04e4d7c624c8b8fda84c278d0539d5402ea04e119435b5f377e5ef14a0ed489
Opcode Fuzzy Hash: 3632fe1a96f4866765e8c4c9aa862c6ac1012ff48af7dff7a1c568364126c7fa
Instruction Fuzzy Hash: 77518E22A1B652A2EA058F36E80457DA3A1FF88BD4F854031CE1D477A0EFBDE605E710

Function 00007FF646AB1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to write data chunk!, xrefs: 00007FF646AB17CA
Failed to extract %s: failed to open target file!, xrefs: 00007FF646AB165C
fopen, xrefs: 00007FF646AB1663
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF646AB16DA
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF646AB17DF
malloc, xrefs: 00007FF646AB1749
fseek, xrefs: 00007FF646AB16E1
Failed to create symbolic link %s!, xrefs: 00007FF646AB1622
Failed to extract %s: failed to open archive file!, xrefs: 00007FF646AB16A2
fwrite, xrefs: 00007FF646AB17D1
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF646AB1742
fread, xrefs: 00007FF646AB17E6

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 0a87ee3060ec78e21d6c2d3bfc048a27d307e8fd5641d8a78f43b3b0b6daa239
Instruction ID: 7cea0f6b518ac829e0a57dd3ded8ca75e6943cbfbf62f1eea1e4938712e7af52
Opcode Fuzzy Hash: 0a87ee3060ec78e21d6c2d3bfc048a27d307e8fd5641d8a78f43b3b0b6daa239
Instruction Fuzzy Hash: 4851CE61B0CE4B92EA10BB6194001B9E361BF44B94F404532EE0D8779ADF3EE9D9C760

Function 00007FF8A7FE99F0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FF8A7FE9A27
PyErr_Format.PYTHON312 ref: 00007FF8A7FE9A59

Strings

[%llu], xrefs: 00007FF8A7FE9BB0
first arg must be a pointer ctype, xrefs: 00007FF8A7FE9A1D
array item of unknown size: '%s', xrefs: 00007FF8A7FE9A4F
, xrefs: 00007FF8A7FE9B95
array size would overflow a Py_ssize_t, xrefs: 00007FF8A7FE9BE8

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$FormatString
String ID: $[%llu]$array item of unknown size: '%s'$array size would overflow a Py_ssize_t$first arg must be a pointer ctype
API String ID: 4212644371-3798105388
Opcode ID: 0f7ff40b9492430f6444851611742362be4f60dd5914046253e5e3483d8bcc28
Instruction ID: 2ad92f44b52539645a64d388f68417dd2d67f5422ec958eede84e7e4283bd0ef
Opcode Fuzzy Hash: 0f7ff40b9492430f6444851611742362be4f60dd5914046253e5e3483d8bcc28
Instruction Fuzzy Hash: 9B517E3261AB82A6EB10CF39E88426D73A4FB48BD8F454135DA8D47B64EF7CE245D700

Function 00007FF8A7FF9720 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

PyTuple_New.PYTHON312 ref: 00007FF8A7FF9770
PyTuple_New.PYTHON312 ref: 00007FF8A7FF977C
PyImport_ImportModule.PYTHON312 ref: 00007FF8A7FF97B3
PyObject_GetAttrString.PYTHON312 ref: 00007FF8A7FF97CF
PyObject_GetAttrString.PYTHON312 ref: 00007FF8A7FF97F2
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF9811
PyType_IsSubtype.PYTHON312 ref: 00007FF8A7FF982F
PyErr_Format.PYTHON312 ref: 00007FF8A7FF9891
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF98AA
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF98CB

Strings

while loading %.200s: failed to import ffi, lib from %.200s, xrefs: 00007FF8A7FF9881
ffi, xrefs: 00007FF8A7FF97C5
lib, xrefs: 00007FF8A7FF97E8

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$AttrObject_StringTuple_$Err_FormatImportImport_ModuleSubtypeType_
String ID: ffi$lib$while loading %.200s: failed to import ffi, lib from %.200s
API String ID: 1456096276-3368324463
Opcode ID: 26fbf7435834fbb81c118951177d6ed4611873be6c422189694af47c10966b7c
Instruction ID: 9ac0fdd4bcc4333f21916c44b6f42eedad4522fe5e71331244aa16b0dc127eb5
Opcode Fuzzy Hash: 26fbf7435834fbb81c118951177d6ed4611873be6c422189694af47c10966b7c
Instruction Fuzzy Hash: A7510872A0AB02A5EB55CF62E85437863A0FF48BD5F488035CE5E82794EFBCE645D300

Function 00007FF8A7FE1690 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FE16C9
TlsGetValue.KERNEL32 ref: 00007FF8A7FE16F1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FE1704
PyErr_NoMemory.PYTHON312 ref: 00007FF8A7FE1712

Strings

(iO), xrefs: 00007FF8A7FE17CF
Windows Error 0x%X, xrefs: 00007FF8A7FE1772

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Arg_Err_Keywords_MemoryParseSizeTupleValuemalloc
String ID: (iO)$Windows Error 0x%X
API String ID: 4153797932-3802556843
Opcode ID: aa6f1365919562944e64679afd59fa5a4f403ab1571dade86c67187814c02b34
Instruction ID: 8c0562326a464a9edd1052ba65ab89902be6d395e75b4359ead8bc0104fd7fc1
Opcode Fuzzy Hash: aa6f1365919562944e64679afd59fa5a4f403ab1571dade86c67187814c02b34
Instruction Fuzzy Hash: FB415136A1AB5292EB108F36E81067D63E1FF84BD0F540231DA5D46BA4EF7CEA45DB00

Function 00007FF8A7FEC7A0 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 94COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEC800
PyDict_GetItem.PYTHON312 ref: 00007FF8A7FEC822
PyErr_SetObject.PYTHON312 ref: 00007FF8A7FEC83A
PyLong_AsSsize_t.PYTHON312 ref: 00007FF8A7FEC886
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEC894
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEC8F0

Strings

not supported for bitfields, xrefs: 00007FF8A7FEC859
with an integer argument, expected an array ctype or a pointer to non-opaque, xrefs: 00007FF8A7FEC8DF
struct/union is opaque, xrefs: 00007FF8A7FEC80F
array offset would overflow a Py_ssize_t, xrefs: 00007FF8A7FEC8D6
field name or array index expected, xrefs: 00007FF8A7FEC89F
with a field name argument, expected a struct or union ctype, xrefs: 00007FF8A7FEC7E1
0, xrefs: 00007FF8A7FEC8A8

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Occurred$Dict_ItemLong_ObjectSsize_tString
String ID: 0$array offset would overflow a Py_ssize_t$field name or array index expected$not supported for bitfields$struct/union is opaque$with a field name argument, expected a struct or union ctype$with an integer argument, expected an array ctype or a pointer to non-opaque
API String ID: 1199264806-2423494606
Opcode ID: 15764696cd55fac5522d1ec8942211e7eebdc4d2e047d10dc843e0d7c4ae04c7
Instruction ID: 278d44844693bd8d44e2ef774c1ffee8bd1bd95b9d1b279cfed8abf994f7a65f
Opcode Fuzzy Hash: 15764696cd55fac5522d1ec8942211e7eebdc4d2e047d10dc843e0d7c4ae04c7
Instruction Fuzzy Hash: D4413D63A1AB46A1EA548F36E94023C67A0FF48BC4F445131EE4D477A4EF7CE685E300

Function 00007FF8A7FE59F0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 125COMMON

Download Yara Rule

APIs

PyLong_AsLong.PYTHON312 ref: 00007FF8A7FE5AA3

Strings

read_raw_signed_data: bad integer size, xrefs: 00007FF8A7FE5A60
read_raw_float_data: bad float size, xrefs: 00007FF8A7FE5B46
int() not supported on cdata '%s', xrefs: 00007FF8A7FE5BC4
read_raw_float_data, xrefs: 00007FF8A7FE5B4D
read_raw_signed_data, xrefs: 00007FF8A7FE5A67

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: LongLong_
String ID: int() not supported on cdata '%s'$read_raw_float_data$read_raw_float_data: bad float size$read_raw_signed_data$read_raw_signed_data: bad integer size
API String ID: 1954241474-3524632987
Opcode ID: d62b5bc8ff23949be585d8430b8588d3943835305f9611146c7a104307dac948
Instruction ID: 6d502940e01d648366636758cd14ce31a34b5e3833f023ef89281828bbe8fee3
Opcode Fuzzy Hash: d62b5bc8ff23949be585d8430b8588d3943835305f9611146c7a104307dac948
Instruction Fuzzy Hash: 2E513136E0AA42E2EA548F39D89113C63A2FF89BD4F544031C64E477A5EF7DE685E700

Function 00007FF8A7FE7B70 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FE7BA1
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FE7BAE
PyObject_Init.PYTHON312 ref: 00007FF8A7FE7BC1
_PyObject_CallFunction_SizeT.PYTHON312 ref: 00007FF8A7FE7C0A
PyErr_Format.PYTHON312 ref: 00007FF8A7FE7C89
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE7C9D
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE7CD0
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE7CF8
memset.VCRUNTIME140 ref: 00007FF8A7FE7D0D

Strings

alloc() returned NULL, xrefs: 00007FF8A7FE7CC6
alloc() must return a cdata object (got %.200s), xrefs: 00007FF8A7FE7C60
alloc() must return a cdata pointer, not '%s', xrefs: 00007FF8A7FE7C78

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: DeallocErr_Object_$CallFormatFunction_InitSizeStringcallocmallocmemset
String ID: alloc() must return a cdata object (got %.200s)$alloc() must return a cdata pointer, not '%s'$alloc() returned NULL
API String ID: 4240332552-2229446564
Opcode ID: e8505e40d4f95405b2923bb402cdf3d18fb0de832882a66e2166830acccdea2c
Instruction ID: c34caf714145f3f0c3ff40a74c784d11afd0e478e5192e0d4f0c1f60de4f5bc5
Opcode Fuzzy Hash: e8505e40d4f95405b2923bb402cdf3d18fb0de832882a66e2166830acccdea2c
Instruction Fuzzy Hash: D1514262A0BB42A5EA148F79E84437C23A5FF44BD4F444431DA0D077A4EF7CE699E351

Function 00007FF8A7FF53C0 Relevance: 21.1, APIs: 14, Instructions: 107COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON312 ref: 00007FF8A7FF53C9
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF53E3
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF53FD
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF5417
PyMem_Free.PYTHON312 ref: 00007FF8A7FF5457
PyMem_Free.PYTHON312 ref: 00007FF8A7FF5465
PyMem_Free.PYTHON312 ref: 00007FF8A7FF5478
PyMem_Free.PYTHON312 ref: 00007FF8A7FF548B
PyMem_Free.PYTHON312 ref: 00007FF8A7FF549E
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF54C0
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF54DD
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF54FA
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF5517
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF5534

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$FreeMem_$Object_Track
String ID:
API String ID: 1636395627-0
Opcode ID: ce48e4e672e2c6818d4a73e97968dd169680a4fd601cbed6aaf2176881b5350f
Instruction ID: 78622ca7c454fdbfa01a6a6642c79e516c1ffb73a43e027c4db34f6fbb59fa8b
Opcode Fuzzy Hash: ce48e4e672e2c6818d4a73e97968dd169680a4fd601cbed6aaf2176881b5350f
Instruction Fuzzy Hash: 51513936A0BA12A5EF699F759A1433C23A0EF45FE9F184031CA4D43654CFBDE649E700

Function 00007FF8A7FE1D68 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

PyIndex_Check.PYTHON312 ref: 00007FF8A7FE1D93
PyNumber_AsSsize_t.PYTHON312 ref: 00007FF8A7FE1DAE
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE1DBD
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE1E0D
PySlice_Unpack.PYTHON312 ref: 00007FF8A7FE1E47
PySlice_AdjustIndices.PYTHON312 ref: 00007FF8A7FE1E68
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FF8A7FE1EA5

Strings

buffer indices must be integers, not %.200s, xrefs: 00007FF8A7FE1EE1
buffer doesn't support slicing with step != 1, xrefs: 00007FF8A7FE1EBD
buffer index out of range, xrefs: 00007FF8A7FE1E03

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Slice_String$AdjustBytes_CheckFromIndex_IndicesNumber_OccurredSizeSsize_tUnpack
String ID: buffer doesn't support slicing with step != 1$buffer index out of range$buffer indices must be integers, not %.200s
API String ID: 3001075121-863229255
Opcode ID: c3bbac0e351e823eb68676c4cd5ce7afb934f6ef43e78c458449ebea6c2e5c67
Instruction ID: 48a6ba7ee09dee98b0416ceaf7d7c5fbe78264b95d1bf3752d43c8aab6dfe22a
Opcode Fuzzy Hash: c3bbac0e351e823eb68676c4cd5ce7afb934f6ef43e78c458449ebea6c2e5c67
Instruction Fuzzy Hash: 0A417467B0AA92A2EF118F36E8501BD6770FF88BD4B444132DA4D43664EF6CE698D700

Function 00007FF8A7FEBD60 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FEBD94
PyCallable_Check.PYTHON312 ref: 00007FF8A7FEBDA9
PyCallable_Check.PYTHON312 ref: 00007FF8A7FEBDD0
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FF8A7FEBE1C
memset.VCRUNTIME140 ref: 00007FF8A7FEBE33
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBE6A
_Py_BuildValue_SizeT.PYTHON312 ref: 00007FF8A7FEBEA5
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEBEBC

Strings

expected a callable object, not %.200s, xrefs: 00007FF8A7FEBDB7
expected a callable object for 'onerror', not %.200s, xrefs: 00007FF8A7FEBDDE
expected a function ctype, got '%s', xrefs: 00007FF8A7FEBD83
OOOO, xrefs: 00007FF8A7FEBE9B

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Callable_CheckDeallocSize$BuildBytes_Err_FormatFromStringValue_memset
String ID: OOOO$expected a callable object for 'onerror', not %.200s$expected a callable object, not %.200s$expected a function ctype, got '%s'
API String ID: 2491357067-2441438866
Opcode ID: 4020317c1fca9fb9c650a107a7e6a97b17715a6bbdeb8766cf46be8e5f530d4b
Instruction ID: 373f4ad441e82db77977fb677902df3af99803eee53fbef98e158751f30cf0c3
Opcode Fuzzy Hash: 4020317c1fca9fb9c650a107a7e6a97b17715a6bbdeb8766cf46be8e5f530d4b
Instruction Fuzzy Hash: 45415B22A0AA56A2EA108F36E8405BD77A1FF49BD4F444031DE4D87764EF7CE649E701

Function 00007FF8A7FE5430 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 95COMMON

Download Yara Rule

APIs

PyUnicode_FromFormat.PYTHON312 ref: 00007FF8A7FE54F4
PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FE551B
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE5537
PyUnicode_FromFormat.PYTHON312 ref: 00007FF8A7FE5567
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE557E

Strings

<cdata '%s%s' %s>, xrefs: 00007FF8A7FE554B
sliced length %zd, xrefs: 00007FF8A7FE54ED
NULL, xrefs: 00007FF8A7FE5514
%LE, xrefs: 00007FF8A7FE548C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Unicode_$From$Format$DeallocString
String ID: %LE$<cdata '%s%s' %s>$NULL$sliced length %zd
API String ID: 1355997861-971221297
Opcode ID: 4ad9b0ebd051aa1761897eaea9f30dd362766fc5f2269501a42982830dc0511c
Instruction ID: 1d9615168356fdf4ffe4b9c2190bd832ff29ce4cfe28a73c7d5f48244682fefa
Opcode Fuzzy Hash: 4ad9b0ebd051aa1761897eaea9f30dd362766fc5f2269501a42982830dc0511c
Instruction Fuzzy Hash: 0C411C22A0FA42E1EA609F75EC5437D63A2FF94BD4F544032DA0E476A5EF6CE605E300

Function 00007FF8A7FE4E60 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON312 ref: 00007FF8A7FE4E69
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE4E8B
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE4EB6
PyObject_ClearWeakRefs.PYTHON312 ref: 00007FF8A7FE4EDC
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE4EF1
_Py_FatalErrorFunc.PYTHON312 ref: 00007FF8A7FE4F18
PyObject_GC_UnTrack.PYTHON312 ref: 00007FF8A7FE4F31
PyObject_ClearWeakRefs.PYTHON312 ref: 00007FF8A7FE4F41
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE4F56
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FE4F6C

Strings

cdata CDataOwningGC_Type with unexpected type flags, xrefs: 00007FF8A7FE4F0A
cdataowninggc_dealloc, xrefs: 00007FF8A7FE4F11

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: DeallocObject_$ClearRefsTrackWeak$Buffer_ErrorFatalFuncRelease
String ID: cdata CDataOwningGC_Type with unexpected type flags$cdataowninggc_dealloc
API String ID: 2255642161-3398618105
Opcode ID: 5edf71624d3ebf7757d260e393094d1c65f1b48ce567a2b0a6a8ba6cb1f6c516
Instruction ID: 7a1009653e7a3571d69f23f9f9741369902b85752ae19d136da3dbc17cd95e79
Opcode Fuzzy Hash: 5edf71624d3ebf7757d260e393094d1c65f1b48ce567a2b0a6a8ba6cb1f6c516
Instruction Fuzzy Hash: 9331173690AA42A6EB188F75E85423C33B0FB48FD8F141039DA1E476A4DF7CE695E300

Function 00007FF8A7FF4A05 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

PyTuple_New.PYTHON312 ref: 00007FF8A7FF4A8A
PyTuple_New.PYTHON312 ref: 00007FF8A7FF4AA3
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF4ACD
PyUnicode_FromStringAndSize.PYTHON312 ref: 00007FF8A7FF4B16
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FF4B83
_Py_BuildValue_SizeT.PYTHON312 ref: 00007FF8A7FF4BEE
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF4C08
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF4C1C
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF4C46

Strings

(sOOO), xrefs: 00007FF8A7FF4BD9
enum , xrefs: 00007FF8A7FF4BC1

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$SizeTuple_$BuildErr_FromOccurredStringUnicode_Value_
String ID: (sOOO)$enum
API String ID: 1987804237-1765524442
Opcode ID: 52308ee6e9dda6b75b2e50c26c5d93fda79e142a43ef7e3d04d888155ff1c8f1
Instruction ID: 59c0dbe402b99ad60268ac374649ae684c31b57691a71dce68aeb03c6e5c0381
Opcode Fuzzy Hash: 52308ee6e9dda6b75b2e50c26c5d93fda79e142a43ef7e3d04d888155ff1c8f1
Instruction Fuzzy Hash: 4871DD32A0AB8295EB518F35D8542BC37A0FF48BD4B488531DA5E47799DFBCE641D300

Function 00007FF8A7FE82B0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 184COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FE8377
PyType_IsSubtype.PYTHON312 ref: 00007FF8A7FE8407
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE8444
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE8466
PyObject_Malloc.PYTHON312 ref: 00007FF8A7FE8493
PyObject_Init.PYTHON312 ref: 00007FF8A7FE84A2
_Py_FatalErrorFunc.PYTHON312 ref: 00007FF8A7FE8522

Strings

unicode string of length %zd, xrefs: 00007FF8A7FE834C
cannot cast %s to ctype '%s', xrefs: 00007FF8A7FE836D
write_raw_integer_data: bad integer size, xrefs: 00007FF8A7FE8514
write_raw_integer_data, xrefs: 00007FF8A7FE851B

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Object_Occurred$ErrorFatalFormatFuncInitMallocSubtypeType_
String ID: cannot cast %s to ctype '%s'$unicode string of length %zd$write_raw_integer_data$write_raw_integer_data: bad integer size
API String ID: 2324297635-3775214127
Opcode ID: a9eff805046bd2350fc0d1e81b93a758ac4aea78bcc713fe649a5e6c2cdb988f
Instruction ID: 605a178b55ec34893e9db8195fcc086923f2f90131cfdcd022c218a3fe52728e
Opcode Fuzzy Hash: a9eff805046bd2350fc0d1e81b93a758ac4aea78bcc713fe649a5e6c2cdb988f
Instruction Fuzzy Hash: 67715C32B0F642AAEE60AF35A85027D62A1FF44BD4F182431DA5E47694EF7CE645E310

Function 00007FF8A7FEB2D0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 180COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FEB349
_PyObject_GC_NewVar.PYTHON312 ref: 00007FF8A7FEB39B
PyObject_GC_Track.PYTHON312 ref: 00007FF8A7FEB3C0
PyErr_ExceptionMatches.PYTHON312 ref: 00007FF8A7FEB434
PyErr_Clear.PYTHON312 ref: 00007FF8A7FEB442
PyTuple_New.PYTHON312 ref: 00007FF8A7FEB454
PyLong_FromLong.PYTHON312 ref: 00007FF8A7FEB46A
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEB555

Strings

result type '%s' is opaque, xrefs: 00007FF8A7FEB33B
invalid result type: '%s', xrefs: 00007FF8A7FEB32C
(*), xrefs: 00007FF8A7FEB373, 00007FF8A7FEB3DE

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Object_$ClearDeallocExceptionFormatFromLongLong_MatchesTrackTuple_
String ID: (*)$invalid result type: '%s'$result type '%s' is opaque
API String ID: 4166317216-2055205602
Opcode ID: 3f77c5492d3cf76c4490e1b725f4ed40f8ca7395ae54f42b26e052cd1ab5bb79
Instruction ID: a2f3ca53d06f84d1de383652e533fccc61fd7b0fafad558a3ee8b6b308558b26
Opcode Fuzzy Hash: 3f77c5492d3cf76c4490e1b725f4ed40f8ca7395ae54f42b26e052cd1ab5bb79
Instruction Fuzzy Hash: 7E818F7260AB42A6EB10CF35D8406AD33A4FF48BD8F544236DA5E47B98EF38E655D340

Function 00007FF8A7FE4330 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312(?,?,?,?,?,00007FF8A7FE3F62), ref: 00007FF8A7FE4365
PyErr_Format.PYTHON312(?,?,?,?,?,00007FF8A7FE3F62), ref: 00007FF8A7FE4389
PyDict_Next.PYTHON312(?,?,?,?,?,00007FF8A7FE3F62), ref: 00007FF8A7FE43D2
PyDict_GetItem.PYTHON312(?,?,?,?,?,00007FF8A7FE3F62), ref: 00007FF8A7FE43E9
PyDict_Next.PYTHON312(?,?,?,?,?,00007FF8A7FE3F62), ref: 00007FF8A7FE4421

Part of subcall function 00007FF8A7FF4F70: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FF5006
Part of subcall function 00007FF8A7FF4F70: _Py_FatalErrorFunc.PYTHON312 ref: 00007FF8A7FF5127
Part of subcall function 00007FF8A7FF4F70: PyList_New.PYTHON312 ref: 00007FF8A7FF5154

PyErr_SetObject.PYTHON312(?,?,?,?,?,00007FF8A7FE3F62), ref: 00007FF8A7FE4453
PyErr_Format.PYTHON312(?,?,?,?,?,00007FF8A7FE3F62), ref: 00007FF8A7FE44CC

Strings

too many initializers for '%s' (got %zd), xrefs: 00007FF8A7FE44C2
list or tuple or dict, xrefs: 00007FF8A7FE446A
'%s' is opaque, xrefs: 00007FF8A7FE437F
list or tuple or dict or struct-cdata, xrefs: 00007FF8A7FE4463

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Dict_$FormatNext$ErrorFatalFuncItemList_ObjectOccurredstrncmp
String ID: '%s' is opaque$list or tuple or dict$list or tuple or dict or struct-cdata$too many initializers for '%s' (got %zd)
API String ID: 3179473356-3352871426
Opcode ID: 5c3913ca492e5bdc01c8805f59d7d478c2bb42eb8da7ce2d44509c725c79c4bb
Instruction ID: bc264181e9e55a3b17ad3935b954f20afeb1dda5c9cde777d733ba67ed799a1e
Opcode Fuzzy Hash: 5c3913ca492e5bdc01c8805f59d7d478c2bb42eb8da7ce2d44509c725c79c4bb
Instruction Fuzzy Hash: 8F51356270EA42A5EA109F36E4441BD67A0FF88BD4F484136EE4D477A5EF7CE645E300

Function 00007FF8A7FE1970 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

PyObject_GetBuffer.PYTHON312 ref: 00007FF8A7FE19EA
PyBuffer_IsContiguous.PYTHON312 ref: 00007FF8A7FE1A04
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FE1A13
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE1A2A
PyErr_Format.PYTHON312 ref: 00007FF8A7FE1A64
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FE1AA8
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE1ABF
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FE1ADD

Strings

expected a pointer or array ctype, got '%s', xrefs: 00007FF8A7FE1A56
contiguous buffer expected, xrefs: 00007FF8A7FE1A20
right operand length must match slice length, xrefs: 00007FF8A7FE1AB5

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Buffer_$Err_Release$String$BufferContiguousFormatObject_
String ID: contiguous buffer expected$expected a pointer or array ctype, got '%s'$right operand length must match slice length
API String ID: 917851491-2344006768
Opcode ID: c2aae864342acb74752e73ec3745920d1ba676c7a557cbc33d049a253a943c13
Instruction ID: f602545b88dd91c9bb3bdc31952b17c47b95d434f8629f44fafed3f5bd736b8e
Opcode Fuzzy Hash: c2aae864342acb74752e73ec3745920d1ba676c7a557cbc33d049a253a943c13
Instruction Fuzzy Hash: 0A415366B0AA82E2EE20DF76E85017D2361FF48BD4F544132D95E476A4EF7CEA48D300

Function 00007FF8A7FE8C50 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FE8C7C
PyErr_Format.PYTHON312 ref: 00007FF8A7FE8CA2
PyErr_Format.PYTHON312 ref: 00007FF8A7FE8CD4
GetLastError.KERNEL32 ref: 00007FF8A7FE8CE2
GetProcAddress.KERNEL32 ref: 00007FF8A7FE8D0B
PyErr_Format.PYTHON312 ref: 00007FF8A7FE8D3A

Part of subcall function 00007FF8A7FE11A0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE11EB

Strings

function/symbol '%s' not found in library '%s': %s, xrefs: 00007FF8A7FE8D22
function or pointer or array cdata expected, got '%s', xrefs: 00007FF8A7FE8CC6
O!s:load_function, xrefs: 00007FF8A7FE8C75
library '%s' has already been closed, xrefs: 00007FF8A7FE8C94
error 0x%x, xrefs: 00007FF8A7FE8CEF

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Format$AddressArg_ErrorLastParseProcSizeTuple___stdio_common_vsprintf
String ID: O!s:load_function$error 0x%x$function or pointer or array cdata expected, got '%s'$function/symbol '%s' not found in library '%s': %s$library '%s' has already been closed
API String ID: 1100265670-2543733793
Opcode ID: e28848603302aa5decceb4ea9c13b646fcd72f38971cde9ccdfe0c718d57e90a
Instruction ID: af69f49f1d43a678c9a148a2cc6e0fcccf6b8931c73325ae2cdccb73a5715fc7
Opcode Fuzzy Hash: e28848603302aa5decceb4ea9c13b646fcd72f38971cde9ccdfe0c718d57e90a
Instruction Fuzzy Hash: 61314F66B0AA52A1EB109F75E8402BD63A0FF84BD4F441436C94D876A4EFBCD299E340

Function 00007FF8A7FF7330 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF7399
PyErr_Format.PYTHON312 ref: 00007FF8A7FF74BF
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF74DF
PyMem_Malloc.PYTHON312 ref: 00007FF8A7FF7544
PyErr_NoMemory.PYTHON312 ref: 00007FF8A7FF7552

Part of subcall function 00007FF8A7FE11A0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE11EB

PyCMethod_New.PYTHON312 ref: 00007FF8A7FF75EB
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF7603
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF7623

Strings

;CFFI C function from %s.lib, xrefs: 00007FF8A7FF75C8
the type '%s%s' is a function type, not a pointer-to-function type, xrefs: 00007FF8A7FF749E

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$Err_$FormatMallocMem_MemoryMethod_Unicode___stdio_common_vsprintf
String ID: ;CFFI C function from %s.lib$the type '%s%s' is a function type, not a pointer-to-function type
API String ID: 1374498512-75659475
Opcode ID: f3e92e9d171f3dfcd5e58b7d7cb9247855d542b73da3129a23e94598be2d22d9
Instruction ID: edf52bcd84c17fce08c079cca8d198807be78c2305891236a4845b6d0f8b38f2
Opcode Fuzzy Hash: f3e92e9d171f3dfcd5e58b7d7cb9247855d542b73da3129a23e94598be2d22d9
Instruction Fuzzy Hash: 20A19C32A0AB829AEB10CF35D8442AD77A4FB48BD8F454231EE5D03794EF79E295D310

Function 00007FF8A7FF6340 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FF6390

Part of subcall function 00007FF8A7FF5910: PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF5956
Part of subcall function 00007FF8A7FF5910: PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF596B

isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FF63D3
isspace.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FF6415
PyBytes_FromStringAndSize.PYTHON312 ref: 00007FF8A7FF6480
memcpy.VCRUNTIME140 ref: 00007FF8A7FF64A6
memcpy.VCRUNTIME140 ref: 00007FF8A7FF64C4
memcpy.VCRUNTIME140 ref: 00007FF8A7FF64F8
PyUnicode_DecodeLatin1.PYTHON312 ref: 00007FF8A7FF6511
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF652E

Strings

O|s:getctype, xrefs: 00007FF8A7FF6370

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: memcpy$SizeUnicode_isspace$Arg_Bytes_DeallocDecodeDict_FromItemKeywords_Latin1ParseStringTuple
String ID: O|s:getctype
API String ID: 1974405215-2338347666
Opcode ID: e8034133fbcbcf1d20d4f4350f2741869491fde5b39f9f5417f3e7601edd3249
Instruction ID: 8142f9254f5edea8a9791ed253bc19caad7671dee9d2adead862202b9a7276a2
Opcode Fuzzy Hash: e8034133fbcbcf1d20d4f4350f2741869491fde5b39f9f5417f3e7601edd3249
Instruction Fuzzy Hash: 5951F122A0E696A1EA609F35A8647BE6791FF44FC4F084139CE4E47784DFBCD645E300

Function 00007FF8A7FE6040 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 90COMMON

Download Yara Rule

APIs

PyNumber_AsSsize_t.PYTHON312 ref: 00007FF8A7FE605D
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE606C
PyErr_Format.PYTHON312 ref: 00007FF8A7FE618E

Strings

index too large for cdata '%s' (expected %zd < %zd), xrefs: 00007FF8A7FE6135
cannot dereference null pointer from cdata '%s', xrefs: 00007FF8A7FE60B5
negative index, xrefs: 00007FF8A7FE60F1
cdata '%s' can only be indexed by 0, xrefs: 00007FF8A7FE60D1
cdata of type '%s' cannot be indexed, xrefs: 00007FF8A7FE6180

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$FormatNumber_OccurredSsize_t
String ID: cannot dereference null pointer from cdata '%s'$cdata '%s' can only be indexed by 0$cdata of type '%s' cannot be indexed$index too large for cdata '%s' (expected %zd < %zd)$negative index
API String ID: 2356906851-315104295
Opcode ID: 1e7b630bd5c526ef6c7075673091452f5f8fbe11da2cefb666558952b158651c
Instruction ID: 16e86db691f494661bc3d38088211b6d6cedef25271a9d6677693886581ccf75
Opcode Fuzzy Hash: 1e7b630bd5c526ef6c7075673091452f5f8fbe11da2cefb666558952b158651c
Instruction Fuzzy Hash: F3411166B0BA56A1EE51CF39E85017C6361FF84BE8F480531CA1D877A5EF6CE694E300

Function 00007FF8A7FE8EA0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FE8EDA
PyErr_Format.PYTHON312 ref: 00007FF8A7FE8F00

Part of subcall function 00007FF8A7FE11A0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE11EB

GetLastError.KERNEL32 ref: 00007FF8A7FE8F13
GetProcAddress.KERNEL32 ref: 00007FF8A7FE8F3F
GetLastError.KERNEL32 ref: 00007FF8A7FE8F4A
PyErr_Format.PYTHON312 ref: 00007FF8A7FE8F89

Strings

variable '%s' not found in library '%s': %s, xrefs: 00007FF8A7FE8F71
O!sO:write_variable, xrefs: 00007FF8A7FE8ED0
library '%s' has already been closed, xrefs: 00007FF8A7FE8EF2
error 0x%x, xrefs: 00007FF8A7FE8F27, 00007FF8A7FE8F5B

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_ErrorFormatLast$AddressArg_ParseProcSizeTuple___stdio_common_vsprintf
String ID: O!sO:write_variable$error 0x%x$library '%s' has already been closed$variable '%s' not found in library '%s': %s
API String ID: 1423611193-1606821111
Opcode ID: d834ad5416b59c683c1ef897ad01fb44601a43a73b6a999b7fea32b09cc2a9e8
Instruction ID: c0127ead8851b0c0acd513bd99bac71739f5cc78e0cc9fe5a0b5386a89ac7b9d
Opcode Fuzzy Hash: d834ad5416b59c683c1ef897ad01fb44601a43a73b6a999b7fea32b09cc2a9e8
Instruction Fuzzy Hash: 83314D62B0AB42A2EB109F36E84017D2361FF88BD4F445136DA5D87754EF7CE258E740

Function 00007FF8A7FE9E70 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

_PyObject_New.PYTHON312 ref: 00007FF8A7FE9E99
PyUnicode_InternInPlace.PYTHON312 ref: 00007FF8A7FE9EE9
PyDict_Size.PYTHON312 ref: 00007FF8A7FE9EF2
PyDict_SetItem.PYTHON312 ref: 00007FF8A7FE9F06
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE9F1E
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE9F32
PyDict_Size.PYTHON312 ref: 00007FF8A7FE9F3F
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE9F53
PyErr_Format.PYTHON312 ref: 00007FF8A7FE9F6D

Strings

duplicate field name '%s', xrefs: 00007FF8A7FE9F60

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dict_$DeallocSizeUnicode_$Err_FormatInternItemObject_Place
String ID: duplicate field name '%s'
API String ID: 4240887453-3400721703
Opcode ID: 4abbc0d4fcf44b16489248f50e7b2221ef56aa351b393893ec3ce001d24608ae
Instruction ID: 23ad27e872ad16cee1fa9df1bd21b2d344e4fc9fc4c04eda77c1aa26a34ef8dd
Opcode Fuzzy Hash: 4abbc0d4fcf44b16489248f50e7b2221ef56aa351b393893ec3ce001d24608ae
Instruction Fuzzy Hash: F5311336A0AA92A6DB008F35E85417D73B0FB89BD5F180031DA4E83764EFBDE655E701

Function 00007FF8A7FE8D80 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FE8DAC
PyErr_Format.PYTHON312 ref: 00007FF8A7FE8DD2

Part of subcall function 00007FF8A7FE34F0: _PyObject_New.PYTHON312 ref: 00007FF8A7FE351D

GetLastError.KERNEL32 ref: 00007FF8A7FE8DEA
GetProcAddress.KERNEL32 ref: 00007FF8A7FE8E16
GetLastError.KERNEL32 ref: 00007FF8A7FE8E24
PyErr_Format.PYTHON312 ref: 00007FF8A7FE8E5F

Strings

variable '%s' not found in library '%s': %s, xrefs: 00007FF8A7FE8E47
library '%s' has already been closed, xrefs: 00007FF8A7FE8DC4
error 0x%x, xrefs: 00007FF8A7FE8DFE, 00007FF8A7FE8E31
O!s:read_variable, xrefs: 00007FF8A7FE8DA5

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_ErrorFormatLast$AddressArg_Object_ParseProcSizeTuple_
String ID: O!s:read_variable$error 0x%x$library '%s' has already been closed$variable '%s' not found in library '%s': %s
API String ID: 4169278214-767532634
Opcode ID: f1854dddd00d2dc07dbc5580063100e3c2a1b95eca19e54a93221191acd3c986
Instruction ID: b9cef8686cbd074957d22fb10a3d5db5a7043d6ba75ef3d92ccbf150813bb2c9
Opcode Fuzzy Hash: f1854dddd00d2dc07dbc5580063100e3c2a1b95eca19e54a93221191acd3c986
Instruction Fuzzy Hash: DA316D66B1AA52A1EB009F35E84017E63A0FF84BC4F441532DE4D87B68EF7CD259D740

Function 00007FF646AB80B0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF646AB80EF
GetWindowLongPtrW.USER32 ref: 00007FF646AB816F
ShutdownBlockReasonCreate.USER32 ref: 00007FF646AB8182
GetLastError.KERNEL32 ref: 00007FF646AB818C
SetWindowLongPtrW.USER32 ref: 00007FF646AB81A3

Strings

Needs to remove its temporary files., xrefs: 00007FF646AB8175

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction ID: 49fb1d1a2cd9831c95365f66379ace5cf215a7cfb8f841da46c25e108772c34f
Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
Instruction Fuzzy Hash: 30218B61A0DE4682E781BB7AB854169E261EF88F90F484231DF2EC3798DE2DD5C58231

Function 00007FF8A7FF8450 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF846D
PyErr_Format.PYTHON312 ref: 00007FF8A7FF8484
GetLastError.KERNEL32 ref: 00007FF8A7FF84A1
GetProcAddress.KERNEL32 ref: 00007FF8A7FF84CA
GetLastError.KERNEL32 ref: 00007FF8A7FF84D8
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF84FB
PyErr_Format.PYTHON312 ref: 00007FF8A7FF851A

Strings

library '%s' has been closed, xrefs: 00007FF8A7FF847A
symbol '%s' not found in library '%s': %s, xrefs: 00007FF8A7FF8508
error 0x%x, xrefs: 00007FF8A7FF84B5, 00007FF8A7FF84E9

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_ErrorFormatLastUnicode_$AddressProc
String ID: error 0x%x$library '%s' has been closed$symbol '%s' not found in library '%s': %s
API String ID: 3000000035-2382056100
Opcode ID: a6a57e7dff6c6103324552777f93e54becfae5a7bac4de5ab0b1a612f0a09a44
Instruction ID: ab247fbe4780e3f1a3f588c1f260ff02feffc0b992081659a443b732f750088a
Opcode Fuzzy Hash: a6a57e7dff6c6103324552777f93e54becfae5a7bac4de5ab0b1a612f0a09a44
Instruction Fuzzy Hash: 4E213925B0EA52A5EB109F26B84407D6360FF85BD4F481135DE0E47BA4EFBCE205E304

Function 00007FF8A7FF69E0 Relevance: 16.6, APIs: 11, Instructions: 128COMMON

Download Yara Rule

APIs

PyList_New.PYTHON312 ref: 00007FF8A7FF6A2F
PyList_New.PYTHON312 ref: 00007FF8A7FF6A48
PyList_New.PYTHON312 ref: 00007FF8A7FF6A61
PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FF6A8F
PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FF6ADE
PyList_Append.PYTHON312 ref: 00007FF8A7FF6AFC
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6B13
PyTuple_Pack.PYTHON312 ref: 00007FF8A7FF6B45
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6B85
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6BA5
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6BC4

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: DeallocList_$FromStringUnicode_$AppendPackTuple_
String ID:
API String ID: 1902583452-0
Opcode ID: 9280075ff307f06dbeda912c69eef76fb2f4c3556412a018c406dc5bcd8cee40
Instruction ID: 6a7f1300c745b888ab5610417c31b09e499ab908ffcbb66f5805ec5a75f7fcaa
Opcode Fuzzy Hash: 9280075ff307f06dbeda912c69eef76fb2f4c3556412a018c406dc5bcd8cee40
Instruction Fuzzy Hash: D0516836A0AB52A5EA149F35A86827D63A0FB88FD8F084039CF4D47755DFBCE645D700

Function 00007FF8A7FEBC60 Relevance: 16.6, APIs: 11, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FEBC81
GetLastError.KERNEL32 ref: 00007FF8A7FEBC89
TlsGetValue.KERNEL32 ref: 00007FF8A7FEBC97
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FEBCAA
TlsSetValue.KERNEL32 ref: 00007FF8A7FEBCC7
PyGILState_Release.PYTHON312 ref: 00007FF8A7FEBCEF
TlsGetValue.KERNEL32 ref: 00007FF8A7FEBCFB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FEBD0E
TlsSetValue.KERNEL32 ref: 00007FF8A7FEBD2B
SetLastError.KERNEL32 ref: 00007FF8A7FEBD34
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FEBD3A

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Value$ErrorLast_errnomalloc$ReleaseState_
String ID:
API String ID: 3175917953-0
Opcode ID: 38fb3d2d0f60556b14f0495fd9d4d32ec89c594f68a2ec04fa11d50a441e41c8
Instruction ID: c892aa6625358ad72aa5635e006c800edcc9ef8e523045ebc481f538d44a1d02
Opcode Fuzzy Hash: 38fb3d2d0f60556b14f0495fd9d4d32ec89c594f68a2ec04fa11d50a441e41c8
Instruction Fuzzy Hash: 57217832A0AB1296EB109F31E85462D63A1FF88BD4F084538DE4D073A5EF7CEA95D710

Function 00007FF8A7FE9570 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 186COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312(?,?,?,?,00000000,00000000,00007FF8A7FE729B), ref: 00007FF8A7FE95D1
_PyObject_GC_NewVar.PYTHON312(?,?,?,?,00000000,00000000,00007FF8A7FE729B), ref: 00007FF8A7FE9768
PyObject_GC_Track.PYTHON312(?,?,?,?,00000000,00000000,00007FF8A7FE729B), ref: 00007FF8A7FE97AA
memcpy.VCRUNTIME140(?,?,?,?,00000000,00000000,00007FF8A7FE729B), ref: 00007FF8A7FE97BA

Strings

long double, xrefs: 00007FF8A7FE96A0
primitive type '%s' has size %d; the supported sizes are 1, 2, 4, 8, xrefs: 00007FF8A7FE96E5
float, xrefs: 00007FF8A7FE9647
double, xrefs: 00007FF8A7FE9674

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Object_$Err_StringTrackmemcpy
String ID: double$float$long double$primitive type '%s' has size %d; the supported sizes are 1, 2, 4, 8
API String ID: 1250498430-2195461940
Opcode ID: b9b4bd686c0b7d980a607a1e1505f7a2736158eea20b8c1650ff5888c06c7e61
Instruction ID: 73a7ea74cb6dec8e38d662f9040a9026eb75720939449bab543bf0dc076c300f
Opcode Fuzzy Hash: b9b4bd686c0b7d980a607a1e1505f7a2736158eea20b8c1650ff5888c06c7e61
Instruction Fuzzy Hash: B081A062A1E782A1EB54CF35A85007C27A0FF45BD6F440036DA8E17A98EF7CE655E321

Function 00007FF8A7FE7D20 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FF8A7FE7E5C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FE7E9B
PyObject_Init.PYTHON312 ref: 00007FF8A7FE7EAE
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE7F55
PyErr_Format.PYTHON312 ref: 00007FF8A7FE7F77

Strings

expected a pointer or array ctype, got '%s', xrefs: 00007FF8A7FE7F66
cannot instantiate ctype '%s' of unknown size, xrefs: 00007FF8A7FE7D6B
array size would overflow a Py_ssize_t, xrefs: 00007FF8A7FE7E52

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$DeallocFormatInitObject_Stringmalloc
String ID: array size would overflow a Py_ssize_t$cannot instantiate ctype '%s' of unknown size$expected a pointer or array ctype, got '%s'
API String ID: 3721622924-1738891937
Opcode ID: 203bd65f97b3b91bf9145b79f1931da84dd3c818db7281400d4032b7af9e5268
Instruction ID: 988d7753b74cc84ad87514f5e7bd1a4210fb34f7d32f31ad287e661146832226
Opcode Fuzzy Hash: 203bd65f97b3b91bf9145b79f1931da84dd3c818db7281400d4032b7af9e5268
Instruction Fuzzy Hash: B3716F22A0B742A1EA149F36E4402BD23A0FB44BD8F540535DE5D477A4EF7CFA86E350

Function 00007FF8A7FE5340 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7FE34F0: _PyObject_New.PYTHON312 ref: 00007FF8A7FE351D

PyDict_GetItem.PYTHON312 ref: 00007FF8A7FE5384
PyObject_Str.PYTHON312 ref: 00007FF8A7FE5399
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE5411

Strings

%s: %s, xrefs: 00007FF8A7FE53C3

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Object_$DeallocDict_Item
String ID: %s: %s
API String ID: 22580554-3740598653
Opcode ID: 28746dd814fc3743f830dc76f4eb43fb0c73353e8198c2ca47858735e79e809f
Instruction ID: 31d13fcb1d4b79eeeca6d07a73f665f39a8bedace7b57a5453e3614b76546d0c
Opcode Fuzzy Hash: 28746dd814fc3743f830dc76f4eb43fb0c73353e8198c2ca47858735e79e809f
Instruction Fuzzy Hash: 5C213D32E0FA5292EA148F66A95417D63A2EF49FC5F280031CE4E07755EF6CE646E700

Function 00007FF8A7FF8F20 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57threadCOMMON

Download Yara Rule

APIs

PyThreadState_Get.PYTHON312 ref: 00007FF8A7FF8F26
PyInterpreterState_GetDict.PYTHON312 ref: 00007FF8A7FF8F39
PyUnicode_InternFromString.PYTHON312 ref: 00007FF8A7FF8F63
PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF8F7B
PyDict_New.PYTHON312 ref: 00007FF8A7FF8F89
PyDict_SetItem.PYTHON312 ref: 00007FF8A7FF8FA4
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF8FBA
PyErr_Clear.PYTHON312 ref: 00007FF8A7FF8FC4

Strings

__cffi_backend_extern_py, xrefs: 00007FF8A7FF8F5C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dict_$ItemState_$ClearDeallocDictErr_FromInternInterpreterStringThreadUnicode_
String ID: __cffi_backend_extern_py
API String ID: 2738494814-865530817
Opcode ID: 848e42f0217935a16e66fd4db591153a2f895bdfe1b74589055b6e1d468eb191
Instruction ID: 0cdfa10a79927304f5c77365f0de23865fa62ab51b17737a63dfff4be745234c
Opcode Fuzzy Hash: 848e42f0217935a16e66fd4db591153a2f895bdfe1b74589055b6e1d468eb191
Instruction Fuzzy Hash: 83110D26B1BB02A5EF458F75E85423D22E1EF68BD1F480434D91E467E4EF7CE684E210

Function 00007FF646AC1038 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC1078
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC1440
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC16DF

Strings

f, xrefs: 00007FF646AC117A
f, xrefs: 00007FF646AC12C5
f, xrefs: 00007FF646AC1110
p, xrefs: 00007FF646AC1182
p, xrefs: 00007FF646AC111D

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 28290d89d08414d8567abeafee8764f8486b2777e875aa6f8eefec77dc04a77b
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: F9127271F0C98385FB60BA15E15C679E2A1EB40758F984035D79B866C4DF7EECC09B24

Function 00007FF8A7FEADE0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 208COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF8A7FEAE2F
memcpy.VCRUNTIME140 ref: 00007FF8A7FEAEB1
memcpy.VCRUNTIME140 ref: 00007FF8A7FEAF82
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEAFD2
memcpy.VCRUNTIME140 ref: 00007FF8A7FEB07E

Strings

expected a tuple of ctypes, xrefs: 00007FF8A7FEAFC8
(, xrefs: 00007FF8A7FEAE3C
..., xrefs: 00007FF8A7FEAFF5

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: memcpy$Err_String
String ID: ($...$expected a tuple of ctypes
API String ID: 629984673-1295035442
Opcode ID: f1854efa52403ce88a6defa8e061232ed205aa23c369b6f954f753c50e4d75d0
Instruction ID: bd064afe84ef678cf4bbfea8ebf5511cf9cd169f6f5e7c21373be7d00a29d6f0
Opcode Fuzzy Hash: f1854efa52403ce88a6defa8e061232ed205aa23c369b6f954f753c50e4d75d0
Instruction Fuzzy Hash: 4681B472A0AB86A6EB258F25E54077E77A1EB15BD0F198132CB6D07390EF3CE5859300

Function 00007FF8A7FE8000 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

_PyLong_Sign.PYTHON312 ref: 00007FF8A7FE801C
PyType_IsSubtype.PYTHON312 ref: 00007FF8A7FE8041

Strings

integer/float expected, xrefs: 00007FF8A7FE81EB
integer/float conversion failed, xrefs: 00007FF8A7FE817C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Long_SignSubtypeType_
String ID: integer/float conversion failed$integer/float expected
API String ID: 3148124222-1774177493
Opcode ID: cbe909d874529a4ce723fa37f86186a71358f8b5156f028e2dfde0e227453eed
Instruction ID: 8e4952f095a9a2c35365bb07116161b24912be910836d648f4fb449dc699faa9
Opcode Fuzzy Hash: cbe909d874529a4ce723fa37f86186a71358f8b5156f028e2dfde0e227453eed
Instruction Fuzzy Hash: F451D462F0AA42A1EF559F35D44013C23A1FF85BE4F086136DA0E47794EE6CEAD1E300

Function 00007FF646AB1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF646AB10CC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF646AB11F6
malloc, xrefs: 00007FF646AB110F
fseek, xrefs: 00007FF646AB10D3
Failed to extract %s: failed to open archive file!, xrefs: 00007FF646AB1098
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF646AB1108
fread, xrefs: 00007FF646AB11FD

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: e30da66bd449e278f4e1a8a1da43a6fc232ee02027dbecaf9a0becaf305aee32
Instruction ID: 75acdbc43d5ab413e49369bbaf7646ea72df2cf47cc4fe4bc891f38b3f50b0f9
Opcode Fuzzy Hash: e30da66bd449e278f4e1a8a1da43a6fc232ee02027dbecaf9a0becaf305aee32
Instruction Fuzzy Hash: 1F41A061B0CE5686EA00FB12A8046B9E391FF54FC4F444432EE0D8779ADF3EE5858760

Function 00007FF8A7FF4C72 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7FF4480: PyErr_Format.PYTHON312(?,?,?,00007FF8A7FF51B4), ref: 00007FF8A7FF44CA
Part of subcall function 00007FF8A7FF4480: _Py_Dealloc.PYTHON312(?,?,?,00007FF8A7FF51B4), ref: 00007FF8A7FF44E7

PyErr_Format.PYTHON312 ref: 00007FF8A7FF4CF1
PyTuple_New.PYTHON312 ref: 00007FF8A7FF4D08
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF4D7E
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF4D91
PyTuple_Pack.PYTHON312 ref: 00007FF8A7FF4DA6
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF4DCA
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF4DDE

Strings

abi number %d not supported, xrefs: 00007FF8A7FF4CEA

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$Err_FormatTuple_$Pack
String ID: abi number %d not supported
API String ID: 3887392137-1298965716
Opcode ID: daea80570288f162babb6434e8d73fde46a3de03784f133d8ddc03d0cec998e8
Instruction ID: df374651f53836141adc1a1aecbd0f497e8a5b6a812469fd27262460728b269a
Opcode Fuzzy Hash: daea80570288f162babb6434e8d73fde46a3de03784f133d8ddc03d0cec998e8
Instruction Fuzzy Hash: A6417132A0A652A5EB558F31D8043BC77A1EF45BD4F448031CA0E57B95DFBCE681E300

Function 00007FF646AB8850 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF646AB3CBB), ref: 00007FF646AB88F4
GetCurrentProcessId.KERNEL32(?,00000000,00007FF646AB3CBB), ref: 00007FF646AB88FA
CreateDirectoryW.KERNEL32(?,00000000,00007FF646AB3CBB), ref: 00007FF646AB893C

Part of subcall function 00007FF646AB8A20: GetEnvironmentVariableW.KERNEL32(00007FF646AB388E), ref: 00007FF646AB8A57
Part of subcall function 00007FF646AB8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF646AB8A79

Part of subcall function 00007FF646AC82A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC82C1

Part of subcall function 00007FF646AB2810: MessageBoxW.USER32 ref: 00007FF646AB28EA

Strings

LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF646AB896E
TMP, xrefs: 00007FF646AB888C, 00007FF646AB8993
_MEI%d, xrefs: 00007FF646AB8902
TMP, xrefs: 00007FF646AB88B2
LOADER: failed to set the TMP environment variable., xrefs: 00007FF646AB88CC

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 6ea14b1c2d16789ddeaa0d8cc05df9935aa6d91fa7ad17376743f3d33dced37a
Instruction ID: 2546f8c976cc7f5e1d053ae623ef2df7c0b73ed9b1cb8fb79c5707d50c9421b4
Opcode Fuzzy Hash: 6ea14b1c2d16789ddeaa0d8cc05df9935aa6d91fa7ad17376743f3d33dced37a
Instruction Fuzzy Hash: E341C211A0DE4645FA20FB65A8552FA9391AF89FC4F400031EE0ED77DADE3EE585C361

Function 00007FF8A7FEDF30 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FEDF74
PyType_IsSubtype.PYTHON312 ref: 00007FF8A7FEDFBD
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEDFD8

Strings

O!O|n:gc, xrefs: 00007FF8A7FEDF54
Can remove destructor only on a object previously returned by ffi.gc(), xrefs: 00007FF8A7FEDFCE

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Arg_Err_Keywords_ParseSizeStringSubtypeTupleType_
String ID: Can remove destructor only on a object previously returned by ffi.gc()$O!O|n:gc
API String ID: 2258746257-2175166513
Opcode ID: e3a5cf178e5a69bcc67de852dd7062f429d1c813df3dff71a7469cb62966c711
Instruction ID: 31b5bd6cb45228035a086add1263bba915b8c14420e0788632f2e6bb5451db3d
Opcode Fuzzy Hash: e3a5cf178e5a69bcc67de852dd7062f429d1c813df3dff71a7469cb62966c711
Instruction Fuzzy Hash: 8841F736A0AB4292EB60CF25E84426D33A1FB48BD0F844136DB9D87B58EF7DE559D700

Function 00007FF8A7FE3B40 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 81COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FE3BAD
PyErr_Format.PYTHON312 ref: 00007FF8A7FE3C10
PyErr_Format.PYTHON312 ref: 00007FF8A7FE3C3F
PyErr_Format.PYTHON312 ref: 00007FF8A7FE3C66

Strings

initializer for ctype '%s' must be a %s, not %.200s, xrefs: 00007FF8A7FE3B9B
initializer for ctype '%s' must be a %s, not cdata '%s', xrefs: 00007FF8A7FE3BFE
initializer for ctype '%s' appears indeed to be '%s', but the types are different (check that you are not e.g. mixing up different ffi instances), xrefs: 00007FF8A7FE3C32
initializer for ctype '%s' is correct, but we get an internal mismatch--please report a bug, xrefs: 00007FF8A7FE3C5C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Format
String ID: initializer for ctype '%s' appears indeed to be '%s', but the types are different (check that you are not e.g. mixing up different ffi instances)$initializer for ctype '%s' is correct, but we get an internal mismatch--please report a bug$initializer for ctype '%s' must be a %s, not %.200s$initializer for ctype '%s' must be a %s, not cdata '%s'
API String ID: 376477240-1352286566
Opcode ID: f320ca696e307b7e8ba0fac4e3850166535296ae0181565a196ad7c80b2c7ab3
Instruction ID: c0b78bf467df46699e51d9d96e1d2e3b8c7352320154a9a4090ab651808bb0af
Opcode Fuzzy Hash: f320ca696e307b7e8ba0fac4e3850166535296ae0181565a196ad7c80b2c7ab3
Instruction Fuzzy Hash: E9315066A0AA46A1EE008F29E85007C3361FF88BD4F484531DE6D473E4EFBDDA58D304

Function 00007FF8A7FF42A0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 66COMMON

Download Yara Rule

Strings

prim=%d, xrefs: 00007FF8A7FF4374
primitive floating-point type is 'long double', not supported for now with the syntax 'typedef double... xxx;', xrefs: 00007FF8A7FF4357
primitive floating-point type with an unexpected size (or not a float type at all), xrefs: 00007FF8A7FF4331
primitive integer type with an unexpected size (or not an integer type at all), xrefs: 00007FF8A7FF430B

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Object_$Track
String ID: prim=%d$primitive floating-point type is 'long double', not supported for now with the syntax 'typedef double... xxx;'$primitive floating-point type with an unexpected size (or not a float type at all)$primitive integer type with an unexpected size (or not an integer type at all)
API String ID: 16854473-3944103904
Opcode ID: faa758031222a6cc76c542af6647647ffec1296893555f385ace537a3077dca6
Instruction ID: 7fefc64dad7421764016687d4c81f3c21c7c560befc3dd7d80b2da85960b4abb
Opcode Fuzzy Hash: faa758031222a6cc76c542af6647647ffec1296893555f385ace537a3077dca6
Instruction Fuzzy Hash: 2A217E22F1A902A1EF548F79F89007D23A0FF487E4F951135DA2E4B2A4EF6CD6A49304

Function 00007FF8A7FF5F90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FF5FF0
PyErr_SetString.PYTHON312 ref: 00007FF8A7FF6020
PyBool_FromLong.PYTHON312 ref: 00007FF8A7FF6035
PyTuple_Pack.PYTHON312 ref: 00007FF8A7FF6052
PyCMethod_New.PYTHON312 ref: 00007FF8A7FF6075
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF608C

Strings

|OOi:new_allocator, xrefs: 00007FF8A7FF5FB1
cannot pass 'free' without 'alloc', xrefs: 00007FF8A7FF6016

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Arg_Bool_DeallocErr_FromKeywords_LongMethod_PackParseSizeStringTupleTuple_
String ID: cannot pass 'free' without 'alloc'$|OOi:new_allocator
API String ID: 3165387783-375137214
Opcode ID: 8619190078572a5ff1f93501410df266657b6abe7660833b568527782c0aa0dd
Instruction ID: 0c51d418b12b3f2b9678687e0c288647a76fa14243f67a29f66fb4cab2c43e04
Opcode Fuzzy Hash: 8619190078572a5ff1f93501410df266657b6abe7660833b568527782c0aa0dd
Instruction Fuzzy Hash: ED216132A0EB4292EB108F21F85026973B0FB49BC4F544035DA8D47B64DFBDD194D700

Function 00007FF8A7FE5750 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 60COMMON

Download Yara Rule

APIs

PyObject_Repr.PYTHON312 ref: 00007FF8A7FE5770
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE5790
PyUnicode_FromFormat.PYTHON312 ref: 00007FF8A7FE57AF
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE57C6

Strings

calling, xrefs: 00007FF8A7FE57FB
<cdata '%s' %s %s>, xrefs: 00007FF8A7FE57A5
handle to, xrefs: 00007FF8A7FE579A
<cdata '%s' owning %zd bytes>, xrefs: 00007FF8A7FE5818

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Unicode_$DeallocFormatFromObject_Repr
String ID: <cdata '%s' %s %s>$<cdata '%s' owning %zd bytes>$calling$handle to
API String ID: 3526755465-2632218437
Opcode ID: 597212b7671f7fb5f942f3f9ed8acfd309a1245cc953ec0d53327de69b19cd3c
Instruction ID: f768c871636bfe28027aacf97fb0beec6a8e1c28109fdd1e01d211f61d5b1820
Opcode Fuzzy Hash: 597212b7671f7fb5f942f3f9ed8acfd309a1245cc953ec0d53327de69b19cd3c
Instruction Fuzzy Hash: A8215E72A1BB46E2EA118F6AE95007C2361FF49BD4F441031CA0E07765EE7CD391E704

Function 00007FF8A7FF85B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FF85D5
PyDict_Clear.PYTHON312 ref: 00007FF8A7FF8604
FreeLibrary.KERNEL32 ref: 00007FF8A7FF8616
GetLastError.KERNEL32 ref: 00007FF8A7FF8620
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF8646
PyErr_Format.PYTHON312 ref: 00007FF8A7FF8660

Part of subcall function 00007FF8A7FE11A0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE11EB

Strings

closing library '%s': %s, xrefs: 00007FF8A7FF8653
error 0x%x, xrefs: 00007FF8A7FF8637

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Arg_ClearDict_Err_ErrorFormatFreeLastLibraryParseSizeTuple_Unicode___stdio_common_vsprintf
String ID: closing library '%s': %s$error 0x%x
API String ID: 3709125606-4000567706
Opcode ID: 11cee66fe837d19775e87c6625fade0d4b2f2581af4f54aab030b7b6574c378d
Instruction ID: d292a4cff23a93e6804632839d02d891b986e008bfb245fcbebc37b3fafdd869
Opcode Fuzzy Hash: 11cee66fe837d19775e87c6625fade0d4b2f2581af4f54aab030b7b6574c378d
Instruction Fuzzy Hash: 83213C22B1AA92A2EB448F26E88006D3770FF88FC0F545032DA4D93764DF7CEA45E704

Function 00007FF8A7FEEAA0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEEAC7
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEEAD2
PyObject_Str.PYTHON312 ref: 00007FF8A7FEEAE0
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FEEAF1
PyErr_Format.PYTHON312 ref: 00007FF8A7FEEB12
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEEB26

Strings

integer %s does not fit '%s', xrefs: 00007FF8A7FEEB08
32-bit int, xrefs: 00007FF8A7FEEAFE

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Occurred$DeallocFormatObject_Unicode_
String ID: 32-bit int$integer %s does not fit '%s'
API String ID: 4129581467-810487915
Opcode ID: 36b12394ac6193a4cc45a9ad7eeba973ec5097458df3955d7616972b085294d3
Instruction ID: fd7f48ae2ef1b3b76ee6e6cdf2e6e467ae15018e0f6a9f73ba0fbfebafbe091e
Opcode Fuzzy Hash: 36b12394ac6193a4cc45a9ad7eeba973ec5097458df3955d7616972b085294d3
Instruction Fuzzy Hash: E8110022F0B602A1FE545F79F84427C2291EF88BE4F085235E95E46399EF7CE644D700

Function 00007FF8A7FEE940 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEE965
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEE970
PyObject_Str.PYTHON312 ref: 00007FF8A7FEE97E
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FEE98F
PyErr_Format.PYTHON312 ref: 00007FF8A7FEE9B0
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEE9C4

Strings

integer %s does not fit '%s', xrefs: 00007FF8A7FEE9A6
8-bit int, xrefs: 00007FF8A7FEE99C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Occurred$DeallocFormatObject_Unicode_
String ID: 8-bit int$integer %s does not fit '%s'
API String ID: 4129581467-3624244522
Opcode ID: dc085fcf2b57c0e09125b0cb8cb07fc8f99a36aa64b17531676cd353cc19aeac
Instruction ID: a75c70fa39b4d1692f458a3d8fea8cc784d6077f0c6032e29ce780c0c1fd125c
Opcode Fuzzy Hash: dc085fcf2b57c0e09125b0cb8cb07fc8f99a36aa64b17531676cd353cc19aeac
Instruction Fuzzy Hash: A7113C22E0AA02A1FA945F75F85437C22E0EF48BD4F484035D94E4A799EFBCE684E301

Function 00007FF8A7FEE9F0 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEEA15
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEEA20
PyObject_Str.PYTHON312 ref: 00007FF8A7FEEA2E
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FEEA3F
PyErr_Format.PYTHON312 ref: 00007FF8A7FEEA60
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEEA74

Strings

integer %s does not fit '%s', xrefs: 00007FF8A7FEEA56
16-bit int, xrefs: 00007FF8A7FEEA4C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Occurred$DeallocFormatObject_Unicode_
String ID: 16-bit int$integer %s does not fit '%s'
API String ID: 4129581467-4142791282
Opcode ID: 2caa50001df5dfa3399e96b5a1aa8e995700632d9b155835259a430637cd0d84
Instruction ID: e840dbbcbd4cfb119f1d318458f8333815fedcd321a13c873e2ed945de6c44b6
Opcode Fuzzy Hash: 2caa50001df5dfa3399e96b5a1aa8e995700632d9b155835259a430637cd0d84
Instruction Fuzzy Hash: 60111C22A0BA02A1FA549F75F84437C22A0FF44FD4F484039E90D46798EF6CE654D700

Function 00007FF8A7FEEB60 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7FE31F0: _PyLong_Sign.PYTHON312 ref: 00007FF8A7FE3218
Part of subcall function 00007FF8A7FE31F0: PyErr_SetString.PYTHON312 ref: 00007FF8A7FE330C

PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEEB82
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEEB8D
PyObject_Str.PYTHON312 ref: 00007FF8A7FEEB9B
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FEEBAC
PyErr_Format.PYTHON312 ref: 00007FF8A7FEEBCD
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEEBE1

Strings

8-bit unsigned int, xrefs: 00007FF8A7FEEBB9
integer %s does not fit '%s', xrefs: 00007FF8A7FEEBC3

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Occurred$DeallocFormatLong_Object_SignStringUnicode_
String ID: 8-bit unsigned int$integer %s does not fit '%s'
API String ID: 198760793-3731599500
Opcode ID: 9e703b4bbcd8911ee5849571e574c289719175e73c9bfc9667675a2bdae30fd8
Instruction ID: 18974b477a243ef4f5328213c0ba7972c2e0048cc57e42c83bfa06d41d424eba
Opcode Fuzzy Hash: 9e703b4bbcd8911ee5849571e574c289719175e73c9bfc9667675a2bdae30fd8
Instruction Fuzzy Hash: CD111E22E1B752A1FA545F79F84437C22A0EF48BE4F084134E95E467A9EF7CE684E300

Function 00007FF8A7FEEC10 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7FE31F0: _PyLong_Sign.PYTHON312 ref: 00007FF8A7FE3218
Part of subcall function 00007FF8A7FE31F0: PyErr_SetString.PYTHON312 ref: 00007FF8A7FE330C

PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEEC32
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEEC3D
PyObject_Str.PYTHON312 ref: 00007FF8A7FEEC4B
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FEEC5C
PyErr_Format.PYTHON312 ref: 00007FF8A7FEEC7D
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FEEC91

Strings

integer %s does not fit '%s', xrefs: 00007FF8A7FEEC73
16-bit unsigned int, xrefs: 00007FF8A7FEEC69

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Occurred$DeallocFormatLong_Object_SignStringUnicode_
String ID: 16-bit unsigned int$integer %s does not fit '%s'
API String ID: 198760793-331574723
Opcode ID: 0fe9db819802c4d93fcf6734ddb347999dbb8c1e8b80f5ec2e2c1211c6d880aa
Instruction ID: b0818b0c573e5fc6516c51698182376135720bd73c6bf7557f20aca3062d375b
Opcode Fuzzy Hash: 0fe9db819802c4d93fcf6734ddb347999dbb8c1e8b80f5ec2e2c1211c6d880aa
Instruction Fuzzy Hash: 7F110C22B0BA42A1FA555F79F84427C27A0EF48BD4F184134D91E467A9EE7CE6C4E300

Function 00007FF8A7FE1BD0 Relevance: 13.6, APIs: 9, Instructions: 95COMMON

Download Yara Rule

APIs

PyObject_IsInstance.PYTHON312 ref: 00007FF8A7FE1BF2
PyObject_IsInstance.PYTHON312 ref: 00007FF8A7FE1C06
PyObject_GetBuffer.PYTHON312 ref: 00007FF8A7FE1C26
PyErr_Clear.PYTHON312 ref: 00007FF8A7FE1C30
PyObject_GetBuffer.PYTHON312 ref: 00007FF8A7FE1C48
PyErr_Clear.PYTHON312 ref: 00007FF8A7FE1C52
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FE1C5D
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FE1D33
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FE1D3E

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Object_$Buffer_Release$BufferClearErr_Instance
String ID:
API String ID: 3750329280-0
Opcode ID: 521cdb7d3d03546320b66de061579e722a750754d8dfef82b8805fce3310aff6
Instruction ID: b9114f0c4ffff3e53a9a36f93a33c46d12527e9f7467a0812404772968d358d4
Opcode Fuzzy Hash: 521cdb7d3d03546320b66de061579e722a750754d8dfef82b8805fce3310aff6
Instruction Fuzzy Hash: B6417622B0EA53A2EB609F3AE8402BD63A1FF44BC4F544431D94D83664EF6CE645E740

Function 00007FF8A7FE9460 Relevance: 13.6, APIs: 9, Instructions: 76COMMON

Download Yara Rule

APIs

PyBytes_FromStringAndSize.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE9486
memcpy.VCRUNTIME140(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE94A2
PyDict_GetItem.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE94B1
_Py_Dealloc.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE94CD
_Py_Dealloc.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE94EA
PyDict_SetItem.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE9502
_Py_Dealloc.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE951A
_Py_Dealloc.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE952E
PyObject_GC_UnTrack.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE9552

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$Dict_Item$Bytes_FromObject_SizeStringTrackmemcpy
String ID:
API String ID: 1819324212-0
Opcode ID: 10dd33285bf39167ec24cafbda5630ec4e52906e5030b9548a34149d46781ed2
Instruction ID: 9c183d13e5034b968563a145cbeb4ed4c5aa4f4be9fe9c5888573102da0b06fc
Opcode Fuzzy Hash: 10dd33285bf39167ec24cafbda5630ec4e52906e5030b9548a34149d46781ed2
Instruction Fuzzy Hash: 06313872A0AB52A1EB148F31E94423D63E0EB48BD6F089031CA0E46799EF7CE651E711

Function 00007FF8A7FF6880 Relevance: 13.6, APIs: 9, Instructions: 55COMMON

Download Yara Rule

APIs

PyLong_AsLong.PYTHON312 ref: 00007FF8A7FF6889
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FF6896
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FF68AA
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FF68B2
TlsGetValue.KERNEL32 ref: 00007FF8A7FF68C0
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FF68D3
TlsSetValue.KERNEL32 ref: 00007FF8A7FF68F0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FF68F9
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF693C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: _errno$Value$DeallocErr_LongLong_Occurredmalloc
String ID:
API String ID: 1551808740-0
Opcode ID: 68f3a9b78e3be72a959a71ca5eae25652b8b683c127bea553681060075fa99aa
Instruction ID: d5ba8f3037bd64369ef4ce2b50cf921eff94fffc9ac37ce205ddf823959c0629
Opcode Fuzzy Hash: 68f3a9b78e3be72a959a71ca5eae25652b8b683c127bea553681060075fa99aa
Instruction Fuzzy Hash: 67211F36E0B61296EB554F74AC6423C33A0FF48BA5F145138CA5D46390EFBCA695E710

Function 00007FF8A7FE5C70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

cannot use <cdata '%s'> in a comparison, xrefs: 00007FF8A7FE5E60

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID:
String ID: cannot use <cdata '%s'> in a comparison
API String ID: 0-3474358591
Opcode ID: c5e331fd3171f7dac3e799057ca81497e548b3efce0c31a355493e8c05cadf0e
Instruction ID: a40c66879b0782745c00aecbdb469a70ebc036eea2ca01d1418b4736c35001fd
Opcode Fuzzy Hash: c5e331fd3171f7dac3e799057ca81497e548b3efce0c31a355493e8c05cadf0e
Instruction Fuzzy Hash: 4D614136A0AA46E2EA648F35EC5417D73A2FB44BD4F480432CA4D47794EF7CE686D701

Function 00007FF646ACED80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF646ACF11A,?,?,-00000018,00007FF646ACADC3,?,?,?,00007FF646ACACBA,?,?,?,00007FF646AC5FAE), ref: 00007FF646ACEEFC
GetProcAddress.KERNEL32(?,?,?,00007FF646ACF11A,?,?,-00000018,00007FF646ACADC3,?,?,?,00007FF646ACACBA,?,?,?,00007FF646AC5FAE), ref: 00007FF646ACEF08

Strings

api-ms-, xrefs: 00007FF646ACEE46
ext-ms-, xrefs: 00007FF646ACEE59

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction ID: 14ecf939b8a505e272a2ee51ba5cea1676fcc5a38141318f937c7cfc00b2c5a6
Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
Instruction Fuzzy Hash: 4141F261B1DE1291FB16FB16A804675A3D1BF49BD0F884539ED1EC7784EE3EE8858320

Function 00007FF8A7FE67E0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

PyNumber_AsSsize_t.PYTHON312 ref: 00007FF8A7FE6882
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE6891
_PyObject_New.PYTHON312 ref: 00007FF8A7FE68EC
PyErr_Format.PYTHON312 ref: 00007FF8A7FE6944
PyErr_Format.PYTHON312 ref: 00007FF8A7FE6963

Strings

ctype '%s' points to items of unknown size, xrefs: 00007FF8A7FE6936
cannot add a cdata '%s' and a number, xrefs: 00007FF8A7FE6955

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Format$Number_Object_OccurredSsize_t
String ID: cannot add a cdata '%s' and a number$ctype '%s' points to items of unknown size
API String ID: 3506362094-755949881
Opcode ID: c2efb5d05a2d3b88d1a7755e517a8200a62e1477812044be39661a1839469e58
Instruction ID: e528fc5f1e61396e4f476a5c6bf3719b0e07e805b7140eefcaf86e3a1794897f
Opcode Fuzzy Hash: c2efb5d05a2d3b88d1a7755e517a8200a62e1477812044be39661a1839469e58
Instruction Fuzzy Hash: 08413E32A0BA46E1EA54CF25E86017C23A1FF48BD4F584532DA4D577A4EF7CEA55E300

Function 00007FF8A7FE2BF0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

PyList_New.PYTHON312 ref: 00007FF8A7FE2C38
PyTuple_Pack.PYTHON312 ref: 00007FF8A7FE2C69
PyList_Append.PYTHON312 ref: 00007FF8A7FE2C7D
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2C93

Part of subcall function 00007FF8A7FF4F70: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FF5006
Part of subcall function 00007FF8A7FF4F70: _Py_FatalErrorFunc.PYTHON312 ref: 00007FF8A7FF5127
Part of subcall function 00007FF8A7FF4F70: PyList_New.PYTHON312 ref: 00007FF8A7FF5154

_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2CD2
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE2D0B

Strings

fields, xrefs: 00007FF8A7FE2D01

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: List_$Dealloc$AppendErr_ErrorFatalFuncPackStringTuple_strncmp
String ID: fields
API String ID: 1806387768-2128995208
Opcode ID: 1de2d5332e17e85d5dc8c83ce253931b447faedcb9ff6807fb712ce2a2eb0ce5
Instruction ID: 4b286503748192f7c34b64d9c0e0f537435617a0db184484700f3dfe5a38be0d
Opcode Fuzzy Hash: 1de2d5332e17e85d5dc8c83ce253931b447faedcb9ff6807fb712ce2a2eb0ce5
Instruction Fuzzy Hash: 9A313032A0AA5291EB258F39E84423D63A0EF48BE4F440435CE4D477A4FF7CE685E704

Function 00007FF8A7FE3C80 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

negative array length, xrefs: 00007FF8A7FE3D6A
expected new array length or list/tuple/str, not %.200s, xrefs: 00007FF8A7FE3D36

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID:
String ID: expected new array length or list/tuple/str, not %.200s$negative array length
API String ID: 0-630084864
Opcode ID: 892606e70f02ff47bb33e3f4324523b3daf652738aee88c1b788a2eeff9f6216
Instruction ID: b7f10a1f9d5ac883515696365dd74c85f1b3af1aa6e7ee484984db6a0170268d
Opcode Fuzzy Hash: 892606e70f02ff47bb33e3f4324523b3daf652738aee88c1b788a2eeff9f6216
Instruction Fuzzy Hash: 7C315C62B1AA0591EB548F2AF48017C2360FF88FE4B085231DE2D477A5EE6CE594D700

Function 00007FF8A7FE31F0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_PyLong_Sign.PYTHON312 ref: 00007FF8A7FE3218
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE32E2
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE330C

Strings

can't convert negative number to unsigned, xrefs: 00007FF8A7FE3229
an integer is required, xrefs: 00007FF8A7FE3302
integer conversion failed, xrefs: 00007FF8A7FE32BD

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: DeallocErr_Long_SignString
String ID: an integer is required$can't convert negative number to unsigned$integer conversion failed
API String ID: 2527065810-2728004092
Opcode ID: 50a59338c99dfe6c9e4e28f1ce5a28eddca145c5707da92acfc7a868a9e21f7d
Instruction ID: 7ae479e3f619ddceb9ebef3f1adbcacd66c46c362b3eeacfc53a063faa32b9ff
Opcode Fuzzy Hash: 50a59338c99dfe6c9e4e28f1ce5a28eddca145c5707da92acfc7a868a9e21f7d
Instruction Fuzzy Hash: 69317522B0AA52A1EA548F36E54427D6360FF48BE0F1C4131DEAD477D4EF6CE655E300

Function 00007FF8A7FF7891 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7FF4480: PyErr_Format.PYTHON312(?,?,?,00007FF8A7FF51B4), ref: 00007FF8A7FF44CA
Part of subcall function 00007FF8A7FF4480: _Py_Dealloc.PYTHON312(?,?,?,00007FF8A7FF51B4), ref: 00007FF8A7FF44E7

PyErr_Format.PYTHON312 ref: 00007FF8A7FF78CE
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF7A8C
PyDict_SetItem.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF7AA3
_Py_Dealloc.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF7AB9

Strings

constant '%s' is of type '%s', whose size is not known, xrefs: 00007FF8A7FF78C7

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$Err_Format$Dict_Item
String ID: constant '%s' is of type '%s', whose size is not known
API String ID: 3830123900-580431848
Opcode ID: 6fc4e4bc58be4fb527064c909f452ad2242212ac3f3d94e60b08bfb62660448c
Instruction ID: c595ea8d7786621ad7f76836e4688fd114e6a7300b4f86955f1b69ced9f31fae
Opcode Fuzzy Hash: 6fc4e4bc58be4fb527064c909f452ad2242212ac3f3d94e60b08bfb62660448c
Instruction Fuzzy Hash: BA314C22A0FA46A1EE519F35984027DA3A1EF44FD4F494435CE0E473A4EEBDEB45A320

Function 00007FF8A7FE6D50 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

PyDict_GetItem.PYTHON312 ref: 00007FF8A7FE6DBB
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE6E03

Part of subcall function 00007FF8A7FE4A70: PyLong_AsLongLong.PYTHON312 ref: 00007FF8A7FE4A9C
Part of subcall function 00007FF8A7FE4A70: PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE4AAB

PyObject_GenericSetAttr.PYTHON312 ref: 00007FF8A7FE6E20

Strings

cdata '%s' has no field '%s', xrefs: 00007FF8A7FE6E10
cdata '%s' points to an opaque type: cannot write fields, xrefs: 00007FF8A7FE6DAB
cdata '%s' has no attribute '%s', xrefs: 00007FF8A7FE6D6E
cannot delete struct field, xrefs: 00007FF8A7FE6DF9

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Long$AttrDict_GenericItemLong_Object_OccurredString
String ID: cannot delete struct field$cdata '%s' has no attribute '%s'$cdata '%s' has no field '%s'$cdata '%s' points to an opaque type: cannot write fields
API String ID: 3507916589-3282381042
Opcode ID: 9b29c16fa045ca136bcacd05488022c57aab267b6520d96aa7ddc49fd6ce27a7
Instruction ID: 6fd0fb2ff1f3922b0b7f824898c337a67e2937bf4f0ace52dc0d63ca93d18550
Opcode Fuzzy Hash: 9b29c16fa045ca136bcacd05488022c57aab267b6520d96aa7ddc49fd6ce27a7
Instruction Fuzzy Hash: D6318A21A0AB46A1EA248F36D86027C2760FB44FD8F480232DE4D477D9EF7CE652E305

Function 00007FF8A7FF43A0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FF4422

Part of subcall function 00007FF8A7FE11A0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE11EB

PyLong_FromLongLong.PYTHON312 ref: 00007FF8A7FF443A
PyLong_FromLong.PYTHON312 ref: 00007FF8A7FF4454
PyLong_FromUnsignedLongLong.PYTHON312 ref: 00007FF8A7FF445C

Strings

the C compiler says '%.200s' is equal to %s, but the cdef disagrees, xrefs: 00007FF8A7FF441B
%llu (0x%llx), xrefs: 00007FF8A7FF43F2
%lld, xrefs: 00007FF8A7FF4400

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Long$FromLong_$Err_FormatUnsigned__stdio_common_vsprintf
String ID: %lld$%llu (0x%llx)$the C compiler says '%.200s' is equal to %s, but the cdef disagrees
API String ID: 2237024420-3737824454
Opcode ID: 0ab413eaa7f16fe4a3d2974242eaa0135d84b9118cc3b85c767991a37cbc0278
Instruction ID: 3bbe0533e6d22514bc246002cb5d599cded18278f4def61748b10cfd2049dd41
Opcode Fuzzy Hash: 0ab413eaa7f16fe4a3d2974242eaa0135d84b9118cc3b85c767991a37cbc0278
Instruction Fuzzy Hash: 5F215E2290E942A5EE20AF30E45037D6370FF84BC5F544132DA9E566E4DF6CE645E704

Function 00007FF8A7FE26E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

PyRun_StringFlags.PYTHON312 ref: 00007FF8A7FE2716
PyUnicode_AsWideCharString.PYTHON312 ref: 00007FF8A7FE2729
CreateThread.KERNEL32 ref: 00007FF8A7FE2752
CloseHandle.KERNEL32 ref: 00007FF8A7FE2760
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2773
PyErr_Clear.PYTHON312 ref: 00007FF8A7FE2782

Strings

done(), xrefs: 00007FF8A7FE270F

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: String$CharClearCloseCreateDeallocErr_FlagsHandleRun_ThreadUnicode_Wide
String ID: done()
API String ID: 168230354-3016733518
Opcode ID: dc2926677b4cad4f42074df862bef11821c116c181b1e3c06f314a515a354f73
Instruction ID: 803c615a935cf803886d04134f5e48931db97dc4da9699acacce02c3fa2d2419
Opcode Fuzzy Hash: dc2926677b4cad4f42074df862bef11821c116c181b1e3c06f314a515a354f73
Instruction Fuzzy Hash: 45111936A1BB42A1EB148F71B91417D67A0FF84BC1F480535D98E42A64FF7CE249E604

Function 00007FF8A7FFA650 Relevance: 12.2, APIs: 8, Instructions: 227COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF8A7FFA678
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF8A7FFA6CA
_RTC_Initialize.LIBCMT ref: 00007FF8A7FFA6F8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF8A7FFA71E
__scrt_release_startup_lock.LIBCMT ref: 00007FF8A7FFA749

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 1a88d5e129af8f8e9a06888864d203883e398308e02297e2ddab19384919b000
Instruction ID: 0d17171654f074756c36f10aa6b8f861a738ef0d99eac10df479d912d533c944
Opcode Fuzzy Hash: 1a88d5e129af8f8e9a06888864d203883e398308e02297e2ddab19384919b000
Instruction Fuzzy Hash: 0A819122E1A243A5FA64AF75984127F22A0EF46BC0F558037DA4D47396DFBCEA45E700

Function 00007FF8A7FE2F00 Relevance: 12.1, APIs: 8, Instructions: 66COMMON

Download Yara Rule

APIs

PyList_New.PYTHON312 ref: 00007FF8A7FE2F17
PyObject_GetAttrString.PYTHON312 ref: 00007FF8A7FE2F43
PyErr_Clear.PYTHON312 ref: 00007FF8A7FE2F51
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2F64
PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FE2F6D
PyList_Append.PYTHON312 ref: 00007FF8A7FE2F81
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2F97
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2FC1

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$List_String$AppendAttrClearErr_FromObject_Unicode_
String ID:
API String ID: 2809749462-0
Opcode ID: 5f7001363ee2e3e1e24e9347cfe3456a083445a969597ef583d071dd1216ae2a
Instruction ID: 540ad50e87e457cb8f6fc3b5a85a5df569b4d8019afc02bf0a407fb739a30a69
Opcode Fuzzy Hash: 5f7001363ee2e3e1e24e9347cfe3456a083445a969597ef583d071dd1216ae2a
Instruction Fuzzy Hash: F4212A32F0EA52A6EA195F75A90423D62A0FF48BD5F088434DA1D46794FFBCE645E308

Function 00007FF8A7FED750 Relevance: 12.0, APIs: 8, Instructions: 47COMMON

Download Yara Rule

APIs

PyLong_AsLong.PYTHON312 ref: 00007FF8A7FED759
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FED766
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FED77E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FED786
TlsGetValue.KERNEL32 ref: 00007FF8A7FED794
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FED7A7
TlsSetValue.KERNEL32 ref: 00007FF8A7FED7C4
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FED7CD

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: _errno$Value$Err_LongLong_Occurredmalloc
String ID:
API String ID: 262410431-0
Opcode ID: 143ad8097e68d886845f92d8a0cab5f2b489c72b8dff9bee63b1868e0b542dec
Instruction ID: 149081f8b94b6ee05a5b89b0d056446e10951f195be6b9fb2387410d50c02b1e
Opcode Fuzzy Hash: 143ad8097e68d886845f92d8a0cab5f2b489c72b8dff9bee63b1868e0b542dec
Instruction Fuzzy Hash: 2D112876A1BB1296EB154F34E89423C33A0FF88B95F085534CA5D477A0EF7CAA94E710

Function 00007FF8A7FF2778 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 132COMMON

Download Yara Rule

Strings

__stdcal, xrefs: 00007FF8A7FF27A4
internal error, please report!, xrefs: 00007FF8A7FF28A6
unsigned, xrefs: 00007FF8A7FF3456
undefined type name, xrefs: 00007FF8A7FF28EF
__stdcal, xrefs: 00007FF8A7FF2900
__stdcal, xrefs: 00007FF8A7FF27E0

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: strncmp
String ID: __stdcal$__stdcal$__stdcal$internal error, please report!$undefined type name$unsigned
API String ID: 1114863663-2565106455
Opcode ID: a60b716f1b9cc4aa5d75289d4cc4827581d064da47f4e050f02a43019d6b9f62
Instruction ID: 03bf0a75c261ee2d4a020fcbba41d23599ea297c5cdda4ccc14492445fe10d7c
Opcode Fuzzy Hash: a60b716f1b9cc4aa5d75289d4cc4827581d064da47f4e050f02a43019d6b9f62
Instruction Fuzzy Hash: 1E51C172A0AA4696EB249F2AD4442BC37A1FB44FE4F540232DE6D873D5DF78E241E344

Function 00007FF8A7FE5890 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

read_raw_complex_data: bad complex size, xrefs: 00007FF8A7FE59C1
read_raw_unsigned_data, xrefs: 00007FF8A7FE590B
read_raw_complex_data, xrefs: 00007FF8A7FE59C8
read_raw_unsigned_data: bad integer size, xrefs: 00007FF8A7FE5904

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID:
String ID: read_raw_complex_data$read_raw_complex_data: bad complex size$read_raw_unsigned_data$read_raw_unsigned_data: bad integer size
API String ID: 0-1204700216
Opcode ID: ad663ebdf663ba745235886c23d750f202d7ae20290f1215730e6ea7fda71956
Instruction ID: a8fa6c23ca3e0d6c146c8be0b20262b0d431cab4c36e5b6b20aaf62f296ed0b9
Opcode Fuzzy Hash: ad663ebdf663ba745235886c23d750f202d7ae20290f1215730e6ea7fda71956
Instruction Fuzzy Hash: E141B662E1A606E6EA459F398CA107C2392FF557E0F644631D64EE3190FF1CEAD6E700

Function 00007FF646ABDD38 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF646ABDFEA,?,?,?,00007FF646ABDCDC,?,?,?,00007FF646ABD8D9), ref: 00007FF646ABDDBD
GetLastError.KERNEL32(?,?,?,00007FF646ABDFEA,?,?,?,00007FF646ABDCDC,?,?,?,00007FF646ABD8D9), ref: 00007FF646ABDDCB
LoadLibraryExW.KERNEL32(?,?,?,00007FF646ABDFEA,?,?,?,00007FF646ABDCDC,?,?,?,00007FF646ABD8D9), ref: 00007FF646ABDDF5
FreeLibrary.KERNEL32(?,?,?,00007FF646ABDFEA,?,?,?,00007FF646ABDCDC,?,?,?,00007FF646ABD8D9), ref: 00007FF646ABDE63
GetProcAddress.KERNEL32(?,?,?,00007FF646ABDFEA,?,?,?,00007FF646ABDCDC,?,?,?,00007FF646ABD8D9), ref: 00007FF646ABDE6F

Strings

api-ms-, xrefs: 00007FF646ABDDDD

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction ID: ba447dd26a55f1580cd122c3252bf3c7c0b2209d998c564449d5e35bd34a7759
Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
Instruction Fuzzy Hash: 6C317E21B1EE4A91EE52BB02A800579E394FF59FA0F594536EE1D87380EF3DE4848624

Function 00007FF8A7FECA40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FECA8A
memcpy.VCRUNTIME140 ref: 00007FF8A7FECB02
memcpy.VCRUNTIME140 ref: 00007FF8A7FECB1C
memcpy.VCRUNTIME140 ref: 00007FF8A7FECB3A
PyUnicode_FromStringAndSize.PYTHON312 ref: 00007FF8A7FECB45

Strings

O!s:getcname, xrefs: 00007FF8A7FECA83

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: memcpy$Size$Arg_FromParseStringTuple_Unicode_
String ID: O!s:getcname
API String ID: 714380276-3937919902
Opcode ID: 2e85fb79fad885fd9e833b6e31f0d80e5dc855ab3c0854f2ce48e6f0148d5109
Instruction ID: cb8dcd8d0c58d1d5cb16d18e90a3b0725f5c964bac00b348155fbe9d7d17105e
Opcode Fuzzy Hash: 2e85fb79fad885fd9e833b6e31f0d80e5dc855ab3c0854f2ce48e6f0148d5109
Instruction Fuzzy Hash: 45316962605A86EADB10CF75D8501ED3760FB45BE8B444722EA2D0BBD9DF38D256D340

Function 00007FF8A7FF6750 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FF67B7

Part of subcall function 00007FF8A7FF5910: PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF5956
Part of subcall function 00007FF8A7FF5910: PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF596B

_Py_BuildValue_SizeT.PYTHON312 ref: 00007FF8A7FF6807
PyCMethod_New.PYTHON312 ref: 00007FF8A7FF6844
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF685B

Part of subcall function 00007FF8A7FEBED0: _PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FEBF1C
Part of subcall function 00007FF8A7FEBED0: GetSystemInfo.KERNEL32 ref: 00007FF8A7FEBF91
Part of subcall function 00007FF8A7FEBED0: VirtualAlloc.KERNEL32 ref: 00007FF8A7FEC009
Part of subcall function 00007FF8A7FEBED0: _Py_Dealloc.PYTHON312 ref: 00007FF8A7FEC060
Part of subcall function 00007FF8A7FEBED0: PyErr_SetString.PYTHON312 ref: 00007FF8A7FEC077

Strings

O|OOO, xrefs: 00007FF8A7FF6774
(OOOO), xrefs: 00007FF8A7FF67EE

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Size$Arg_DeallocParse$AllocBuildDict_Err_InfoItemKeywords_Method_StringSystemTupleTuple_Unicode_Value_Virtual
String ID: (OOOO)$O|OOO
API String ID: 164275408-1768548383
Opcode ID: 007a6adfdea7edddd031857b16fb3ef72d70f6da05746cc2e868e7309ea663a9
Instruction ID: 9ade335c3ec712491e0bd2ea6c668e34ce03cf40932a26fa68e48d10b65e0352
Opcode Fuzzy Hash: 007a6adfdea7edddd031857b16fb3ef72d70f6da05746cc2e868e7309ea663a9
Instruction Fuzzy Hash: DB314132A0AB46D1DB608F25F85026AB3A4FF88BD0F540039DA8D47B58DF7DD254DB00

Function 00007FF646AB8760 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF646AB8780
OpenProcessToken.ADVAPI32 ref: 00007FF646AB8793
GetTokenInformation.ADVAPI32 ref: 00007FF646AB87B8
GetLastError.KERNEL32 ref: 00007FF646AB87C2
GetTokenInformation.ADVAPI32 ref: 00007FF646AB8802
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF646AB881E
CloseHandle.KERNEL32 ref: 00007FF646AB8836

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1e3bf3a8b1345e2c0c0bdd6ff4e06add0bb9355989cc78c5a669156b3459c754
Instruction ID: e922f539595c6da0abe4fc4c8d9879105661e91a21a22ea4e74c9b48d0e8e5d1
Opcode Fuzzy Hash: 1e3bf3a8b1345e2c0c0bdd6ff4e06add0bb9355989cc78c5a669156b3459c754
Instruction Fuzzy Hash: F1215121A0CE4642EB50BB99F45422AE3A1FF85BE0F100235EA6D83AE4DE6ED4848750

Function 00007FF8A7FF7EE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF7F01
PyErr_SetString.PYTHON312 ref: 00007FF8A7FF7F3F

Part of subcall function 00007FF8A7FF7660: PyUnicode_AsUTF8.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF7689
Part of subcall function 00007FF8A7FF7660: PyErr_SetString.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF76FE

PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF7F85
PyErr_Format.PYTHON312 ref: 00007FF8A7FF7FA8

Part of subcall function 00007FF8A7FF70C0: PyEval_SaveThread.PYTHON312(?,?,00000000,00007FF8A7FF8342), ref: 00007FF8A7FF70DF
Part of subcall function 00007FF8A7FF70C0: TlsGetValue.KERNEL32(?,?,00000000,00007FF8A7FF8342), ref: 00007FF8A7FF70EE
Part of subcall function 00007FF8A7FF70C0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FF8A7FF8342), ref: 00007FF8A7FF7101
Part of subcall function 00007FF8A7FF70C0: TlsSetValue.KERNEL32(?,?,00000000,00007FF8A7FF8342), ref: 00007FF8A7FF711E
Part of subcall function 00007FF8A7FF70C0: SetLastError.KERNEL32(?,?,00000000,00007FF8A7FF8342), ref: 00007FF8A7FF7127
Part of subcall function 00007FF8A7FF70C0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF8A7FF8342), ref: 00007FF8A7FF712D
Part of subcall function 00007FF8A7FF70C0: PyEval_RestoreThread.PYTHON312(?,?,00000000,00007FF8A7FF8342), ref: 00007FF8A7FF7149
Part of subcall function 00007FF8A7FF70C0: PyUnicode_AsUTF8.PYTHON312(?,?,00000000,00007FF8A7FF8342), ref: 00007FF8A7FF715D
Part of subcall function 00007FF8A7FF70C0: PyErr_Format.PYTHON312(?,?,00000000,00007FF8A7FF8342), ref: 00007FF8A7FF7174

Strings

C attribute cannot be deleted, xrefs: 00007FF8A7FF7F35
cannot write to function or constant '%.200s', xrefs: 00007FF8A7FF7F9B

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Unicode_$Eval_FormatStringThreadValue$Dict_ErrorItemLastRestoreSave_errnomalloc
String ID: C attribute cannot be deleted$cannot write to function or constant '%.200s'
API String ID: 3181857070-1071161328
Opcode ID: fad06088634bfd1fbfbf3eb47ddf1e8c66b0f447a4e8b21ec7c8bc15754f5b28
Instruction ID: 24c898f6a2df4a13d1f45983b3fdcae0ba5a6c16af05bd4520fc3469d9b1e677
Opcode Fuzzy Hash: fad06088634bfd1fbfbf3eb47ddf1e8c66b0f447a4e8b21ec7c8bc15754f5b28
Instruction Fuzzy Hash: 9A216021A0AB42A1EF549F26E84017DA360EF48FC0F984035EE1E07BE4DF6DE645E350

Function 00007FF8A7FE7A00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FF8A7FE7A2F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FE7A62
PyObject_Init.PYTHON312 ref: 00007FF8A7FE7A75
memcpy.VCRUNTIME140 ref: 00007FF8A7FE7AA8

Strings

return type is a struct/union with a varsize array member, xrefs: 00007FF8A7FE7A50
return type is an opaque structure or union, xrefs: 00007FF8A7FE7A1E

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_InitObject_Stringmallocmemcpy
String ID: return type is a struct/union with a varsize array member$return type is an opaque structure or union
API String ID: 673089332-262380981
Opcode ID: bfd66b53dfe05172c11c1f0ecb5d33bca5e1d540f5dc4c788623ec16cdb41bee
Instruction ID: f4ee779f4b7d3b430357807142677b8deb9c37e208856fac6083fd72a48c30d9
Opcode Fuzzy Hash: bfd66b53dfe05172c11c1f0ecb5d33bca5e1d540f5dc4c788623ec16cdb41bee
Instruction Fuzzy Hash: A8216D32A0AB51A2EB54DF26E44426D73A1FB48FD0F480035DA4D47B64EF7CE6A4E710

Function 00007FF8A7FF6640 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FF669D
_Py_BuildValue_SizeT.PYTHON312 ref: 00007FF8A7FF66C8
PyCMethod_New.PYTHON312 ref: 00007FF8A7FF66EB
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF6702

Strings

|OOO, xrefs: 00007FF8A7FF6661
(OOOO), xrefs: 00007FF8A7FF66AF

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Size$Arg_BuildDeallocKeywords_Method_ParseTupleValue_
String ID: (OOOO)$|OOO
API String ID: 1859027967-2767428988
Opcode ID: c1c22f69095526a158d93733b1236ca31807cbeb396342611cd2cff1a23f6d7c
Instruction ID: 009cebbfe5c0a61036a204aeeac01ab0d345424a507c389aa633b1797ee0b94b
Opcode Fuzzy Hash: c1c22f69095526a158d93733b1236ca31807cbeb396342611cd2cff1a23f6d7c
Instruction Fuzzy Hash: 41213E36A1AB8691DB108F21F8506AAB3E4FB49BD0F540036DE8C43B68EF7CD154DB00

Function 00007FF8A7FE2920 Relevance: 10.6, APIs: 7, Instructions: 50COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON312 ref: 00007FF8A7FE2929
PyObject_ClearWeakRefs.PYTHON312 ref: 00007FF8A7FE2939
PyDict_DelItem.PYTHON312 ref: 00007FF8A7FE295B
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE297C
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE2996
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE29B0
PyObject_Free.PYTHON312 ref: 00007FF8A7FE29C3

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: DeallocObject_$ClearDict_FreeItemRefsTrackWeak
String ID:
API String ID: 2303943592-0
Opcode ID: 5281ba59460151379513deaece5fbc7f97450a4c9895c88d5ea50fc7f3853007
Instruction ID: 6fc5527df77725d479051c2dd3aa30925c514c4a6447b6e17f1466e6ab2f34c8
Opcode Fuzzy Hash: 5281ba59460151379513deaece5fbc7f97450a4c9895c88d5ea50fc7f3853007
Instruction Fuzzy Hash: 0721953290AE12A1EB599F75D85837C33A0FB48F99F086031CA0D462A4EF7DA685E305

Function 00007FF646AD7DDC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF646AD7E0D
GetLastError.KERNEL32 ref: 00007FF646AD7E19
CloseHandle.KERNEL32 ref: 00007FF646AD7E31
CreateFileW.KERNEL32 ref: 00007FF646AD7E5C
WriteConsoleW.KERNEL32 ref: 00007FF646AD7E7B

Strings

CONOUT$, xrefs: 00007FF646AD7E3D

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction ID: 873558190367a4d2a237d141310b78e621a26cc4aadf2a4411ebacf0bb35fd4f
Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
Instruction Fuzzy Hash: 62116021B1CE4286E750BB52E854369A6A1FB88FE4F044234EE5DC77A4DF7ED8848750

Function 00007FF8A7FE7720 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

PyComplex_FromCComplex.PYTHON312 ref: 00007FF8A7FE777E
_Py_FatalErrorFunc.PYTHON312 ref: 00007FF8A7FE7797
PyErr_Format.PYTHON312 ref: 00007FF8A7FE77B3

Strings

read_raw_complex_data: bad complex size, xrefs: 00007FF8A7FE7789
complex() not supported on cdata '%s', xrefs: 00007FF8A7FE77A5
read_raw_complex_data, xrefs: 00007FF8A7FE7790

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: ComplexComplex_Err_ErrorFatalFormatFromFunc
String ID: complex() not supported on cdata '%s'$read_raw_complex_data$read_raw_complex_data: bad complex size
API String ID: 1922044008-1323234755
Opcode ID: b628bd0cfb1c42fad71d6a92584b4695d23458dcf6edd97101d687094bb75b49
Instruction ID: 4583ffe001ed3ed3eadb5def99fce965881e36d997b26a47f175cce228a86130
Opcode Fuzzy Hash: b628bd0cfb1c42fad71d6a92584b4695d23458dcf6edd97101d687094bb75b49
Instruction Fuzzy Hash: 71119132D0968697EB10CF38D45106D6360FF957C8F604232D64C96564EF6CE65ADB00

Function 00007FF8A7FE9950 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FE9977
PyNumber_AsSsize_t.PYTHON312 ref: 00007FF8A7FE99B2
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE99BD
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE99D9

Part of subcall function 00007FF8A7FE99F0: PyErr_SetString.PYTHON312 ref: 00007FF8A7FE9A27

Strings

negative array length, xrefs: 00007FF8A7FE99CF
O!O:new_array_type, xrefs: 00007FF8A7FE9970

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$String$Arg_Number_OccurredParseSizeSsize_tTuple_
String ID: O!O:new_array_type$negative array length
API String ID: 3893677698-1806197627
Opcode ID: 667bbbe7a2185914b3b4b824aba0e42bf06a34faae8301afd8c22bcf33a742a6
Instruction ID: 2a8e9047e14dbaffc7b1bdcad831eb634943caa8ef96265cc72978644f92748a
Opcode Fuzzy Hash: 667bbbe7a2185914b3b4b824aba0e42bf06a34faae8301afd8c22bcf33a742a6
Instruction Fuzzy Hash: 3D012D66B0EA42A0EE00DF75E85007D6361FF84BE4B844232D95D477A4EFBCE648E310

Function 00007FF8A7FE37F0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE3800
PyObject_Str.PYTHON312 ref: 00007FF8A7FE380E
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE381F
PyErr_Format.PYTHON312 ref: 00007FF8A7FE383C
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE3850

Strings

integer %s does not fit '%s', xrefs: 00007FF8A7FE382C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$DeallocFormatObject_OccurredUnicode_
String ID: integer %s does not fit '%s'
API String ID: 1393314426-3740469958
Opcode ID: 9dda8ed7cafac19a58ef1854290d42d6d9f235014fdb1a7dfd31a9aafc488a0d
Instruction ID: 4d892a69aaacd4d0ade9f8dd3a2babe72db7cc25c9bd0481a685636820536017
Opcode Fuzzy Hash: 9dda8ed7cafac19a58ef1854290d42d6d9f235014fdb1a7dfd31a9aafc488a0d
Instruction Fuzzy Hash: 7AF0C922E0AB12A2EA449F76E95817C22A4FF49FE4F085034DE1E477A4EE7CE644D300

Function 00007FF646AB8560 Relevance: 9.1, APIs: 6, Instructions: 127COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF646AB9216), ref: 00007FF646AB8592
K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF646AB9216), ref: 00007FF646AB85E9

Part of subcall function 00007FF646AB9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF646AB45E4,00000000,00007FF646AB1985), ref: 00007FF646AB9439

K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF646AB9216), ref: 00007FF646AB8678
K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF646AB9216), ref: 00007FF646AB86E4
FreeLibrary.KERNEL32(?,?,00000000,00007FF646AB9216), ref: 00007FF646AB86F5
FreeLibrary.KERNEL32(?,?,00000000,00007FF646AB9216), ref: 00007FF646AB870A

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: b2770b171440e78660be4c91fda42c27049aa369c6710ced6bdf6821ec2ad01d
Instruction ID: ad8de16c187df3f2852ea0ae3ac4c055481e7318f227933dd2571555c14f3504
Opcode Fuzzy Hash: b2770b171440e78660be4c91fda42c27049aa369c6710ced6bdf6821ec2ad01d
Instruction Fuzzy Hash: 2141B462B1DA8A81EB30BB15A5406AAA394FF84FC8F440135DF8DD7B89DE3DD581C721

Function 00007FF646AB90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF646AB8760: GetCurrentProcess.KERNEL32 ref: 00007FF646AB8780
Part of subcall function 00007FF646AB8760: OpenProcessToken.ADVAPI32 ref: 00007FF646AB8793
Part of subcall function 00007FF646AB8760: GetTokenInformation.ADVAPI32 ref: 00007FF646AB87B8
Part of subcall function 00007FF646AB8760: GetLastError.KERNEL32 ref: 00007FF646AB87C2
Part of subcall function 00007FF646AB8760: GetTokenInformation.ADVAPI32 ref: 00007FF646AB8802
Part of subcall function 00007FF646AB8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF646AB881E
Part of subcall function 00007FF646AB8760: CloseHandle.KERNEL32 ref: 00007FF646AB8836

LocalFree.KERNEL32(?,00007FF646AB3C55), ref: 00007FF646AB916C
LocalFree.KERNEL32(?,00007FF646AB3C55), ref: 00007FF646AB9175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF646AB9183
S-1-3-4, xrefs: 00007FF646AB9121
D:(A;;FA;;;%s), xrefs: 00007FF646AB9157
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF646AB9142

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction ID: 702e8323489f964ad7221e3df6f26ae13b47c2394ded001998fd0ca9d72cdbbc
Opcode Fuzzy Hash: 3eb7115bd34229e0b110e4578eeeb93c66e7230f7a251aed45e8d0dbb8b27e08
Instruction Fuzzy Hash: 88216D21A0CF4681F750BB10E8152EAA265FF89B80F444036EA4E93796DF3ED885C760

Function 00007FF8A7FF8080 Relevance: 9.1, APIs: 6, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FF80A6
PyDict_New.PYTHON312 ref: 00007FF8A7FF80B4
PyType_GenericAlloc.PYTHON312 ref: 00007FF8A7FF80CB
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF80E6
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF80FA
FreeLibrary.KERNEL32 ref: 00007FF8A7FF810D

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$AllocDict_FreeFromGenericLibraryStringType_Unicode_
String ID:
API String ID: 3239884862-0
Opcode ID: be2aba3d24c1ada56db06f01110a32629b58641e6e655dadaad03aa7c6967eec
Instruction ID: 77b88a85025482ec38ea1d7abd9ba644567e73a1a830e58c19c63c972975cfb3
Opcode Fuzzy Hash: be2aba3d24c1ada56db06f01110a32629b58641e6e655dadaad03aa7c6967eec
Instruction Fuzzy Hash: 73214A32B0AB42A5EB648F25E84027D73E8FB48BD4F184134DA8D42764DFBCE652D300

Function 00007FF8A7FED6E0 Relevance: 9.0, APIs: 6, Instructions: 28COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF8A7FED6EC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FED6FF
TlsSetValue.KERNEL32 ref: 00007FF8A7FED71C
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FED722
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FED72D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FED735

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: _errno$Value$malloc
String ID:
API String ID: 2897262332-0
Opcode ID: 7c89d1e7b46bceea5cab29fc1de263db9d067b15880768255f3937c3ff3dfe8d
Instruction ID: 9e7fd37ff34fa77eeb4d4da0fcb42131a43fcae2b6281cb0054e351df8c187f2
Opcode Fuzzy Hash: 7c89d1e7b46bceea5cab29fc1de263db9d067b15880768255f3937c3ff3dfe8d
Instruction Fuzzy Hash: A7F03C76A0BA1696EB154F30E85423C23A1FF88B89F055134CA4D063A0EF7CA998D610

Function 00007FF8A7FF56A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FF5718

Strings

recursion overflow in ffi.include() delegations, xrefs: 00007FF8A7FF5769
function, global variable or non-integer constant '%.200s' must be fetched from its original 'lib' object, xrefs: 00007FF8A7FF570E

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Format
String ID: function, global variable or non-integer constant '%.200s' must be fetched from its original 'lib' object$recursion overflow in ffi.include() delegations
API String ID: 376477240-3674543662
Opcode ID: b8ff02f170859be29615f4bcde8e3fdc89724505101976f2779168ed6f99660e
Instruction ID: b7cf777865f994f457db161e4ff94cff2109330ce86f2b96a499ec28ecdb1a11
Opcode Fuzzy Hash: b8ff02f170859be29615f4bcde8e3fdc89724505101976f2779168ed6f99660e
Instruction Fuzzy Hash: 6931CF27B1AA56D6EA118F32F54027E63A0FB84BE0F480531CE5E47795DFBCE642A300

Function 00007FF646AB2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF646AB1B6A), ref: 00007FF646AB295E

Strings

Error, xrefs: 00007FF646AB2A0E
[PYI-%d:ERROR] , xrefs: 00007FF646AB2966
Error [ANSI Fallback], xrefs: 00007FF646AB29FF
%s: %s, xrefs: 00007FF646AB29E8

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction ID: d37e2d4d2308dea67e29211079533e7d7725b0c4c17ce40f7ef0c1dc1b714c33
Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
Instruction Fuzzy Hash: 0B31C762B1CA8552E760B761A8406F6A695BF88BD4F400132FE8DC3759DF3DD586C610

Function 00007FF8A7FF792B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7FF4480: PyErr_Format.PYTHON312(?,?,?,00007FF8A7FF51B4), ref: 00007FF8A7FF44CA
Part of subcall function 00007FF8A7FF4480: _Py_Dealloc.PYTHON312(?,?,?,00007FF8A7FF51B4), ref: 00007FF8A7FF44E7

PyErr_Format.PYTHON312 ref: 00007FF8A7FF7977
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF7A8C
PyDict_SetItem.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF7AA3
_Py_Dealloc.PYTHON312(?,?,00000000,?,?,00007FF8A7FF82C3), ref: 00007FF8A7FF7AB9

Strings

global variable '%.200s' should be %zd bytes according to the cdef, but is actually %zd, xrefs: 00007FF8A7FF7968

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$Err_Format$Dict_Item
String ID: global variable '%.200s' should be %zd bytes according to the cdef, but is actually %zd
API String ID: 3830123900-276371364
Opcode ID: bc69f846bbe908aa3b1f298b2c6cab019fc9750a59e2bab75fff88cb0835d384
Instruction ID: fbc6e712b83d6b0674fa1586ae9e0e4e4185cbd7acd561ed3b47bc35ae3b319a
Opcode Fuzzy Hash: bc69f846bbe908aa3b1f298b2c6cab019fc9750a59e2bab75fff88cb0835d384
Instruction Fuzzy Hash: 5921A222A0B64291FA519F76D84067DA3A1EF84FD4F890035CE0D473A4DEBEE741A320

Function 00007FF646AB2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF646AB1B99), ref: 00007FF646AB2760

Strings

Error, xrefs: 00007FF646AB27DE
Error [ANSI Fallback], xrefs: 00007FF646AB27CF
ERROR, xrefs: 00007FF646AB276F
[PYI-%d:%s] , xrefs: 00007FF646AB2768

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction ID: 5277d9acfab89ab9d99eefbe351da8155980cb4421cfd4bf95e27f7c4d2a6c8b
Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
Instruction Fuzzy Hash: 1A217C72A1CB8582E660BB50B8817E6A3A4FB887C4F400136EE8D83659DF7DD6898750

Function 00007FF8A7FE3110 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE31B2

Strings

an integer is required, xrefs: 00007FF8A7FE31CD
integer conversion failed, xrefs: 00007FF8A7FE318D

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc
String ID: an integer is required$integer conversion failed
API String ID: 3617616757-1846422268
Opcode ID: 7809733d7cd1f8e9f7524f195d2639f2e74a98a67b81af8ddee571cc842d2f0a
Instruction ID: a6026f9d4c78f509153016077f81afa2b5a07a0b2e5f73d04c9a709c90c3fc26
Opcode Fuzzy Hash: 7809733d7cd1f8e9f7524f195d2639f2e74a98a67b81af8ddee571cc842d2f0a
Instruction Fuzzy Hash: EF21E022F0AA46A1EA558F36E94427C63A4EF44BF4F1C5235DE2D077E4EE6CE694D300

Function 00007FF8A7FE9D90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37stringCOMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FE9DA3
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FE9DD2

Strings

FILE, xrefs: 00007FF8A7FE9DDD
struct _IO_FILE, xrefs: 00007FF8A7FE9DB9
s:new_struct_type, xrefs: 00007FF8A7FE9D9C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Arg_ParseSizeTuple_strcmp
String ID: FILE$s:new_struct_type$struct _IO_FILE
API String ID: 3757293142-674226114
Opcode ID: fd3a60de0ca84b9ee791de28b189f2f851fb8b2f8231fe578e3776eb59bb0570
Instruction ID: aec88668daf246a8e603e69c5404322a77bb3c9e728f8f197dfc986ccc9820be
Opcode Fuzzy Hash: fd3a60de0ca84b9ee791de28b189f2f851fb8b2f8231fe578e3776eb59bb0570
Instruction Fuzzy Hash: B801B162A0D68292DB10CF35E8402BD73A1FB857C1F885132DB8E43658EE7CD646D710

Function 00007FF8A7FE55B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

PyObject_Repr.PYTHON312 ref: 00007FF8A7FE55C8
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE55E9
PyUnicode_FromFormat.PYTHON312 ref: 00007FF8A7FE5604
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE561B

Strings

<cdata '%s' %s %s>, xrefs: 00007FF8A7FE55F3

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Unicode_$DeallocFormatFromObject_Repr
String ID: <cdata '%s' %s %s>
API String ID: 3526755465-1199376545
Opcode ID: 92e8b411aa87ab1fc87cb18141ce1d7fd9f4644be2a94bc0e60e910f9e080c53
Instruction ID: b357b91affecb7607533da63fa271eed810545029fc21dfd9f8f175438fdf625
Opcode Fuzzy Hash: 92e8b411aa87ab1fc87cb18141ce1d7fd9f4644be2a94bc0e60e910f9e080c53
Instruction Fuzzy Hash: DC012822A0AA9292EA548F66FD4012D63A1FB88FD4F485031EE4E07B59EF7CD691D700

Function 00007FF8A7FEC9A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FEC9DD
PyErr_SetString.PYTHON312 ref: 00007FF8A7FECA07

Strings

O!O!n:rawaddressof, xrefs: 00007FF8A7FEC9D3
expected a pointer ctype, xrefs: 00007FF8A7FECA1F
expected a cdata struct/union/array/pointer object, xrefs: 00007FF8A7FEC9F6

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Arg_Err_ParseSizeStringTuple_
String ID: O!O!n:rawaddressof$expected a cdata struct/union/array/pointer object$expected a pointer ctype
API String ID: 4247878537-375230600
Opcode ID: ff3d13d3c1bd2ecf70dcc6f6de814df9574445e062849f9b6d2bb57c48f062f7
Instruction ID: 78219703b8c7ed7fae1b6b8271604b7c52410126f3e53059d373eeb8ba954963
Opcode Fuzzy Hash: ff3d13d3c1bd2ecf70dcc6f6de814df9574445e062849f9b6d2bb57c48f062f7
Instruction Fuzzy Hash: 32112E62A0DA86A1EE11CF24E8501BD33A0FB84BD4F940132DA9D436A4DF7CD649E700

Function 00007FF8A7FE5BE0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

_Py_FatalErrorFunc.PYTHON312 ref: 00007FF8A7FE5C30
PyErr_Format.PYTHON312 ref: 00007FF8A7FE5C5B

Strings

read_raw_float_data: bad float size, xrefs: 00007FF8A7FE5C22
float() not supported on cdata '%s', xrefs: 00007FF8A7FE5C4D
read_raw_float_data, xrefs: 00007FF8A7FE5C29

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_ErrorFatalFormatFunc
String ID: float() not supported on cdata '%s'$read_raw_float_data$read_raw_float_data: bad float size
API String ID: 4046554067-1430910167
Opcode ID: cca38cd799a4194b9cc09f102081e57649ff986fa1583fdc2600aa6cd8071237
Instruction ID: ddd5b8d84b433e5abc877918e0c0bc435d3a38e97132d25eaef0417857107ddf
Opcode Fuzzy Hash: cca38cd799a4194b9cc09f102081e57649ff986fa1583fdc2600aa6cd8071237
Instruction Fuzzy Hash: BA017172E0AA06E2EA44CF39E89047C23A1FF45BC4B904032C50D57664EF7CE6CAEB10

Function 00007FF8A7FE2FE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

PyDict_Next.PYTHON312 ref: 00007FF8A7FE300C
PyDict_Next.PYTHON312 ref: 00007FF8A7FE3030
_Py_FatalErrorFunc.PYTHON312 ref: 00007FF8A7FE3048

Strings

_cffi_backend: get_field_name(), xrefs: 00007FF8A7FE303A
get_field_name, xrefs: 00007FF8A7FE3041

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dict_Next$ErrorFatalFunc
String ID: _cffi_backend: get_field_name()$get_field_name
API String ID: 3667637998-2451131939
Opcode ID: 83c9e2edf1c90e3bb5b73ef7b7146cbf376fbd351d02ab754c5f6e28380c3fb2
Instruction ID: 625625d9b01c1e0ccbd9aec1ad3bf127a210321af006904b53ab286019e75174
Opcode Fuzzy Hash: 83c9e2edf1c90e3bb5b73ef7b7146cbf376fbd351d02ab754c5f6e28380c3fb2
Instruction Fuzzy Hash: C5014F22619A87A2DB10CF25F4442AE6371FF847C8F541032EB8D47928EFBDD659D740

Function 00007FF8A7FED9E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

PyObject_GetBuffer.PYTHON312 ref: 00007FF8A7FED9F5
PyBuffer_IsContiguous.PYTHON312 ref: 00007FF8A7FEDA04
PyBuffer_Release.PYTHON312 ref: 00007FF8A7FEDA11
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEDA28

Strings

contiguous buffer expected, xrefs: 00007FF8A7FEDA1E

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Buffer_$BufferContiguousErr_Object_ReleaseString
String ID: contiguous buffer expected
API String ID: 2934809616-3992619153
Opcode ID: d6b75a9f0b40574fef19843038d3722adfd3bfe2648668ed4aff4fa49dce6ba1
Instruction ID: cc3277adf09072fdf04e79d806adb1c88bcc4fe4f08ed04d7450a5ee56389b65
Opcode Fuzzy Hash: d6b75a9f0b40574fef19843038d3722adfd3bfe2648668ed4aff4fa49dce6ba1
Instruction Fuzzy Hash: E3F0A062B1A52392FB109F76AC4013C1361DF84FE0B482030CC1E8B3A0EE6CE6D9E300

Function 00007FF8A7FE27F0 Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

_PyObject_GC_NewVar.PYTHON312 ref: 00007FF8A7FE2848
PyObject_GC_Track.PYTHON312 ref: 00007FF8A7FE286F
memcpy.VCRUNTIME140 ref: 00007FF8A7FE28A1
memcpy.VCRUNTIME140 ref: 00007FF8A7FE28BA
memcpy.VCRUNTIME140 ref: 00007FF8A7FE28D6

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: memcpy$Object_$Track
String ID:
API String ID: 2188153816-0
Opcode ID: 2ffe7a5f7058f47fe5cd9df19c3e406a6f0f16ceb72a15f06e52b1da7f32a6c2
Instruction ID: 6fb7e29c26f8f2a0fd26c1373417e8044afa8a85f07dcf1ec27cae9e0eba675b
Opcode Fuzzy Hash: 2ffe7a5f7058f47fe5cd9df19c3e406a6f0f16ceb72a15f06e52b1da7f32a6c2
Instruction Fuzzy Hash: 0C21F532605B909ADB04CF25E88416D77A5FB48BE8B490135EE4D87B95EF3CD256C300

Function 00007FF646AD93D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF646AD9400
_set_statfp.LIBCMT ref: 00007FF646AD941B
_set_statfp.LIBCMT ref: 00007FF646AD9437
_set_statfp.LIBCMT ref: 00007FF646AD9473

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 12fd4369076be84bdc41967321dd05b3af15b2017aa65e09af264655ccb87287
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 0C1191B2E5CE1301F754B124D456375A0466F59374F050634EE7E8A2D7CE2EE9C14124

Function 00007FF646ACB400 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF646ACA613,?,?,00000000,00007FF646ACA8AE,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACB41F
FlsSetValue.KERNEL32(?,?,?,00007FF646ACA613,?,?,00000000,00007FF646ACA8AE,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACB43E
FlsSetValue.KERNEL32(?,?,?,00007FF646ACA613,?,?,00000000,00007FF646ACA8AE,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACB466
FlsSetValue.KERNEL32(?,?,?,00007FF646ACA613,?,?,00000000,00007FF646ACA8AE,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACB477
FlsSetValue.KERNEL32(?,?,?,00007FF646ACA613,?,?,00000000,00007FF646ACA8AE,?,?,?,?,?,00007FF646ACA83A), ref: 00007FF646ACB488

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction ID: ab841c59357fbc51218342ff9f52246f9c9d86c21f1757fdbedd7b2e82a45e22
Opcode Fuzzy Hash: 43a5c13e669b9c0dc60c9d5204f3187f9cebb30c335aac4df6ce1d0b58ad24f5
Instruction Fuzzy Hash: 35116020F0DE4281FA58B765A651179E142AF847B0F488734E93FDA6D6EE2FF4C58321

Function 00007FF8A7FF7210 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON312 ref: 00007FF8A7FF7219
FreeLibrary.KERNEL32 ref: 00007FF8A7FF722E
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF7243
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF7258
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF726D

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Dealloc$FreeLibraryObject_Track
String ID:
API String ID: 2674720036-0
Opcode ID: b5063930d8c60cc215c3057d7fcac7dc0d69dba4791599d4b43e0b87794572c6
Instruction ID: 2e1caa8271de6dd66d8f9f38567812f1e6277bd8fce256ecefc38243fcba4ba6
Opcode Fuzzy Hash: b5063930d8c60cc215c3057d7fcac7dc0d69dba4791599d4b43e0b87794572c6
Instruction Fuzzy Hash: 9101D633D0BA12E5EB954F71DD4827C73A0EB45FA9F545030DA0E85191CFBEA686EB10

Function 00007FF8A7FE15B0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FE15BF
GetLastError.KERNEL32 ref: 00007FF8A7FE15C7
TlsGetValue.KERNEL32 ref: 00007FF8A7FE15D5
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FE15E8
TlsSetValue.KERNEL32 ref: 00007FF8A7FE1605

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Value$ErrorLast_errnomalloc
String ID:
API String ID: 2411484184-0
Opcode ID: e488a826f195c001651052e684a3a9f0d19f84a96cf89817c6b9f1d79835e855
Instruction ID: 12a52755558a4b299d2d59aa669a910912422aa10890a050dd58df318ce50824
Opcode Fuzzy Hash: e488a826f195c001651052e684a3a9f0d19f84a96cf89817c6b9f1d79835e855
Instruction Fuzzy Hash: 0E014B32E0AB5192EB108F21E45412863A1FF88B94F098535DA4D47354EF7CE995DB10

Function 00007FF8A7FE1630 Relevance: 7.5, APIs: 5, Instructions: 25COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FF8A7FE163C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF8A7FE164F
TlsSetValue.KERNEL32 ref: 00007FF8A7FE166C
SetLastError.KERNEL32 ref: 00007FF8A7FE1675
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A7FE167B

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Value$ErrorLast_errnomalloc
String ID:
API String ID: 2411484184-0
Opcode ID: 938e482ca38ea7b382a05e366784367b7899dc8e576a2d46c98cab6c7a6c2be2
Instruction ID: da75839637dd5b71146fda9aa5a54b16f5fa2c520db6b0923e412371059c048f
Opcode Fuzzy Hash: 938e482ca38ea7b382a05e366784367b7899dc8e576a2d46c98cab6c7a6c2be2
Instruction Fuzzy Hash: 66F03A32E0760697EB158F31E8642386361FF88B95F094138C94D063A4EF6C6A98D610

Function 00007FF646AC6010 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC604C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC6176
_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC622C

Strings

verbose, xrefs: 00007FF646AC6020

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: b7f936ef77a05fbbf5bcbdb9318f582ee60864c70ac4e53c8cb264772f776e68
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: D091BD22B0CE4681F761FF28D46877DB391AB40B94F489136DA5B873C5DE3EE8858321

Function 00007FF646ABD6B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF646ABD6E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF646ABD77A
RtlUnwindEx.KERNEL32 ref: 00007FF646ABD7D4

Strings

csm, xrefs: 00007FF646ABD761

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction ID: f828acd0bc2dcb960bfc5a8e9d4a57377a6c33b733f08c646bd0f2cee17a734c
Opcode Fuzzy Hash: c7f5fdff7c0b40b6635b3f9850cf21a5be83d788788a684f503aa9329af71794
Instruction Fuzzy Hash: 88518D32A1DA468ADB14BF15E444A78A791EB44F98F108136DB4E87788EF7EE8C1C710

Function 00007FF646ABEF48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF646ABEFA7
_CallSETranslator.LIBVCRUNTIME ref: 00007FF646ABEFF3

Strings

RCC, xrefs: 00007FF646ABEFC3
MOC, xrefs: 00007FF646ABEFBB

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction ID: dae0add7e3fb6d68b07cc8d1a71a599aaa782982d38f98aaaa4431fecfb95fb4
Opcode Fuzzy Hash: 1984f943fe60021c6db05f5888f7dd086acc6d0e2a461e0c712dd9be4fa02006
Instruction Fuzzy Hash: AA61807290CBC981EB60AB15E4403AAF7A0FB85B84F084625EB9D47B55DF7DD1D0CB20

Function 00007FF8A7FE6E60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FF8A7FE7000

Strings

array size would overflow a Py_ssize_t, xrefs: 00007FF8A7FE6FF6

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_String
String ID: array size would overflow a Py_ssize_t
API String ID: 1450464846-3850734049
Opcode ID: 33cdaf1584b82da621bae8fdbdf860ffc2a95cdbf945a7e33592c68d286ca6e9
Instruction ID: 332dedb694154fb81180c47e74a293691f9556ecb3cda93e0d2b8fa5c3626910
Opcode Fuzzy Hash: 33cdaf1584b82da621bae8fdbdf860ffc2a95cdbf945a7e33592c68d286ca6e9
Instruction Fuzzy Hash: 57515E22B0A686A1EE948F26E85017D3360FF48BD0F441231EE6E43BD4EF6CE9909744

Function 00007FF646AB7E10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,?,00007FF646AB352C,?,00000000,00007FF646AB3F23), ref: 00007FF646AB7F22

Strings

\, xrefs: 00007FF646AB7E87
%.*s, xrefs: 00007FF646AB7EDB
%s%c, xrefs: 00007FF646AB7E94

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction ID: 9a82708fdc449c614e7bcfd2c244fa198ab62936b17c0f83a15d30f1cbdf31d0
Opcode Fuzzy Hash: 517c45005fecb665460f06d6deeb7a52b86fc8f3bacaeb8cdec2a0b3fdaf0698
Instruction Fuzzy Hash: 4531D22161DEC945EA61BB20E8507EAA354EF84FE4F044231EF6D837C9DE2DD681C710

Function 00007FF8A7FE6980 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FF8A7FE6A56
PyErr_Format.PYTHON312 ref: 00007FF8A7FE6A8C

Strings

pointer subtraction: the distance between the two pointers is not a multiple of the item size, xrefs: 00007FF8A7FE6A4C
cannot subtract cdata '%s' and cdata '%s', xrefs: 00007FF8A7FE6A7A

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$FormatString
String ID: cannot subtract cdata '%s' and cdata '%s'$pointer subtraction: the distance between the two pointers is not a multiple of the item size
API String ID: 4212644371-3794040536
Opcode ID: 395e169c5739ba28758f6a1c21c95846833e8ea4a1d44cf29ab1dbb009c727f8
Instruction ID: 1f271b2effab59ca5499f8168a51cabae7c8cb8b3da8d79c782455252a8fab7b
Opcode Fuzzy Hash: 395e169c5739ba28758f6a1c21c95846833e8ea4a1d44cf29ab1dbb009c727f8
Instruction Fuzzy Hash: 9F314F72E0BA4EA1EE648F65D86067C23A1FB44BC4F455976C91C072D0EE7CEAD5E301

Function 00007FF8A7FEC610 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FEC682
PyErr_SetString.PYTHON312 ref: 00007FF8A7FEC6A0

Strings

expected a 'cdata' or 'ctype' object, xrefs: 00007FF8A7FEC696
ctype '%s' is of unknown size, xrefs: 00007FF8A7FEC678

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$FormatString
String ID: ctype '%s' is of unknown size$expected a 'cdata' or 'ctype' object
API String ID: 4212644371-2764735189
Opcode ID: 5810c187a67809cb4b130ed5f0013bfbd1904b457718a229d1d8487af58f6217
Instruction ID: e04810eced7f336fc949633cf5602943e9dbb321136ee6f59c1f4011c2226c2c
Opcode Fuzzy Hash: 5810c187a67809cb4b130ed5f0013bfbd1904b457718a229d1d8487af58f6217
Instruction Fuzzy Hash: 0631EA63B0BA06E1EE54CF25D49067923A1FF94BC4F451432D50E876A0EF7CE6A9E701

Function 00007FF8A7FE3920 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FE3A11

Part of subcall function 00007FF8A7FE11A0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE11EB

Strings

unicode string of length %zd, xrefs: 00007FF8A7FE3963
larger-than-0xFFFF character, xrefs: 00007FF8A7FE3983
initializer for ctype 'char16_t' must be a unicode string of length 1, not %.200s, xrefs: 00007FF8A7FE3A07

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Format__stdio_common_vsprintf
String ID: initializer for ctype 'char16_t' must be a unicode string of length 1, not %.200s$larger-than-0xFFFF character$unicode string of length %zd
API String ID: 3682193652-3085492373
Opcode ID: b42d2b992fd0f15b7e2c26160689cf66ed3603904f2301dfe72343b861151498
Instruction ID: 70e7d4311296136a17020851d91e968bb7fa13a5af3c0d3fcc78776c63b39078
Opcode Fuzzy Hash: b42d2b992fd0f15b7e2c26160689cf66ed3603904f2301dfe72343b861151498
Instruction Fuzzy Hash: BA317222A0E682A1EE60CF35D45537C63A5FF84BC8F980132D98D462E4EF7DEA49D700

Function 00007FF646AB2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF646AB28EA

Strings

Error, xrefs: 00007FF646AB28DD
ERROR, xrefs: 00007FF646AB286F
[PYI-%d:%ls] , xrefs: 00007FF646AB2868

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction ID: 9e8d19d2ed1f2bc9a69fc9b3d6ec2212395e429851e979d2b3735ae190349c10
Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
Instruction Fuzzy Hash: 50219FA2B0CB4182E650BB54F8447EAA3A4FB88784F400136EE8D93659DE3DD689C710

Function 00007FF8A7FF6100 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

PyTuple_Size.PYTHON312 ref: 00007FF8A7FF6113
PyErr_SetString.PYTHON312 ref: 00007FF8A7FF6130
PyLong_FromSsize_t.PYTHON312 ref: 00007FF8A7FF61B5

Strings

offsetof() expects at least 2 arguments, xrefs: 00007FF8A7FF6126

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_FromLong_SizeSsize_tStringTuple_
String ID: offsetof() expects at least 2 arguments
API String ID: 1664805531-4287892465
Opcode ID: f00b09bba9f38762a77f4bafc419a15b5121ad400c08834d8ddbbda3a053e21e
Instruction ID: 1551f768e2bda3aade5f0d7b9e087c76b4e582d48e5555a06a64d2bd456b6f9a
Opcode Fuzzy Hash: f00b09bba9f38762a77f4bafc419a15b5121ad400c08834d8ddbbda3a053e21e
Instruction Fuzzy Hash: B5119D22B1AA5195EB148F31E8501BD23A0FB8DBD4F081431EE4E43B55DFBCD695D700

Function 00007FF8A7FF6950 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON312 ref: 00007FF8A7FF697D
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FF69A7
PyErr_Format.PYTHON312 ref: 00007FF8A7FF69C8

Strings

integer constant '%.200s' not found, xrefs: 00007FF8A7FF69B9

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$Arg_FormatKeywords_OccurredParseSizeTuple
String ID: integer constant '%.200s' not found
API String ID: 2363003521-2598228679
Opcode ID: 672c97ed1388c1b5454143079bf92689344c8bb2180d1a9fbbd5984362136aff
Instruction ID: d003d171857f1903d4b8fa2741cdbe6805e085ea1801523e11793cf37a87117c
Opcode Fuzzy Hash: 672c97ed1388c1b5454143079bf92689344c8bb2180d1a9fbbd5984362136aff
Instruction Fuzzy Hash: FF016265B1AA16A1EE108F71E8105B9A3A0EF88FD0F480035DD4D47764EF7CE258D714

Function 00007FF8A7FEC910 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FEC949

Part of subcall function 00007FF8A7FEC7A0: PyErr_SetString.PYTHON312 ref: 00007FF8A7FEC8F0

_Py_BuildValue_SizeT.PYTHON312 ref: 00007FF8A7FEC980

Strings

(On), xrefs: 00007FF8A7FEC976
O!O|i:typeoffsetof, xrefs: 00007FF8A7FEC942

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Size$Arg_BuildErr_ParseStringTuple_Value_
String ID: (On)$O!O|i:typeoffsetof
API String ID: 1294453720-945657874
Opcode ID: a9e96af6e96d563c977228fa90480bf78f758e699be6a10abd642ecc536274d7
Instruction ID: 57d2ba544de3c1c87734358845bb0b71de1936d849ae2cd03bc45b6c957ed735
Opcode Fuzzy Hash: a9e96af6e96d563c977228fa90480bf78f758e699be6a10abd642ecc536274d7
Instruction Fuzzy Hash: A101177661DB46A1DE10CF61E8401AE7760FB857D4F841136E98E43764EF7CE249DB40

Function 00007FF8A7FED880 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FED8A7
PyErr_Format.PYTHON312 ref: 00007FF8A7FED8D4

Strings

needs 'void *', got '%s', xrefs: 00007FF8A7FED8CA
O!O, xrefs: 00007FF8A7FED8A0

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Arg_Err_FormatParseSizeTuple_
String ID: O!O$needs 'void *', got '%s'
API String ID: 365124298-685417567
Opcode ID: f09494dd2b88f10b23476fc2a386a7864d06bc62aa949ad35e8d89ceb211845d
Instruction ID: 7fd2cebc190a6511344d5a526a42163bcdd1928fa22706d4777616ee17f83d30
Opcode Fuzzy Hash: f09494dd2b88f10b23476fc2a386a7864d06bc62aa949ad35e8d89ceb211845d
Instruction Fuzzy Hash: D5F0FF66A0EA42A1EA00DF65E8511AD63A1FB84BD4F804132D94D47A64DFBCD75EE700

Function 00007FF646ACC610 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF646ACC68F
WriteFile.KERNEL32 ref: 00007FF646ACC957
WriteFile.KERNEL32 ref: 00007FF646ACC99D
GetLastError.KERNEL32 ref: 00007FF646ACCA53

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction ID: 0dba6a515fa2e01f3673ed82e3a01550e4808a6e0913874a808adb3bc7c19de5
Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
Instruction Fuzzy Hash: 42D114B2B1CE808AE710EF65D4442AC77B2FB44B98B448235DE5F97B89DE39D046C350

Function 00007FF646ACCFD0 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF646ACCFBB), ref: 00007FF646ACD0EC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF646ACCFBB), ref: 00007FF646ACD177

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction ID: db8144fa8de4560c9db26a591e74a51a30638b8b82208d5df199264a3feb93ce
Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
Instruction Fuzzy Hash: 2A91B572F1CA5185F750BF6994502BDABA1BB44B88F14413ADE0F97A85CE3ED4C2D720

Function 00007FF8A7FF7B08 Relevance: 6.1, APIs: 4, Instructions: 128COMMON

Download Yara Rule

APIs

PyList_New.PYTHON312 ref: 00007FF8A7FF7B70
PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FF7BB4
PyList_SetSlice.PYTHON312 ref: 00007FF8A7FF7BE5
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF7BFD

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: List_$DeallocFromSliceStringUnicode_
String ID:
API String ID: 2856216243-0
Opcode ID: a060fcd1d1d0bc63c597a10254fac5962edccef78e3cd3d07f34a90fd84b24d2
Instruction ID: 233995145fca5f1aee5dba4a6a359f161208227766d30312ab5a9f9802dfb8c4
Opcode Fuzzy Hash: a060fcd1d1d0bc63c597a10254fac5962edccef78e3cd3d07f34a90fd84b24d2
Instruction Fuzzy Hash: BA31C333A0F64297E70A4F3A984117CBBA1EB52BD5B548431CF4982754EFBEE542D710

Function 00007FF646AC57EC Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF646AC581F
GetFileInformationByHandle.KERNEL32 ref: 00007FF646AC5881
GetLastError.KERNEL32 ref: 00007FF646AC5912
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF646AC5724), ref: 00007FF646AC595E

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction ID: eeb62928c636e0669b382bade804c40e460ad5be323f962b1659bec64547a717
Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
Instruction Fuzzy Hash: 39519E62E0CA418AFB50FFB1D4503BDA3B1AF48B98F144435EE0E97689DF39D8918720

Function 00007FF8A7FF5D20 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7FF5910: PyDict_GetItem.PYTHON312 ref: 00007FF8A7FF5956
Part of subcall function 00007FF8A7FF5910: PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FF596B

PyType_IsSubtype.PYTHON312 ref: 00007FF8A7FF5D68
PyErr_Clear.PYTHON312 ref: 00007FF8A7FF5DA3
PyTuple_GetItem.PYTHON312 ref: 00007FF8A7FF5DD7
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF5DFC

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Item$ClearDeallocDict_Err_SubtypeTuple_Type_Unicode_
String ID:
API String ID: 2830349452-0
Opcode ID: 7247e3d3d3da37e9cbc845cff0bd3705929a9b1aa68531a92463a3f350e90a1c
Instruction ID: 5dea38815c6c30458af169fcd1cba0b3ff85419eae7ef2123849b38a8b93a600
Opcode Fuzzy Hash: 7247e3d3d3da37e9cbc845cff0bd3705929a9b1aa68531a92463a3f350e90a1c
Instruction Fuzzy Hash: 33313C32A0BB12A2EA588F26D65423C67E1FF48BD0F084035CA1D47B90EFACE555D740

Function 00007FF8A7FF7FD0 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

PyList_New.PYTHON312 ref: 00007FF8A7FF7FEE
PyUnicode_FromString.PYTHON312 ref: 00007FF8A7FF8019
PyList_SetSlice.PYTHON312 ref: 00007FF8A7FF8046
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FF805E

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: List_$DeallocFromSliceStringUnicode_
String ID:
API String ID: 2856216243-0
Opcode ID: 3af2a3771d165e4ed7308a0aa5761afe4799a0c283cf7672543a36ad24db933a
Instruction ID: a409fe69c6a95d056f52c4e59787877548b891b5c73b5428016626f7b8392b23
Opcode Fuzzy Hash: 3af2a3771d165e4ed7308a0aa5761afe4799a0c283cf7672543a36ad24db933a
Instruction Fuzzy Hash: 41119023B0AA02D5EA119F66A68017D67A0FB44BE4F450031CF0D47750DEB9E692A300

Function 00007FF646ABD080 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF646ABD0AC
GetCurrentThreadId.KERNEL32 ref: 00007FF646ABD0BA
GetCurrentProcessId.KERNEL32 ref: 00007FF646ABD0C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF646ABD0D6

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction ID: 16d320fcbef588b419c15c560a1ae3d5b6c9ac3e4547a7c55e05ff67ae357075
Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
Instruction Fuzzy Hash: 23117036B58F058AEB40EF60E8442B973A4FB19758F040E35DE2D867A4DF3CD1988350

Function 00007FF8A7FFA9A0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8A7FFA9CC
GetCurrentThreadId.KERNEL32 ref: 00007FF8A7FFA9DA
GetCurrentProcessId.KERNEL32 ref: 00007FF8A7FFA9E6
QueryPerformanceCounter.KERNEL32 ref: 00007FF8A7FFA9F6

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 596be0927f78f84991075cbdc7975b617f20e2a8a8906028a2789e57974fb007
Instruction ID: 4412d02a726c9453209c8723d3b0a4df6709f3fee284910c1be20d648a34b54c
Opcode Fuzzy Hash: 596be0927f78f84991075cbdc7975b617f20e2a8a8906028a2789e57974fb007
Instruction Fuzzy Hash: 65111822B15F019AEB00CF70E8542A833B4FB59798F440A31DA6D867A4DF7CD5A9C340

Function 00007FF8A7FE93D0 Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7FE9020: _PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FE90E9
Part of subcall function 00007FF8A7FE9020: PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE90FA
Part of subcall function 00007FF8A7FE9020: PyUnicode_GetLength.PYTHON312 ref: 00007FF8A7FE9111
Part of subcall function 00007FF8A7FE9020: PyUnicode_AsWideChar.PYTHON312 ref: 00007FF8A7FE9155
Part of subcall function 00007FF8A7FE9020: LoadLibraryExW.KERNEL32 ref: 00007FF8A7FE919E
Part of subcall function 00007FF8A7FE9020: GetLastError.KERNEL32 ref: 00007FF8A7FE927E

_PyObject_New.PYTHON312 ref: 00007FF8A7FE9402
FreeLibrary.KERNEL32 ref: 00007FF8A7FE9413
_strdup.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A7FE9424
_Py_Dealloc.PYTHON312 ref: 00007FF8A7FE944A

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Unicode_$Library$Arg_CharDeallocErrorFreeLastLengthLoadObject_ParseSizeTuple_Wide_strdup
String ID:
API String ID: 401954816-0
Opcode ID: d448c56beaffd09715bd41e11c35a37641729b34c4a5d25298aeeb40dc85d46a
Instruction ID: 47615a46fb5d7996fab71c46f59fdb2042b33234d20b6b21faf0271b192bbedc
Opcode Fuzzy Hash: d448c56beaffd09715bd41e11c35a37641729b34c4a5d25298aeeb40dc85d46a
Instruction Fuzzy Hash: D2013976A0EA42A2EB15CF74E44017DA3A0FF88BD9F444035DA4D42754EFBCD645D711

Function 00007FF8A7FE6AA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

PyErr_ExceptionMatches.PYTHON312 ref: 00007FF8A7FE6AC2
PyErr_Clear.PYTHON312 ref: 00007FF8A7FE6ACC
PyUnicode_AsUTF8.PYTHON312 ref: 00007FF8A7FE6AD5
PyErr_Format.PYTHON312 ref: 00007FF8A7FE6AF8

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$ClearExceptionFormatMatchesUnicode_
String ID:
API String ID: 3412208678-0
Opcode ID: 937af04d1200e84c7176cf5eec324f504c542d33950e4b6559967da55c4092cf
Instruction ID: 8e8b84bdb4cf5cb84a3757a861d0e3980375f7e86b47e85b4cd51dbdcadd6018
Opcode Fuzzy Hash: 937af04d1200e84c7176cf5eec324f504c542d33950e4b6559967da55c4092cf
Instruction Fuzzy Hash: 5BF0F926B0AB92A2EA408F76E89403D6360FB88FC0B088035DE5E97B64DE6CD594D300

Function 00007FF646AC9084 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AC90B6

Part of subcall function 00007FF646ACA9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9CE
Part of subcall function 00007FF646ACA9B8: GetLastError.KERNEL32(?,?,?,00007FF646AD2D92,?,?,?,00007FF646AD2DCF,?,?,00000000,00007FF646AD3295,?,?,?,00007FF646AD31C7), ref: 00007FF646ACA9D8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF646ABCC15), ref: 00007FF646AC90D4

Strings

C:\Users\user\Desktop\qhos.exe, xrefs: 00007FF646AC90C2

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\qhos.exe
API String ID: 3580290477-2817503745
Opcode ID: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction ID: b9cd7c38ff6c84f88980d320efce69b329563604248803c2d62eb1080271ffe3
Opcode Fuzzy Hash: 2cf9991d5cc0f55d4af5251d222b056ff2fa25707e1fd1ed9fb4097698885552
Instruction Fuzzy Hash: 6B416032A0CF5286EB54FF25A4420BDA795EF457D4B554035EA4F83B85DE3EE4C18360

Function 00007FF8A7FF6ED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312(?,?,?,?,?,00007FF8A7FF47D0), ref: 00007FF8A7FF6F13
PyErr_Occurred.PYTHON312(?,?,?,?,?,00007FF8A7FF47D0), ref: 00007FF8A7FF6FC1

Strings

recursion overflow in ffi.include() delegations, xrefs: 00007FF8A7FF6F09

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$OccurredString
String ID: recursion overflow in ffi.include() delegations
API String ID: 114435612-2249810312
Opcode ID: 4909c9b511e2c0b31c2cd97bbd258bb9a808b8332b7f05489945ee6e26e49877
Instruction ID: 1ec371c99b9cfeaa8b1bbf1a65c1a96bb01c90c19308f98a4a64c7d01fddcdb6
Opcode Fuzzy Hash: 4909c9b511e2c0b31c2cd97bbd258bb9a808b8332b7f05489945ee6e26e49877
Instruction Fuzzy Hash: F431A332B0AA42A5EB14CF22E81066D6760FB44BD8F444536EE6D43785EF7CE512D300

Function 00007FF8A7FF57E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8A7FF58BA
PyErr_Format.PYTHON312 ref: 00007FF8A7FF58DB

Strings

%s%s, xrefs: 00007FF8A7FF58CA

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Formatmemset
String ID: %s%s
API String ID: 1100529188-3252725368
Opcode ID: 6da30f56e8015e3a1d7d2734413e7b8b409e5e6b94874cc5211c7e7bd792728b
Instruction ID: cb7cdf24bc733133f7bd2197115ad7844f3862563952576da1370785653bb659
Opcode Fuzzy Hash: 6da30f56e8015e3a1d7d2734413e7b8b409e5e6b94874cc5211c7e7bd792728b
Instruction Fuzzy Hash: 4D317222A09B8599EB108F35D4502AC37A1FB49BE8F485331DA6E177D9DF7DD255C300

Function 00007FF646ACF628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF646ACF668
GetCurrentDirectoryW.KERNEL32 ref: 00007FF646ACF6BA

Strings

:, xrefs: 00007FF646ACF67E

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction ID: 8beab3b547bb5766f344f132f6ee627726beca0c861ab153c26e978782805346
Opcode Fuzzy Hash: 779a21297323b81187f7e0c7d27b40be9ec8fbab2d126766b2de98969da868de
Instruction Fuzzy Hash: 6B21B662A0CE8182FB20BB15D04426DB3B1FF84B44F954035DA9E83694DF7EE9C58761

Function 00007FF8A7FE3A40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A7FE11A0: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF8A7FE11EB

PyErr_Format.PYTHON312 ref: 00007FF8A7FE3B15

Strings

initializer for ctype 'char32_t' must be a unicode string of length 1, not %.200s, xrefs: 00007FF8A7FE3B0B
unicode string of length %zd, xrefs: 00007FF8A7FE3A7F

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_Format__stdio_common_vsprintf
String ID: initializer for ctype 'char32_t' must be a unicode string of length 1, not %.200s$unicode string of length %zd
API String ID: 3682193652-4170590841
Opcode ID: 3c6d72cb6482390d1f6e8d6967e0b6c0bb6f4ae1d620c188bf85d2c4d03a0e74
Instruction ID: 55c6c4bef2504aa6e90694ed85c8acacd10bd96f7684d619eb9ce165e3f81b42
Opcode Fuzzy Hash: 3c6d72cb6482390d1f6e8d6967e0b6c0bb6f4ae1d620c188bf85d2c4d03a0e74
Instruction Fuzzy Hash: A4314126A0A686A1EE20DF29D4542BD2375FF85BC8F884131D94D476E4EF7CEA89D700

Function 00007FF8A7FE7830 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FF8A7FE78B2

Part of subcall function 00007FF8A7FE50A0: PyErr_Fetch.PYTHON312 ref: 00007FF8A7FE50CA
Part of subcall function 00007FF8A7FE50A0: PyObject_CallFunctionObjArgs.PYTHON312 ref: 00007FF8A7FE50D9
Part of subcall function 00007FF8A7FE50A0: _Py_Dealloc.PYTHON312 ref: 00007FF8A7FE50FA
Part of subcall function 00007FF8A7FE50A0: _Py_Dealloc.PYTHON312 ref: 00007FF8A7FE51FD
Part of subcall function 00007FF8A7FE50A0: PyErr_Restore.PYTHON312 ref: 00007FF8A7FE5215
Part of subcall function 00007FF8A7FE50A0: _Py_Dealloc.PYTHON312 ref: 00007FF8A7FE5233

Strings

only 'cdata' object from ffi.new(), ffi.gc(), ffi.from_buffer() or ffi.new_allocator()() can be used with the 'with' keyword or ffi.release(), xrefs: 00007FF8A7FE78A8

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: DeallocErr_$ArgsCallFetchFunctionObject_RestoreString
String ID: only 'cdata' object from ffi.new(), ffi.gc(), ffi.from_buffer() or ffi.new_allocator()() can be used with the 'with' keyword or ffi.release()
API String ID: 1646949248-4224388032
Opcode ID: aa63ce304cdc2b21f3c42e19cb5892ebf741b955057ef031d4102737c2678c8b
Instruction ID: b292d6a79999840ecca7e52f5b601c64d3a0686863f589a8f8ab025cf8decada
Opcode Fuzzy Hash: aa63ce304cdc2b21f3c42e19cb5892ebf741b955057ef031d4102737c2678c8b
Instruction Fuzzy Hash: 71210136E0B646A1EA50DF65D89017C3361FFA4BC4B941432DA0E477A0DF7CDA58E311

Function 00007FF8A7FEB620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON312 ref: 00007FF8A7FEB65E
PyErr_Occurred.PYTHON312 ref: 00007FF8A7FEB697

Strings

callback with the return type 'void' must return None, xrefs: 00007FF8A7FEB654

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$OccurredString
String ID: callback with the return type 'void' must return None
API String ID: 114435612-1821524162
Opcode ID: ae7b6f80f023880edb94a5da8e51c10f15895ed8fcf9e2dde7b7f5fbeedea884
Instruction ID: 292c1385234973736fc35055e216aa153c300718b4c208657a7514a043002464
Opcode Fuzzy Hash: ae7b6f80f023880edb94a5da8e51c10f15895ed8fcf9e2dde7b7f5fbeedea884
Instruction Fuzzy Hash: EC119432A1A602E2EE548F39F44197C22A0EF14BE4F084635DA2C477D5FE6CE6909700

Function 00007FF646ABFDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF646ABFE08
RaiseException.KERNEL32 ref: 00007FF646ABFE49

Strings

csm, xrefs: 00007FF646ABFE36

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction ID: 7d9e53c96976b0a9da84be20f7235d8270a38c20977b9f41d312cad6607664ba
Opcode Fuzzy Hash: 4f0f6445cfedea8dceb7eb9436a550d57130d2c9509dbddfada5299d94659d4a
Instruction Fuzzy Hash: 8311193261CF8582EB61AB15F440269B7E5FB88B88F584234DF8D47B69DF3DD5918B00

Function 00007FF8A7FE7960 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312 ref: 00007FF8A7FE7989
_PyObject_New.PYTHON312 ref: 00007FF8A7FE799E

Strings

cdata '%s' does not support iteration, xrefs: 00007FF8A7FE797B

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_FormatObject_
String ID: cdata '%s' does not support iteration
API String ID: 2473357163-1739368148
Opcode ID: 6c488f7799fa390b29dea17249abf4c880117c5121d23be5963cdd351ac3da00
Instruction ID: bbbb7a19daeecf03e7a57478cee720bd2bf38a3e898a118f622d0d24cef85b81
Opcode Fuzzy Hash: 6c488f7799fa390b29dea17249abf4c880117c5121d23be5963cdd351ac3da00
Instruction Fuzzy Hash: B2113CB2A06B0592EF19CF79D49016C23A0FB98F98B041036CE4C87364EF38D5A4D350

Function 00007FF8A7FE6740 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON312 ref: 00007FF8A7FE6786
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE67A7

Strings

'del x[n]' not supported for cdata objects, xrefs: 00007FF8A7FE679D

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_$OccurredString
String ID: 'del x[n]' not supported for cdata objects
API String ID: 114435612-201749645
Opcode ID: f720e1f39a2eb0efaf902be54d2bea477f9509a7fcba676635de80ebcb984ae1
Instruction ID: 710e4433bff67b3bd97a607bd1880b5c72fca33e532c666f913c4babed255d11
Opcode Fuzzy Hash: f720e1f39a2eb0efaf902be54d2bea477f9509a7fcba676635de80ebcb984ae1
Instruction Fuzzy Hash: 21016132B2AB5591EE508F26E95013D6360FB48FD4F181031EF5E07795EF6CEA91A700

Function 00007FF646AD07AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF646AD07DC
GetDriveTypeW.KERNEL32 ref: 00007FF646AD081C

Strings

:, xrefs: 00007FF646AD0805

Memory Dump Source

Source File: 00000002.00000002.2248277956.00007FF646AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF646AB0000, based on PE: true

Associated: 00000002.00000002.2248248660.00007FF646AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248314117.00007FF646ADB000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AEE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248346388.00007FF646AF1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2248420949.00007FF646AF9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff646ab0000_qhos.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction ID: 9151ae9870f228d7b05f5a075ce259a5260c193ca323c73bcf92ff579b76113a
Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
Instruction Fuzzy Hash: 3D01676291CE0785FB60BF60A46627EA3A0FF44744F840135D95DC6695DF3EE5848B34

Function 00007FF8A7FF4480 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON312(?,?,?,00007FF8A7FF51B4), ref: 00007FF8A7FF44CA
_Py_Dealloc.PYTHON312(?,?,?,00007FF8A7FF51B4), ref: 00007FF8A7FF44E7

Strings

the type '%s%s' is a function type, not a pointer-to-function type, xrefs: 00007FF8A7FF44A4

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: DeallocErr_Format
String ID: the type '%s%s' is a function type, not a pointer-to-function type
API String ID: 186121651-1909832095
Opcode ID: 64ab044391dccdbd6a1c55b012bd2c3716ff9c8927066ae23d857c7a5b707b1b
Instruction ID: ec4b1d39e5d93f04dec573d6ab194fc2ed3e9348ea56536e28a756920d5e6a36
Opcode Fuzzy Hash: 64ab044391dccdbd6a1c55b012bd2c3716ff9c8927066ae23d857c7a5b707b1b
Instruction Fuzzy Hash: 25011A22E0AA82A1EF509F75E5852BC23A1FF44B94F498031CA1D06695EF7CE2A9D350

Function 00007FF8A7FE9C40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_PyObject_GC_NewVar.PYTHON312 ref: 00007FF8A7FE9C52
PyObject_GC_Track.PYTHON312 ref: 00007FF8A7FE9C75

Part of subcall function 00007FF8A7FE9460: PyBytes_FromStringAndSize.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE9486
Part of subcall function 00007FF8A7FE9460: memcpy.VCRUNTIME140(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE94A2
Part of subcall function 00007FF8A7FE9460: PyDict_GetItem.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE94B1
Part of subcall function 00007FF8A7FE9460: _Py_Dealloc.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE94CD
Part of subcall function 00007FF8A7FE9460: _Py_Dealloc.PYTHON312(?,?,?,00007FF8A7FE9BAB), ref: 00007FF8A7FE94EA

Strings

void, xrefs: 00007FF8A7FE9C7B, 00007FF8A7FE9C9C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: DeallocObject_$Bytes_Dict_FromItemSizeStringTrackmemcpy
String ID: void
API String ID: 2546078241-3531332078
Opcode ID: 4c094f274a6ea7267a5ac3d88bf51addd8cd5ffdee27056a3ad5142d784a6b84
Instruction ID: 063b1dba0e845770ccb15fd8823398f4f44bb8d9e29856b68e10cfd4a1dd5d8e
Opcode Fuzzy Hash: 4c094f274a6ea7267a5ac3d88bf51addd8cd5ffdee27056a3ad5142d784a6b84
Instruction Fuzzy Hash: 68019E72A0AB5196EB408F35E84022C37E0FB08BA8F040234CA6D463C4EF7CD194DB10

Function 00007FF8A7FE3330 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

Strings

write_raw_integer_data: bad integer size, xrefs: 00007FF8A7FE336A
write_raw_integer_data, xrefs: 00007FF8A7FE3371

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID:
String ID: write_raw_integer_data$write_raw_integer_data: bad integer size
API String ID: 0-2904179195
Opcode ID: 788fb9f4567cdc27bf4120c71a56f576d2c2369954c6e97c64edf891cec12b5b
Instruction ID: 13872a198e00949e7f5126e30d7632bd71c35d164bc64e8b49a0695f7d51cebe
Opcode Fuzzy Hash: 788fb9f4567cdc27bf4120c71a56f576d2c2369954c6e97c64edf891cec12b5b
Instruction Fuzzy Hash: C7E06575E1B112FDDE255F35C85582C3264EF59794FE44470C20C05A54ED9EA29FAB00

Function 00007FF8A7FE3380 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

Strings

read_raw_float_data: bad float size, xrefs: 00007FF8A7FE33B5
read_raw_float_data, xrefs: 00007FF8A7FE33BC

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID:
String ID: read_raw_float_data$read_raw_float_data: bad float size
API String ID: 0-3717373606
Opcode ID: dc5a5fbde97426e1895f415c3e0f2b016b9a9dc5067fe02518ca64e991821a09
Instruction ID: 50d6ac894721b466d7789d9b3191a386a5394a274bb1fd373cd47cbb308fb4a5
Opcode Fuzzy Hash: dc5a5fbde97426e1895f415c3e0f2b016b9a9dc5067fe02518ca64e991821a09
Instruction Fuzzy Hash: 25E06571E0A906AAE640CF39E49042C7364FF89784F604131D24D12628EF2CD689DB00

Function 00007FF8A7FE2D70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

PyTuple_GetItem.PYTHON312 ref: 00007FF8A7FE2D86
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE2DB0

Strings

result, xrefs: 00007FF8A7FE2DA6

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_ItemStringTuple_
String ID: result
API String ID: 2162364271-325763347
Opcode ID: 4cec6cef12b53bdbeb5f8dc1b09f4298dac28b4045d4d1e57bcfb86b228623e1
Instruction ID: 191648ca60278413168e1bafe61e5c955becdb6a4f4326f87a1aa3881244e9e8
Opcode Fuzzy Hash: 4cec6cef12b53bdbeb5f8dc1b09f4298dac28b4045d4d1e57bcfb86b228623e1
Instruction Fuzzy Hash: D6F0C032A0650296EB159F25C85527C23A0FF88B84FD44035C60D47360EEADE65AE700

Function 00007FF8A7FE2E10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

PyTuple_GetItem.PYTHON312 ref: 00007FF8A7FE2E23
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE2E4D

Strings

abi, xrefs: 00007FF8A7FE2E43

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_ItemStringTuple_
String ID: abi
API String ID: 2162364271-3589384412
Opcode ID: 619fa9de396bd3482c321f948884e66e22dfe0a9027d5e8740db5fa946ded6da
Instruction ID: b9fdabbd2b432bfbb96bff1d3210c30da405fbd8cf841c9ed2c60e2b53ebce06
Opcode Fuzzy Hash: 619fa9de396bd3482c321f948884e66e22dfe0a9027d5e8740db5fa946ded6da
Instruction Fuzzy Hash: 35E0C932A4691292EB199F35C8A517C33A0FFCCB85F884035C60D4A360EEBCE65BE704

Function 00007FF8A7FEE570 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON312 ref: 00007FF8A7FEE583
PyErr_SetNone.PYTHON312 ref: 00007FF8A7FEE7B8

Strings

i:_testfunc, xrefs: 00007FF8A7FEE57C

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Arg_Err_NoneParseSizeTuple_
String ID: i:_testfunc
API String ID: 3294110026-2179347680
Opcode ID: 1f52de62a1cd60aaddd131ee0ce51f825f6e8d6aaecd181c1331260fdbbf3fd6
Instruction ID: 497ad4513bc5c265fa6f82d2e3cd3e275a88c794bead370c5c92889e8a80550c
Opcode Fuzzy Hash: 1f52de62a1cd60aaddd131ee0ce51f825f6e8d6aaecd181c1331260fdbbf3fd6
Instruction Fuzzy Hash: 3EF0E562B0E542E1EB049F65E89017C23A1FF84BC5F945435D60D47664DE6CD689D700

Function 00007FF8A7FE33D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMON

Download Yara Rule

Strings

write_raw_float_data, xrefs: 00007FF8A7FE3400
write_raw_float_data: bad float size, xrefs: 00007FF8A7FE33F9

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID:
String ID: write_raw_float_data$write_raw_float_data: bad float size
API String ID: 0-3509257061
Opcode ID: 038a4621818376051a9cc1456757b0f6d31ce2c7002fac2137a316bc100ea136
Instruction ID: 01bbc17c63693119da38333b5808dd3fb2010989f0ef80ba0dccf190ef26f895
Opcode Fuzzy Hash: 038a4621818376051a9cc1456757b0f6d31ce2c7002fac2137a316bc100ea136
Instruction Fuzzy Hash: 32E08674E17A06B5D9659F37DC914782221EF66780FA44731C20C15414FE5D62DAB700

Function 00007FF8A7FE2E60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

PyTuple_GetItem.PYTHON312 ref: 00007FF8A7FE2E76
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE2EA0

Strings

elements, xrefs: 00007FF8A7FE2E96

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_ItemStringTuple_
String ID: elements
API String ID: 2162364271-1145702237
Opcode ID: ac0cd38b110f2b26480fc63e173de6174b40e1c81e00c27d14ea549e116ff3b2
Instruction ID: 1000b196df8c73c4e2a61d315b1f46914f0defe4f1fa7d76977280437e7c45fb
Opcode Fuzzy Hash: ac0cd38b110f2b26480fc63e173de6174b40e1c81e00c27d14ea549e116ff3b2
Instruction Fuzzy Hash: 97E09266B0BA1391EB049F35D85527C23E1FF88B95F944035C90D46360EFADE69BE701

Function 00007FF8A7FE2EB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

PyTuple_GetItem.PYTHON312 ref: 00007FF8A7FE2EC3
PyErr_SetString.PYTHON312 ref: 00007FF8A7FE2EED

Strings

relements, xrefs: 00007FF8A7FE2EE3

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: Err_ItemStringTuple_
String ID: relements
API String ID: 2162364271-422848457
Opcode ID: 63a911fc31dd61c34cbd01cd92c7998490e3c19749229aff379a075a4898c19c
Instruction ID: 18b9ec9870072e13274d97e4489ffb9e67ae559e039e47e90385db6d41430852
Opcode Fuzzy Hash: 63a911fc31dd61c34cbd01cd92c7998490e3c19749229aff379a075a4898c19c
Instruction Fuzzy Hash: 32E0ED26A0BA1291EA049F35D85513C23A0FF8CB84F444035C90D4A260EEACE69BE700

Function 00007FF8A7FE26A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12sleepwindowCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF8A7FE26A9
MessageBoxW.USER32 ref: 00007FF8A7FE26C5

Strings

Python-CFFI error, xrefs: 00007FF8A7FE26B6

Memory Dump Source

Source File: 00000002.00000002.2249603453.00007FF8A7FE1000.00000020.00000001.01000000.00000024.sdmp, Offset: 00007FF8A7FE0000, based on PE: true

Associated: 00000002.00000002.2249578233.00007FF8A7FE0000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249634454.00007FF8A7FFC000.00000002.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249660754.00007FF8A8009000.00000004.00000001.01000000.00000024.sdmpDownload File
Associated: 00000002.00000002.2249686478.00007FF8A800F000.00000002.00000001.01000000.00000024.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a7fe0000_qhos.jbxd

Similarity

API ID: MessageSleep
String ID: Python-CFFI error
API String ID: 578018706-1839111994
Opcode ID: ede8aa22deb80eaa6ab3546a15dcbbc0ec76f4b222b413cb8c77dff3dd07da66
Instruction ID: 05a19aaa399aaaaa122bd3a3602fe036f871457c9f6a98c5bb67b15fa8602e28
Opcode Fuzzy Hash: ede8aa22deb80eaa6ab3546a15dcbbc0ec76f4b222b413cb8c77dff3dd07da66
Instruction Fuzzy Hash: FBD05EB5E0AA16A1FB046F31FC057A82270EB087C5F801837C40DA32A0CFBC929EE300

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qhos.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI42042\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI42042\_asyncio.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_cffi_backend.cp312-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_ctypes.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_decimal.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_multiprocessing.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_overlapped.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_queue.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_sqlite3.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_ssl.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_uuid.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\_wmi.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_http_parser.cp312-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_http_writer.cp312-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket\mask.cp312-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\aiohttp\_websocket\reader_c.cp312-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI42042\attrs-24.2.0.dist-info\INSTALLER

Windows Analysis Report
qhos.exe

Function 00007FF646AB8BD0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON