Edit tour

Windows Analysis Report
winws1.exe

Overview

General Information

Sample name:	winws1.exe
Analysis ID:	1576658
MD5:	37e06d6e36e5f993a465b266ade15ea2
SHA1:	e05d11786a37ec01145209156efc92e4ebf1ea38
SHA256:	74ee005a858f35d69b9f32921ccf1039babc70e3a70872b5fd38edeadc0069c4
Tags:	exeuser-sa6ta6ni6c
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected AntiVM5

AI detected suspicious sample

Contains functionality to infect the boot sector

Potentially malicious time measurement code found

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May check the online IP address of the machine

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

winws1.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\winws1.exe" MD5: 37E06D6E36E5F993A465B266ADE15EA2)

winws1.exe (PID: 5392 cmdline: "C:\Users\user\Desktop\winws1.exe" MD5: 37E06D6E36E5F993A465B266ADE15EA2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AntiVM_5	Yara detected AntiVM_5	Joe Security
Process Memory Space: winws1.exe PID: 5392	JoeSecurity_AntiVM_5	Yara detected AntiVM_5	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: winws1.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: winws1.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.6% probability

Source: C:\Users\user\Desktop\winws1.exe

Code function: 3_2_655E4530 PyCMethod_New,CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,clock,clock,clock,clock,CryptReleaseContext,

3_2_655E4530

Source: winws1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb source: winws1.exe, 00000003.00000002.2277598800.00007FFDA3453000.00000002.00000001.01000000.0000000E.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb** source: winws1.exe, 00000003.00000002.2274272378.00007FFD9DFD0000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdb source: mfc140u.dll.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\select.pdb source: winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2280744509.00007FFDA4DA3000.00000002.00000001.01000000.00000011.sdmp, select.pyd.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\_uuid.pdb source: winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2279229897.00007FFDA3BF2000.00000002.00000001.01000000.0000001B.sdmp, _uuid.pyd.0.dr
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: winws1.exe, 00000003.00000002.2272888024.00007FFD94116000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2279018485.00007FFDA3AED000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb source: winws1.exe, 00000003.00000002.2277927035.00007FFDA34CC000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: winws1.exe, 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2280410219.00007FFDA4633000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: winws1.exe, 00000000.00000003.2204338546.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2282140094.00007FFDAC141000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb!! source: winws1.exe, 00000003.00000002.2277598800.00007FFDA3453000.00000002.00000001.01000000.0000000E.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: winws1.exe, 00000003.00000002.2277230122.00007FFDA341D000.00000002.00000001.01000000.00000013.sdmp, _ssl.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: winws1.exe, 00000000.00000003.2204338546.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2282140094.00007FFDAC141000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2277031140.00007FFDA2E97000.00000002.00000001.01000000.00000016.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2275448309.00007FFD9F3DC000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: winws1.exe, 00000000.00000003.2205224817.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2281709657.00007FFDA5495000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdbGCTL source: mfc140u.dll.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbNN source: winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2275448309.00007FFD9F3DC000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: winws1.exe, 00000003.00000002.2281120901.00007FFDA5470000.00000002.00000001.01000000.00000007.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32ui.pdb source: win32ui.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\_win32sysloader.pdb source: winws1.exe, 00000000.00000003.2223739369.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32trace.pdb source: winws1.exe, 00000000.00000003.2224106785.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, win32trace.pyd.0.dr
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: winws1.exe, 00000003.00000002.2272888024.00007FFD94116000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32ui.pdbOO source: win32ui.pyd.0.dr
Source:	Binary string: .Pdb'L source: winws1.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2280102430.00007FFDA4168000.00000002.00000001.01000000.00000010.sdmp, _socket.pyd.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264576711.000001EE73AF0000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb source: winws1.exe, 00000003.00000002.2274272378.00007FFD9DFD0000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2270931396.00007FFD94090000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb}},GCTL source: winws1.exe, 00000003.00000002.2277927035.00007FFDA34CC000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\python311.pdb source: winws1.exe, 00000003.00000002.2268959946.00007FFD93783000.00000002.00000001.01000000.00000004.sdmp, python311.dll.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-1_1"not available source: winws1.exe, 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: winws1.exe, 00000000.00000003.2205224817.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2281709657.00007FFDA5495000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: winws1.exe, 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmp

Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF6113093B0 FindFirstFileExW,FindClose,	0_2_00007FF6113093B0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF611329618 FindFirstFileExW,	0_2_00007FF611329618
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF6113093B0 FindFirstFileExW,FindClose,	3_2_00007FF6113093B0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF611329618 FindFirstFileExW,	3_2_00007FF611329618

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\winws1.exe

Code function: 3_2_655D3480 strchr,WSAStartup,gethostbyname,socket,htons,ioctlsocket,ioctlsocket,connect,ioctlsocket,send,send,WSAGetLastError,closesocket,WSACleanup,SetLastError,recv,recv,closesocket,WSACleanup,strstr,toupper,strstr,toupper,toupper,toupper,toupper,strstr,memcmp,memcmp,_mktime64,gethostbyname,WSAGetLastError,WSAGetLastError,ioctlsocket,WSAGetLastError,WSAGetLastError,WSACleanup,SetLastError,WSAGetLastError,select,ioctlsocket,

3_2_655D3480

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244289625.000001EE75FD8000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266330558.000001EE76568000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244480093.000001EE75EC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://9x9o.com/ss122007.txt
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C9000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2208853652.000001F33E4C9000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedZ
Source: winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlv;u
Source: winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: winws1.exe, 00000003.00000002.2264865831.000001EE75700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: winws1.exe, 00000003.00000002.2264865831.000001EE75700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crld
Source: winws1.exe, 00000003.00000002.2264865831.000001EE75700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: winws1.exe, 00000003.00000002.2264865831.000001EE75700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crle
Source: winws1.exe, 00000003.00000002.2264865831.000001EE75700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C9000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _hashlib.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C9000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2241708243.000001EE75FAE000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244565857.000001EE75F9E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266330558.000001EE764C0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244602379.000001EE75FB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: winws1.exe, 00000003.00000003.2233299071.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265345694.000001EE75CC0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2234597826.000001EE75A44000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2234530611.000001EE75AD0000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2233299071.000001EE75A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: winws1.exe, 00000003.00000003.2240225562.000001EE75AC5000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242671953.000001EE75AB5000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244418170.000001EE75AC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: winws1.exe, 00000003.00000003.2240403329.000001EE75A70000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244523998.000001EE75E49000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240991420.000001EE75E43000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240686911.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: winws1.exe, 00000003.00000003.2234597826.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2233299071.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265345694.000001EE75CC0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2234597826.000001EE75A44000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2234530611.000001EE75AD0000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2233299071.000001EE75A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C9000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2208853652.000001F33E4C9000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75FB9000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: winws1.exe, 00000003.00000002.2266470651.000001EE76600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://timgolden.me.uk/python/wmi.html
Source: winws1.exe, 00000003.00000002.2266212495.000001EE763C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75FA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/1t#
Source: winws1.exe, 00000003.00000003.2231035265.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230561158.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230455090.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230561158.000001EE759CA000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230534520.000001EE759C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: winws1.exe, 00000000.00000003.2208853652.000001F33E4C9000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2213362525.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2209791088.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: winws1.exe, 00000003.00000003.2244629038.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75E25000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2239379563.000001EE75E84000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240991420.000001EE75E43000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240686911.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: winws1.exe, 00000003.00000003.2231035265.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230561158.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230455090.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2231133560.000001EE75925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: winws1.exe, 00000003.00000002.2266470651.000001EE76600000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE76151000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: winws1.exe, 00000003.00000002.2266470651.000001EE76600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.opensource.org/licenses/mit-license.phptrols
Source: winws1.exe, 00000003.00000003.2231035265.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230561158.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230455090.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230561158.000001EE759CA000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230534520.000001EE759C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cpsaV
Source: winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2241708243.000001EE75FAE000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244565857.000001EE75F9E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244602379.000001EE75FB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: winws1.exe, 00000003.00000002.2267484754.000001EE76F68000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: winws1.exe, 00000003.00000003.2238188206.000001EE75E66000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238736422.000001EE7597C000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue42195.
Source: winws1.exe, 00000003.00000003.2240403329.000001EE75A2F000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240301436.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: winws1.exe, 00000003.00000002.2266031231.000001EE761C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: winws1.exe, 00000003.00000003.2226170168.000001EE739E7000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264378119.000001EE738A1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2228474249.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2229614156.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2231508099.000001EE738C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: winws1.exe, 00000003.00000002.2265345694.000001EE75CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: winws1.exe, winws1.exe, 00000003.00000002.2277723700.00007FFDA3461000.00000002.00000001.01000000.0000000E.sdmp, winws1.exe, 00000003.00000002.2278571156.00007FFDA3514000.00000002.00000001.01000000.0000000D.sdmp, winws1.exe, 00000003.00000002.2274605182.00007FFD9DFE1000.00000002.00000001.01000000.0000000B.sdmp, win32api.pyd.0.dr, win32trace.pyd.0.dr, win32ui.pyd.0.dr	String found in binary or memory: https://github.com/mhammond/pywin32
Source: winws1.exe, 00000003.00000002.2266330558.000001EE76568000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: winws1.exe, 00000003.00000003.2226170168.000001EE739E7000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264660625.000001EE75348000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: winws1.exe, 00000003.00000003.2231508099.000001EE738C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: winws1.exe, 00000003.00000003.2226170168.000001EE739E7000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264378119.000001EE738A1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2228474249.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2229614156.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2231508099.000001EE738C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: winws1.exe, 00000003.00000003.2226170168.000001EE739E7000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264378119.000001EE738A1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2228474249.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2229614156.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2231508099.000001EE738C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: winws1.exe, 00000003.00000003.2236513135.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75AD0000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2237770651.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/216
Source: winws1.exe, 00000003.00000002.2266031231.000001EE761C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244629038.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266115396.000001EE762C0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: winws1.exe, 00000003.00000003.2236513135.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75AD0000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2237770651.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3020
Source: winws1.exe, 00000003.00000003.2240403329.000001EE75A2F000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266212495.000001EE763C0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240301436.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google.com/api/195988555454
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://google.com/api/195988555454cached__
Source: winws1.exe, 00000003.00000003.2244629038.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE75910000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: winws1.exe, 00000003.00000002.2266330558.000001EE764C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: winws1.exe, 00000003.00000003.2237770651.000001EE75A18000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2236513135.000001EE75A0D000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2237770651.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2239299568.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: winws1.exe, 00000003.00000002.2266212495.000001EE763C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: winws1.exe, 00000003.00000003.2240686911.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F26000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2243831229.000001EE75F26000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244565857.000001EE75F9E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75FA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: winws1.exe, 00000003.00000002.2266115396.000001EE762C0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266212495.000001EE763C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: winws1.exe, 00000003.00000002.2264660625.000001EE752C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: winws1.exe, 00000003.00000002.2268959946.00007FFD93783000.00000002.00000001.01000000.00000004.sdmp, python311.dll.0.dr	String found in binary or memory: https://peps.python.org/pep-0263/
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/BIOS_Serial_List.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/BaseBoard_Manufacturer_List.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/BaseBoard_Manufacturer_List.txtpyd0
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/BaseBoard_Serial_List.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/CPU_Serial_List.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/DiskDrive_Serial_List.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/HwProfileGuid_List.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/MachineGuid.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/gpu_list.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/hwid_list.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/hwid_list.txt0
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/ip_list.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/mac_list.txt
Source: winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/pc_platforms.txt
Source: winws1.exe, 00000003.00000003.2237770651.000001EE75A18000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2236513135.000001EE75A0D000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2237770651.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266470651.000001EE76600000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2239299568.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: winws1.exe, 00000003.00000002.2266470651.000001EE76600000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io0
Source: winws1.exe, 00000003.00000002.2265345694.000001EE75CC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244629038.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244565857.000001EE75F9E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75E25000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: winws1.exe, 00000003.00000002.2266115396.000001EE762C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: winws1.exe, 00000003.00000002.2266115396.000001EE762C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2272951519.00007FFD9414B000.00000002.00000001.01000000.00000015.sdmp, winws1.exe, 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: winws1.exe, 00000003.00000003.2237770651.000001EE75A18000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2236513135.000001EE75A0D000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2237770651.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2239299568.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F26000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2243831229.000001EE75F26000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244565857.000001EE75F9E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75FA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: winws1.exe, 00000003.00000003.2229717057.000001EE75749000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264660625.000001EE752C0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2228526070.000001EE75757000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: winws1.exe, 00000003.00000002.2269198177.00007FFD93818000.00000004.00000001.01000000.00000004.sdmp, python311.dll.0.dr	String found in binary or memory: https://www.python.org/psf/license/
Source: winws1.exe, 00000003.00000003.2242671953.000001EE75AB5000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: winws1.exe, 00000003.00000003.2244629038.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE75910000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: C:\Users\user\Desktop\winws1.exe

Code function: 3_2_655D31A0 WSAStartup,gethostbyname,socket,setsockopt,setsockopt,setsockopt,htons,sendto,sendto,recvfrom,recvfrom,ntohl,ntohl,ntohl,closesocket,WSACleanup,WSAGetLastError,closesocket,WSACleanup,SetLastError,WSAGetLastError,WSACleanup,SetLastError,

3_2_655D31A0

Source: C:\Users\user\Desktop\winws1.exe

Code function: 3_2_655D2390: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy,

3_2_655D2390

Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF61130AAA0	0_2_00007FF61130AAA0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF611307F60	0_2_00007FF611307F60
Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF61130B278	0_2_00007FF61130B278
Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF611309A60	0_2_00007FF611309A60
Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF611302710	0_2_00007FF611302710
Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF611315D5A	0_2_00007FF611315D5A
Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF61130B478	0_2_00007FF61130B478
Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF61130B458	0_2_00007FF61130B458
Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF61130D100	0_2_00007FF61130D100
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655C7590	3_2_655C7590
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655C6580	3_2_655C6580
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655D3CE0	3_2_655D3CE0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655D5540	3_2_655D5540
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655D7500	3_2_655D7500
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_656165E0	3_2_656165E0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655D4710	3_2_655D4710
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655E0730	3_2_655E0730
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_656277E0	3_2_656277E0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655E67D0	3_2_655E67D0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655EC7B0	3_2_655EC7B0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655E96F0	3_2_655E96F0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65617685	3_2_65617685
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655E46B0	3_2_655E46B0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655EE140	3_2_655EE140
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655EB170	3_2_655EB170
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_656180A0	3_2_656180A0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655D7360	3_2_655D7360
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655DB300	3_2_655DB300
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65627300	3_2_65627300
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655EE3C0	3_2_655EE3C0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655CF240	3_2_655CF240
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655E8270	3_2_655E8270
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655E92D0	3_2_655E92D0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655C7D50	3_2_655C7D50
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65601DE0	3_2_65601DE0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65616DA0	3_2_65616DA0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655E7D80	3_2_655E7D80
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655C9CD0	3_2_655C9CD0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65627F00	3_2_65627F00
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655DFE70	3_2_655DFE70
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655D3E60	3_2_655D3E60
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655C1E10	3_2_655C1E10
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_6563EE30	3_2_6563EE30
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655E7990	3_2_655E7990
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655D69A0	3_2_655D69A0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655CB840	3_2_655CB840
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65619830	3_2_65619830
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655C38D6	3_2_655C38D6
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655E3880	3_2_655E3880
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65640B60	3_2_65640B60
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65618BC0	3_2_65618BC0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65608BB0	3_2_65608BB0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65620B80	3_2_65620B80
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65601A52	3_2_65601A52
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655D7A20	3_2_655D7A20
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_655C3AC1	3_2_655C3AC1
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF61130B278	3_2_00007FF61130B278
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF61130AAA0	3_2_00007FF61130AAA0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF611309A60	3_2_00007FF611309A60
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF61130B478	3_2_00007FF61130B478
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF61130B458	3_2_00007FF61130B458
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF611302710	3_2_00007FF611302710
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF611315D5A	3_2_00007FF611315D5A
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF61130D100	3_2_00007FF61130D100
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF611307F60	3_2_00007FF611307F60
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B5F0B	3_2_00007FFD930B5F0B
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B5510	3_2_00007FFD930B5510
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B44C6	3_2_00007FFD930B44C6
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930CD260	3_2_00007FFD930CD260
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B53A8	3_2_00007FFD930B53A8
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B4287	3_2_00007FFD930B4287
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B5BF0	3_2_00007FFD930B5BF0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD93269210	3_2_00007FFD93269210
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930D5200	3_2_00007FFD930D5200
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B68C5	3_2_00007FFD930B68C5
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B7108	3_2_00007FFD930B7108
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B216C	3_2_00007FFD930B216C
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B4F3E	3_2_00007FFD930B4F3E
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B2135	3_2_00007FFD930B2135
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B53C1	3_2_00007FFD930B53C1
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B6389	3_2_00007FFD930B6389
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B15C8	3_2_00007FFD930B15C8
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B54CF	3_2_00007FFD930B54CF
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD931F15C0	3_2_00007FFD931F15C0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B54CA	3_2_00007FFD930B54CA
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B3A8F	3_2_00007FFD930B3A8F
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B542F	3_2_00007FFD930B542F
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B655F	3_2_00007FFD930B655F
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B1299	3_2_00007FFD930B1299
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B4AC5	3_2_00007FFD930B4AC5
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B5047	3_2_00007FFD930B5047
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B560F	3_2_00007FFD930B560F
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B7252	3_2_00007FFD930B7252
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B3832	3_2_00007FFD930B3832
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B35FD	3_2_00007FFD930B35FD
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B1CFD	3_2_00007FFD930B1CFD
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B59F7	3_2_00007FFD930B59F7
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B3A85	3_2_00007FFD930B3A85
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD932699E0	3_2_00007FFD932699E0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B50AB	3_2_00007FFD930B50AB
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD93251920	3_2_00007FFD93251920
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B4746	3_2_00007FFD930B4746
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B57D1	3_2_00007FFD930B57D1
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B4359	3_2_00007FFD930B4359
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B378D	3_2_00007FFD930B378D
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B7365	3_2_00007FFD930B7365
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B1D83	3_2_00007FFD930B1D83
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD931E5E30	3_2_00007FFD931E5E30
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B266C	3_2_00007FFD930B266C
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B72A7	3_2_00007FFD930B72A7
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B3BA2	3_2_00007FFD930B3BA2
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B2982	3_2_00007FFD930B2982
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B2D0B	3_2_00007FFD930B2D0B
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B1622	3_2_00007FFD930B1622
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD93160440	3_2_00007FFD93160440
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B2C75	3_2_00007FFD930B2C75
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD932682E0	3_2_00007FFD932682E0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B1424	3_2_00007FFD930B1424
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B2E8C	3_2_00007FFD930B2E8C

Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 65662CA8 appears 44 times
Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 00007FFD930B2A04 appears 91 times
Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 00007FFD930B1EF1 appears 462 times
Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 00007FF611302F40 appears 178 times
Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 65662C60 appears 59 times
Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 00007FF611302FE0 appears 32 times
Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 00007FFD930B4057 appears 251 times
Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 00007FFD930B483B appears 42 times
Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 00007FFD930B2734 appears 152 times
Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 00007FF611302E60 appears 98 times
Source: C:\Users\user\Desktop\winws1.exe	Code function: String function: 655DD200 appears 235 times

Source: unicodedata.pyd.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: pyarmor_runtime.pyd.0.dr	Static PE information: Number of sections : 11 > 10
Source: winws1.exe	Static PE information: Number of sections : 12 > 10

Source: python3.dll.0.dr

Static PE information: No import functions for PE file found

Source: winws1.exe, 00000000.00000003.2204338546.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs winws1.exe
Source: winws1.exe, 00000000.00000003.2224106785.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs winws1.exe
Source: winws1.exe, 00000000.00000003.2223785951.000001F33E4CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs winws1.exe
Source: winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2216061386.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom311.dll0 vs winws1.exe
Source: winws1.exe, 00000000.00000003.2205224817.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs winws1.exe
Source: winws1.exe, 00000000.00000003.2205752372.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2206766928.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2223739369.000001F33E4CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs winws1.exe
Source: winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2203404766.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs winws1.exe
Source: winws1.exe, 00000000.00000003.2223885708.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs winws1.exe
Source: winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2205538641.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2209988756.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs winws1.exe
Source: winws1.exe, 00000000.00000003.2223739369.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs winws1.exe
Source: winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs winws1.exe
Source: winws1.exe, 00000000.00000003.2219807134.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes311.dll0 vs winws1.exe
Source: winws1.exe	Binary or memory string: OriginalFilename vs winws1.exe
Source: winws1.exe, 00000003.00000002.2264576711.000001EE73AF0000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2277723700.00007FFDA3461000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs winws1.exe
Source: winws1.exe, 00000003.00000002.2272951519.00007FFD9414B000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilenamelibsslH vs winws1.exe
Source: winws1.exe, 00000003.00000002.2278571156.00007FFDA3514000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamepythoncom311.dll0 vs winws1.exe
Source: winws1.exe, 00000003.00000002.2276415063.00007FFD9F3E5000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2281856248.00007FFDA5499000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs winws1.exe
Source: winws1.exe, 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs winws1.exe
Source: winws1.exe, 00000003.00000002.2277399779.00007FFDA3435000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2280898704.00007FFDA4DA6000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2280527674.00007FFDA4636000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2279355980.00007FFDA3BF4000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2277120403.00007FFDA2E9E000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2274605182.00007FFD9DFE1000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilenamepywintypes311.dll0 vs winws1.exe
Source: winws1.exe, 00000003.00000002.2270761344.00007FFD939B7000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython311.dll. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2272668848.00007FFD94095000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2282178975.00007FFDAC147000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs winws1.exe
Source: winws1.exe, 00000003.00000002.2279094842.00007FFDA3AF2000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2281293693.00007FFDA547D000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs winws1.exe
Source: winws1.exe, 00000003.00000002.2280201912.00007FFDA4172000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs winws1.exe

Source: classification engine

Classification label: mal76.evad.winEXE@3/34@1/1

Source: C:\Users\user\Desktop\winws1.exe

Code function: 0_2_00007FF611308CD0 FormatMessageW,WideCharToMultiByte,GetLastError,

0_2_00007FF611308CD0

Source: C:\Users\user\Desktop\winws1.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI57762

Jump to behavior

Source: winws1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\winws1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: winws1.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\winws1.exe

File read: C:\Users\user\Desktop\winws1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\winws1.exe "C:\Users\user\Desktop\winws1.exe"
Source: C:\Users\user\Desktop\winws1.exe	Process created: C:\Users\user\Desktop\winws1.exe "C:\Users\user\Desktop\winws1.exe"
Source: C:\Users\user\Desktop\winws1.exe	Process created: C:\Users\user\Desktop\winws1.exe "C:\Users\user\Desktop\winws1.exe"	Jump to behavior

Source: C:\Users\user\Desktop\winws1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\winws1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: winws1.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: winws1.exe

Static file information: File size 11878277 > 1048576

Source: winws1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb source: winws1.exe, 00000003.00000002.2277598800.00007FFDA3453000.00000002.00000001.01000000.0000000E.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb** source: winws1.exe, 00000003.00000002.2274272378.00007FFD9DFD0000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdb source: mfc140u.dll.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\select.pdb source: winws1.exe, 00000000.00000003.2221428860.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2280744509.00007FFDA4DA3000.00000002.00000001.01000000.00000011.sdmp, select.pyd.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\_uuid.pdb source: winws1.exe, 00000000.00000003.2206923198.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2279229897.00007FFDA3BF2000.00000002.00000001.01000000.0000001B.sdmp, _uuid.pyd.0.dr
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb source: winws1.exe, 00000003.00000002.2272888024.00007FFD94116000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: winws1.exe, 00000000.00000003.2205389681.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2279018485.00007FFDA3AED000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb source: winws1.exe, 00000003.00000002.2277927035.00007FFDA34CC000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: winws1.exe, 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: winws1.exe, 00000000.00000003.2206364856.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2280410219.00007FFDA4633000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: winws1.exe, 00000000.00000003.2204338546.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2282140094.00007FFDAC141000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32api.pdb!! source: winws1.exe, 00000003.00000002.2277598800.00007FFDA3453000.00000002.00000001.01000000.0000000E.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: winws1.exe, 00000003.00000002.2277230122.00007FFDA341D000.00000002.00000001.01000000.00000013.sdmp, _ssl.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: winws1.exe, 00000000.00000003.2204338546.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2282140094.00007FFDAC141000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: winws1.exe, 00000000.00000003.2206011466.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2277031140.00007FFDA2E97000.00000002.00000001.01000000.00000016.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2275448309.00007FFD9F3DC000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: winws1.exe, 00000000.00000003.2205224817.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2281709657.00007FFDA5495000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_decimal.pdb$$ source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdbGCTL source: mfc140u.dll.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbNN source: winws1.exe, 00000000.00000003.2206185222.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2275448309.00007FFD9F3DC000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: winws1.exe, 00000003.00000002.2281120901.00007FFDA5470000.00000002.00000001.01000000.00000007.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32ui.pdb source: win32ui.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\_win32sysloader.pdb source: winws1.exe, 00000000.00000003.2223739369.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32trace.pdb source: winws1.exe, 00000000.00000003.2224106785.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, win32trace.pyd.0.dr
Source:	Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: winws1.exe, 00000003.00000002.2272888024.00007FFD94116000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\win32ui.pdbOO source: win32ui.pyd.0.dr
Source:	Binary string: .Pdb'L source: winws1.exe
Source:	Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: winws1.exe, 00000000.00000003.2206520208.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2280102430.00007FFDA4168000.00000002.00000001.01000000.00000010.sdmp, _socket.pyd.0.dr
Source:	Binary string: D:\_w\1\b\bin\amd64\python3.pdb source: winws1.exe, 00000000.00000003.2210888476.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264576711.000001EE73AF0000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\_decimal.pdb source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pywintypes.pdb source: winws1.exe, 00000003.00000002.2274272378.00007FFD9DFD0000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: winws1.exe, 00000000.00000003.2223260935.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2270931396.00007FFD94090000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-311\Release\pythoncom.pdb}},GCTL source: winws1.exe, 00000003.00000002.2277927035.00007FFDA34CC000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\_w\1\b\bin\amd64\python311.pdb source: winws1.exe, 00000003.00000002.2268959946.00007FFD93783000.00000002.00000001.01000000.00000004.sdmp, python311.dll.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"userSDIR: "C:\Program Files\OpenSSL\lib\users-1_1"not available source: winws1.exe, 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: winws1.exe, 00000000.00000003.2205224817.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2281709657.00007FFDA5495000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: winws1.exe, 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmp

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0x8E79CD85 [Sat Sep 30 01:19:01 2045 UTC]

Source: C:\Users\user\Desktop\winws1.exe

Code function: 0_2_00007FF6113015E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF6113015E0

Source: md__mypyc.cp311-win_amd64.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x2d0f2
Source: _win32sysloader.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x461e
Source: pyarmor_runtime.pyd.0.dr	Static PE information: real checksum: 0x9fa51 should be: 0xa7a13
Source: win32trace.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x78df
Source: pywintypes311.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x24bee
Source: win32api.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x27e47
Source: _psutil_windows.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1f645
Source: win32ui.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x11d72e
Source: md.cp311-win_amd64.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x8d57
Source: pythoncom311.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xa5763

Source: winws1.exe	Static PE information: section name: /4
Source: winws1.exe	Static PE information: section name: .xdata
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: python311.dll.0.dr	Static PE information: section name: PyRuntim
Source: pyarmor_runtime.pyd.0.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\winws1.exe

Code function: 3_2_65662C28 push rax; retf 9381h

3_2_65662C31

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\winws1.exe	Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d		3_2_655D2390
Source: C:\Users\user\Desktop\winws1.exe	Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d		3_2_655D1FE0

Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\pyarmor_runtime_000000\pyarmor_runtime.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\winws1.exe	Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d		3_2_655D2390
Source: C:\Users\user\Desktop\winws1.exe	Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d		3_2_655D1FE0

Source: C:\Users\user\Desktop\winws1.exe

Code function: 0_2_00007FF611307680 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF611307680

Source: C:\Users\user\Desktop\winws1.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM5

Source: Yara match	File source: 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: winws1.exe PID: 5392, type: MEMORYSTR

Source: C:\Users\user\Desktop\winws1.exe

Code function: 3_2_00007FFD930B572C rdtsc

3_2_00007FFD930B572C

Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\pyarmor_runtime_000000\pyarmor_runtime.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\winws1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI57762\_ctypes.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\winws1.exe

API coverage: 3.6 %

Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF6113093B0 FindFirstFileExW,FindClose,	0_2_00007FF6113093B0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF611329618 FindFirstFileExW,	0_2_00007FF611329618
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF6113093B0 FindFirstFileExW,FindClose,	3_2_00007FF6113093B0
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF611329618 FindFirstFileExW,	3_2_00007FF611329618

Source: winws1.exe, 00000000.00000003.2207638760.000001F33E4C1000.00000004.00000020.00020000.00000000.sdmp, cacert.pem.0.dr	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: winws1.exe, 00000003.00000003.2236513135.000001EE75A0D000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE759B2000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE75910000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75A0D000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2236513135.000001EE759B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cacert.pem.0.dr	Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B572C		3_2_00007FFD930B572C
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B4241		3_2_00007FFD930B4241

Source: C:\Users\user\Desktop\winws1.exe

Code function: 3_2_00007FFD930B572C rdtsc

3_2_00007FFD930B572C

Source: C:\Users\user\Desktop\winws1.exe

Code function: 3_2_655C2C80 PyEval_GetGlobals,PyFunction_NewWithQualName,_PyObject_CallFunction_SizeT,_Py_Dealloc,PyExc_RuntimeError,PyErr_Format,GetProcAddress,strlen,IsDebuggerPresent,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,PyExc_RuntimeError,PyErr_Format,PyExc_RuntimeError,PyErr_Format,PyExc_RuntimeError,PyErr_Format,PyExc_SystemExit,PyExc_SystemExit,PyExc_SystemExit,_errno,_errno,_errno,PyExc_SystemExit,_errno,_errno,_Py_Dealloc,_Py_Dealloc,

3_2_655C2C80

Source: C:\Users\user\Desktop\winws1.exe

Code function: 0_2_00007FF6113015E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF6113015E0

Source: C:\Users\user\Desktop\winws1.exe

Code function: 3_2_655D4710 GetComputerNameA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersAddresses,HeapFree,strlen,GetProcessHeap,HeapFree,malloc,GetAdaptersAddresses,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersAddresses,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersAddresses,RegOpenKeyExA,RegEnumKeyExA,RegEnumKeyExA,RegGetValueA,strlen,memcmp,RegGetValueA,RegCloseKey,

3_2_655D4710

Source: C:\Users\user\Desktop\winws1.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\winws1.exe	Code function: 0_2_00007FF611301154 Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,	0_2_00007FF611301154
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_656633B8 SetUnhandledExceptionFilter,	3_2_656633B8
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_65641291 SetUnhandledExceptionFilter,	3_2_65641291
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_6563F900 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	3_2_6563F900
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FF611301154 Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,	3_2_00007FF611301154
Source: C:\Users\user\Desktop\winws1.exe	Code function: 3_2_00007FFD930B5A1F IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFD930B5A1F

Source: C:\Users\user\Desktop\winws1.exe

Process created: C:\Users\user\Desktop\winws1.exe "C:\Users\user\Desktop\winws1.exe"

Jump to behavior

Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\libffi-8.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\libssl-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\python3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\VCRUNTIME140_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32\pythoncom311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpqxtmfx2p VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pyarmor_runtime_000000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pyarmor_runtime_000000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pyarmor_runtime_000000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pyarmor_runtime_000000\pyarmor_runtime.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md__mypyc.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\certifi\cacert.pem VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\_uuid.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpqxtmfx2p VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpqxtmfx2p\gen_py\__init__.py VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpqxtmfx2p\gen_py\dicts.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\winws1.exe	Queries volume information: C:\Users\user\Desktop\winws1.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\winws1.exe

Code function: 3_2_6563F820 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_6563F820

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Bootkit	11 Process Injection	11 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Bootkit	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
winws1.exe	50%	ReversingLabs	Win64.Adware.RedCap
winws1.exe	100%	Avira	HEUR/AGEN.1354936

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\mfc140u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\win32ui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md.cp311-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\pyarmor_runtime_000000\pyarmor_runtime.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\python311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32\pythoncom311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32\pywintypes311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\win32\_win32sysloader.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\win32\win32api.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI57762\win32\win32trace.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.opensource.org/licenses/mit-license.phptrols	0%	Avira URL Cloud	safe
http://9x9o.com/ss122007.txt	0%	Avira URL Cloud	safe
https://requests.readthedocs.io0	0%	Avira URL Cloud	safe
https://bugs.python.org/issue42195.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/giampaolo/psutil/issues/875.	winws1.exe, 00000003.00000002.2265345694.000001EE75CC0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://requests.readthedocs.io0	winws1.exe, 00000003.00000002.2266470651.000001EE76600000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/216	winws1.exe, 00000003.00000003.2236513135.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75AD0000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2237770651.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://9x9o.com/ss122007.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mhammond/pywin32	winws1.exe, winws1.exe, 00000003.00000002.2277723700.00007FFDA3461000.00000002.00000001.01000000.0000000E.sdmp, winws1.exe, 00000003.00000002.2278571156.00007FFDA3514000.00000002.00000001.01000000.0000000D.sdmp, winws1.exe, 00000003.00000002.2274605182.00007FFD9DFE1000.00000002.00000001.01000000.0000000B.sdmp, win32api.pyd.0.dr, win32trace.pyd.0.dr, win32ui.pyd.0.dr	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	winws1.exe, 00000003.00000003.2226170168.000001EE739E7000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264378119.000001EE738A1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2228474249.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2229614156.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2231508099.000001EE738C9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.opensource.org/licenses/mit-license.phptrols	winws1.exe, 00000003.00000002.2266470651.000001EE76600000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://goo.gl/zeJZl.	winws1.exe, 00000003.00000003.2233299071.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265345694.000001EE75CC0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2234597826.000001EE75A44000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2234530611.000001EE75AD0000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2233299071.000001EE75A33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cpsaV	winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	winws1.exe, 00000003.00000003.2240403329.000001EE75A2F000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240301436.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.opensource.org/licenses/mit-license.php	winws1.exe, 00000003.00000002.2266470651.000001EE76600000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE76151000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	winws1.exe, 00000003.00000002.2266031231.000001EE761C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	winws1.exe, 00000003.00000002.2264660625.000001EE752C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2241708243.000001EE75FAE000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244565857.000001EE75F9E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266330558.000001EE764C0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244602379.000001EE75FB3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/3020	winws1.exe, 00000003.00000003.2236513135.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75AD0000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2237770651.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/pc_platforms.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://google.com/api/195988555454cached__	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	winws1.exe, 00000003.00000002.2266115396.000001EE762C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	winws1.exe, 00000003.00000003.2226170168.000001EE739E7000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264660625.000001EE75348000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/get	winws1.exe, 00000003.00000002.2266330558.000001EE764C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/mac_list.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	winws1.exe, 00000003.00000003.2226170168.000001EE739E7000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264378119.000001EE738A1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2228474249.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2229614156.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2231508099.000001EE738C9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/1t#	winws1.exe, 00000003.00000002.2265424392.000001EE75FA5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	winws1.exe, 00000003.00000003.2234597826.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2233299071.000001EE75ACF000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265345694.000001EE75CC0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2234597826.000001EE75A44000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2234530611.000001EE75AD0000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2233299071.000001EE75A33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/hwid_list.txt0	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	winws1.exe, 00000003.00000003.2231035265.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230561158.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230455090.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230561158.000001EE759CA000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230534520.000001EE759C6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/BaseBoard_Manufacturer_List.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244523998.000001EE75E49000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240991420.000001EE75E43000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240686911.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	winws1.exe, 00000003.00000003.2226170168.000001EE739E7000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264378119.000001EE738A1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2228474249.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2229614156.000001EE738D1000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2231508099.000001EE738C9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/DiskDrive_Serial_List.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/	winws1.exe, 00000003.00000002.2269198177.00007FFD93818000.00000004.00000001.01000000.00000004.sdmp, python311.dll.0.dr	false		high
http://crl.securetrust.com/STCA.crle	winws1.exe, 00000003.00000002.2264865831.000001EE75700000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	winws1.exe, 00000003.00000002.2264865831.000001EE75700000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2241708243.000001EE75FAE000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244565857.000001EE75F9E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244602379.000001EE75FB3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	winws1.exe, 00000003.00000002.2266212495.000001EE763C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	winws1.exe, 00000003.00000003.2244629038.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE75910000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	winws1.exe, 00000003.00000002.2266115396.000001EE762C0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266212495.000001EE763C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	winws1.exe, 00000003.00000003.2231508099.000001EE738C9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	winws1.exe, 00000003.00000003.2231035265.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230561158.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230455090.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230561158.000001EE759CA000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230534520.000001EE759C6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	winws1.exe, 00000003.00000002.2266031231.000001EE761C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/	winws1.exe, 00000003.00000003.2240225562.000001EE75AC5000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242671953.000001EE75AB5000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244418170.000001EE75AC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F26000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2243831229.000001EE75F26000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244565857.000001EE75F9E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75FA5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	winws1.exe, 00000003.00000002.2264865831.000001EE75700000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.../back.jpeg	winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244289625.000001EE75FD8000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266330558.000001EE76568000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244480093.000001EE75EC2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/download/releases/2.3/mro/.	winws1.exe, 00000003.00000003.2229717057.000001EE75749000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264660625.000001EE752C0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2228526070.000001EE75757000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	false		high
https://httpbin.org/post	winws1.exe, 00000003.00000003.2237770651.000001EE75A18000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2236513135.000001EE75A0D000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2237770651.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2239299568.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/ip_list.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Ousret/charset_normalizer	winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244629038.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266115396.000001EE762C0000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/BaseBoard_Manufacturer_List.txtpyd0	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://yahoo.com/	winws1.exe, 00000003.00000003.2244629038.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE75910000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/hwid_list.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/BIOS_Serial_List.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://api.ipify.org	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	winws1.exe, 00000003.00000003.2244629038.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75E25000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2239379563.000001EE75E84000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240991420.000001EE75E43000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240686911.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	winws1.exe, 00000003.00000002.2265424392.000001EE75EE2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	winws1.exe, 00000003.00000002.2266115396.000001EE762C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/MachineGuid.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	winws1.exe, 00000003.00000003.2242671953.000001EE75AB5000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/time-zones/repository/tz-link.html	winws1.exe, 00000003.00000003.2231035265.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230561158.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2230455090.000001EE75A23000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2231133560.000001EE75925000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/HwProfileGuid_List.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://requests.readthedocs.io	winws1.exe, 00000003.00000003.2237770651.000001EE75A18000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2236513135.000001EE75A0D000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2237770651.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2266470651.000001EE76600000.00000004.00001000.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2239299568.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	winws1.exe, 00000003.00000002.2265424392.000001EE75FB9000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE76070000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org/	winws1.exe, 00000003.00000002.2267484754.000001EE76F68000.00000004.00001000.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/CPU_Serial_List.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl	winws1.exe, 00000003.00000002.2264865831.000001EE75700000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org	winws1.exe, 00000003.00000003.2237770651.000001EE75A18000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2236513135.000001EE75A0D000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2237770651.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2240154677.000001EE75AA3000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238285987.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2239299568.000001EE75A90000.00000004.00000020.00020000.00000000.sdmp	false		high
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm0U	winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crld	winws1.exe, 00000003.00000002.2264865831.000001EE75700000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es0	winws1.exe, 00000003.00000002.2265424392.000001EE75F16000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/	winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F26000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2243831229.000001EE75F26000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244565857.000001EE75F9E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75FA5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://json.org	winws1.exe, 00000003.00000003.2240686911.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com/	winws1.exe, 00000003.00000003.2243831229.000001EE75F8E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244629038.000001EE75E33000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2242071793.000001EE75F94000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2244565857.000001EE75F9E000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265424392.000001EE75E25000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/questions/4457745#4457745.	winws1.exe, 00000003.00000002.2265345694.000001EE75CC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	winws1.exe, 00000003.00000002.2265424392.000001EE75E50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/	winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail/	winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/BaseBoard_Serial_List.txt	winws1.exe, 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp	false		high
https://bugs.python.org/issue42195.	winws1.exe, 00000003.00000003.2238188206.000001EE75E66000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000003.2238736422.000001EE7597C000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2264865831.000001EE7570C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://google.com/mail/	winws1.exe, 00000003.00000003.2240403329.000001EE75A70000.00000004.00000020.00020000.00000000.sdmp, winws1.exe, 00000003.00000002.2265054149.000001EE759EC000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576658
Start date and time:	2024-12-17 11:28:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	winws1.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@3/34@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 82% Number of executed functions: 58 Number of non-executed functions: 206
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 40.126.53.8, 20.223.35.26, 13.107.246.63, 20.199.58.43, 2.16.158.169, 172.202.163.200, 150.171.27.10, 20.103.156.88
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
VT rate limit hit for: winws1.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	jgbC220X2U.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/?format=text
	xKvkNk9SXR.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	GD8c7ARn8q.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	8AbMCL2dxM.exe	Get hash	malicious	RCRU64, TrojanRansom	Browse	api.ipify.org/
	Simple2.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	KASHI SHIP PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	PO.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	rDOC24INV0616.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://cavotec-au.sharefile.com/public/share/web-1271a93971714a91	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	PqCznDthHP.exe	Get hash	malicious	Edge Stealer	Browse	104.26.13.205
	https://www.canva.com/design/DAGZLdpMEGI/O58JBUDFuRvFcdZ0tgIwgA/edit?utm_content=DAGZLdpMEGI&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20=	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	duschno.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	chos.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	http://ap2vxmyqxf.ballyentoe.shop	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://aweitapp.com/zeng/advance/auth	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://eol-group.jimdosite.com/?utm_source=newsletter&utm_medium=email&utm_campaign=ce	Get hash	malicious	HTMLPhisher	Browse	162.159.128.70
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Xmrig	Browse	172.67.129.27
	jYd7FUgGZc.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.96.6
	sfWmEoGJQR.exe	Get hash	malicious	LummaC	Browse	172.67.129.27
	V65xPrgEHH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.2.110
	pN6iTXbhhc.exe	Get hash	malicious	LummaC	Browse	172.67.129.27
	81eivTbdp6.exe	Get hash	malicious	LummaC	Browse	104.21.2.110
	greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	104.21.56.70

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\mfc140u.dll	zapret.exe	Get hash	malicious	Unknown	Browse
	zapret.exe	Get hash	malicious	Unknown	Browse
	discord.exe	Get hash	malicious	Unknown	Browse
	main.exe	Get hash	malicious	Unknown	Browse
	zapret.exe	Get hash	malicious	Unknown	Browse
	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	Payload.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe	Get hash	malicious	Python Stealer, BLX Stealer, XLABB Grabber	Browse
	SecuriteInfo.com.FileRepMalware.25861.18393.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\mfc140u.dll

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5653536
Entropy (8bit):	6.729079283804055
Encrypted:	false
SSDEEP:	49152:ULnsrdZXUTQyJa9qgUUjlQNXkW8GCBTDgHsYogTYn3s3pQMqSj+vTCfEs7ATWYls:UoJUEUYS3zUQFLOAkGkzdnEVomFHKnP+
MD5:	CD1D99DF975EE5395174DF834E82B256
SHA1:	F395ADA2EFC6433B34D5FBC5948CB47C7073FA43
SHA-256:	D8CA1DEA862085F0204680230D29BFF4D168FFF675AB4700EEAF63704D995CB3
SHA-512:	397F725E79CA2C68799CF68DFB111A1570427F3D2175D740758C387BDAA508BC9014613E997B92FC96E884F66BB17F453F8AA035731AFD022D9A4E7095616F87
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: zapret.exe, Detection: malicious, Browse Filename: zapret.exe, Detection: malicious, Browse Filename: discord.exe, Detection: malicious, Browse Filename: main.exe, Detection: malicious, Browse Filename: zapret.exe, Detection: malicious, Browse Filename: Payload.exe, Detection: malicious, Browse Filename: Payload.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Python.Stealer.1251.9496.6786.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.25861.18393.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.cu...&...&...&...'...&...'...&...'...&..&...&G..'...&G..'...&...'...&...&..&G..'...&G..'...&G..'...&G..'...&G..&...&G..'...&Rich...&................PE..d...9.:e.........." .....(-..X)......X,.......................................V.....&~V...`A..........................................:.....h.;.......?......`=..8....V. (...PU.0p..P.5.T...........................`...8............@-.P...(.:......................text....&-......(-................. ..`.rdata.......@-......,-.............@..@.data....6... <.......<.............@....pdata...8...`=..:....<.............@..@.didat..H.....?.......?.............@....rsrc.........?.......?.............@..@.reloc..0p...PU..r....T.............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\win32ui.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1143296
Entropy (8bit):	6.0410832425584795
Encrypted:	false
SSDEEP:	12288:dk6co2gGIs7ZetrV6LMEsKK+Onc8fUqzFVVppS6yZAXz:dkG2QQetrgsK79qzFHL
MD5:	F0116137D0674482247D056642DC06BF
SHA1:	5BB63FCF5E569D94B61383D1921F758BCC48EF81
SHA-256:	8ECA3ED313003D3F3DEE1B7A5CE90B50E8477EC6E986E590E5ED91C919FC7564
SHA-512:	A8D6420C491766302C615E38DAF5D9B1698E5765125FD256530508E5C0A5675A7BF2F338A22368E0B4DDFA507D8D377507376C477CF9B829E28F3C399203CDE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.K.K...K...K...3]..K..Y>...K.......K...3...K...>...K...>...K...>...K...K...M...>...K..Y>...K..Y>...K..Y>1..K..Y>...K..Rich.K..........................PE..d......g.........." .........r......4.....................................................`.........................................`....T..hr..h...............................l\......T.......................(.......8................0...........................text............................... ..`.rdata..\|...........................@..@.data...............................@....pdata...............d..............@..@.rsrc...............................@..@.reloc..l\.......^..................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.643764685776923
Encrypted:	false
SSDEEP:	1536:DcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/Auecbq8qZU34zW/K0zD:DV3iC0h9q4v6XjKAuecbq8qGISb/
MD5:	870FEA4E961E2FBD00110D3783E529BE
SHA1:	A948E65C6F73D7DA4FFDE4E8533C098A00CC7311
SHA-256:	76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
SHA-512:	0B636A3CDEFA343EB4CB228B391BB657B5B4C20DF62889CD1BE44C7BEE94FFAD6EC82DC4DB79949EDEF576BFF57867E0D084E0A597BF7BF5C8E4ED1268477E88
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d.....y..........." ...".....`.......................................................5....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49488
Entropy (8bit):	6.652691609629867
Encrypted:	false
SSDEEP:	768:8EgYXUcHJcUJSDW/tfxL1qBS3hO6nb/TEHEXi9zufUKQXi9zug:8vGS8fZ1eUpreA+zuTc+zug
MD5:	BBA9680BC310D8D25E97B12463196C92
SHA1:	9A480C0CF9D377A4CAEDD4EA60E90FA79001F03A
SHA-256:	E0B66601CC28ECB171C3D4B7AC690C667F47DA6B6183BFF80604C84C00D265AB
SHA-512:	1575C786AC3324B17057255488DA5F0BC13AD943AC9383656BAF98DB64D4EC6E453230DE4CD26B535CE7E8B7D41A9F2D3F569A0EFF5A84AEB1C2F9D6E3429739
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............L...L...L...M...L...M...L.FL...L...L...L...M...L...M...L...M...L...M...L..*L...L...M...LRich...L........................PE..d...%CU..........." ...".<...8.......A...............................................@....`A........................................0m.......m..x....................r..PO......D....c..p...........................pb..@............P..h............................text...0:.......<.................. ..`.rdata..."...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83320
Entropy (8bit):	6.534357225224291
Encrypted:	false
SSDEEP:	1536:KouLz7p5TcaWlZkKWVa5cP6T8MsAUxZIgtVt7SyKrPxji2:JuLz9tVaDQMslxZIgtVtozxj/
MD5:	10D42EFAC304861AD19821B4594FA959
SHA1:	1A65F60BBA991BC7E9322AF1E19F193DAE76D77A
SHA-256:	8EECDCC250637652E6BABC306EA6B8820E9E835DDD2434816D0E0FD0CA67FD14
SHA-512:	3F16DBA627A133586E9D1C16D383B9461424D31892278AB984F7E6932A1CDC51445E1BEC017A665BD66C0F2A9BA417387FECC5FDEDE36D67F8343B82A2CEB9AE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................a.........................................t.........................................Rich....................PE..d...j..c.........." ...".....^......,........................................P............`.........................................p...H............0....... .. .......x)...@..........T...........................p...@............................................text...O........................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123256
Entropy (8bit):	5.999431491646041
Encrypted:	false
SSDEEP:	3072:aBxSn2prY3+52vWqw9RQfLIgRr5kNIgQPUZxhT:acuY3+uWHQfLIIkFT
MD5:	DF6BE515E183A0E4DBE9CDDA17836664
SHA1:	A5E8796189631C1AACA6B1C40BC5A23EB20B85DB
SHA-256:	AF598AE52DDC6869F24D36A483B77988385A5BBBF4618B2E2630D89D10A107EE
SHA-512:	B3F23530DE7386CC4DCF6AD39141240E56D36322E3D4041E40D69D80DD529D1F8EF5F65B55CDCA9641E378603B5252ACFE5D50F39F0C6032FD4C307F73EF9253
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................................................u.................D........?...u.....u.....u.x....u.....Rich...........................PE..d...p..c.........." ...".............\..............................................Z"....`..........................................P.......Q..........................x)..............T...........................`...@............................................text............................... ..`.rdata...l.......n..................@..@.data...$=...p...8...`..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	251768
Entropy (8bit):	6.5390336301750915
Encrypted:	false
SSDEEP:	6144:3Zu25e1itIj95vlqyhw+H8DOdKd2vk6LhKwwI9qWM53pLW1AxzwhtTYW3iQ:Jhe1oIj7vlpN8D0KA3swwJ/wzTYWf
MD5:	A1FFC2A156E9266932C351A88E5E7FAB
SHA1:	EBFC901C28035264FBB5B0F30E68AB3B45410D13
SHA-256:	B8409829DC4FDE70F38754DE55D3090A1CD52C78FFECE2A08572A58DE3AF294D
SHA-512:	74FECAAC362DEFF5139EA8553142BA7E8A7740B757A06EDF16CF4A9320A20E7A1567380BFE2F40A3B7E8508F9715EFEDF27C6C23D2B2FB3ED7664CB81F6D58D9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|RTy..Ty..Ty..]...Zy......Vy......Yy......\y......Py......Wy......Vy..Ty...y......Uy......[y......Uy......Uy......Uy..RichTy..........PE..d...]..c.........." ...".v...<......................................................".....`..........................................S..P...@T...................&......x)......P.......T...........................@...@............................................text....u.......v.................. ..`.rdata...............z..............@..@.data....*...p...$...R..............@....pdata...&.......(...v..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	63864
Entropy (8bit):	6.167124957336244
Encrypted:	false
SSDEEP:	1536:aS8njpHxGkYjEbEJkn8cw6TxIg5Iyv7SyKPxk:InjpHxYJ8w6TxIg5IyvMxk
MD5:	F419AC6E11B4138EEA1FE8C86689076A
SHA1:	886CDA33FA3A4C232CAA0FA048A08380971E8939
SHA-256:	441D32922122E59F75A728CC818F8E50613866A6C3DEC627098E6CC6C53624E2
SHA-512:	6B5AA5F5FBC00FB48F49B441801EE3F3214BD07382444569F089EFB02A93CE907F6F4E0DF281BDA81C80F2D6A247B0ADC7C2384A2E484BC7EF43B43C84756D2B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.A.>...>...>...F2..>...B...>...B...>...B...>...B...>..iB...>...L...>...D...>...>..Q>..iB...>..iB...>..iB^..>..iB...>..Rich.>..........................PE..d...y..c.........." ...".T...~......@?..............................................T.....`.............................................P.......................,.......x)......\...0}..T............................{..@............p..(............................text...YR.......T.................. ..`.rdata...N...p...P...X..............@..@.data...8...........................@....pdata..,...........................@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157560
Entropy (8bit):	6.834915161510991
Encrypted:	false
SSDEEP:	3072:jlirS97HrdVmEkGCm5heznf49mNo2OOvJ72ZIge1z7axC:jlirG0EkT7AYO2OQSE
MD5:	3230404A7191C6228A8772D3610E49E5
SHA1:	4E8E36C89B4FF440DDFF9A5B084B262C9B2394EC
SHA-256:	33AE42F744D2688BB7D5519F32FF7B7489B96F4EEA47F66D2009DBA6A0023903
SHA-512:	6ECCE0C8E8B3D42275D486E8FF495E81E36ADAAACAAA3DB37844E204FCDAA6D89CB3D81C43D9E16D938CD8B6671B8800FE74A1E723A9187B0566A8F3C39D5D5B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b.[&.D.&.D.&.D./...".D.i.E.$.D.i.A..D.i.@...D.i.G.%.D...E.%.D...E.$.D.&.E.@.D...I...D...D.'.D....'.D...F.'.D.Rich&.D.................PE..d...\|..c.........." ...".b...........5...............................................0....`..........................................%..L...\%..x....p.......P.......>..x)......8.......T...........................p...@............................................text....a.......b.................. ..`.rdata..............f..............@..@.data........@......................@....pdata.......P......................@..@.rsrc........p.......2..............@..@.reloc..8............<..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31096
Entropy (8bit):	6.359436989118125
Encrypted:	false
SSDEEP:	768:o+yFs6rXkmk5sNIg7UOYiSyvqdPxWEpnl:o+wNXkP5sNIg7UO7SySdPx7l
MD5:	045EF55136B1E580582199B3399267A2
SHA1:	DE54519C67A996D0A8B4164417058F4610A57376
SHA-256:	39BD456267FE228A505EF4E9C8D28F948DD65123CB4D48B77DA51910013FA582
SHA-512:	7B764FDC92BF10EB05BDD4116A549DE67F0FA92F807D8B0ECA9D718361C546DBEC16EA68EF8DDEC1C417530C6EB234C657E45F8C522852AB1BD7CB21976DAD1C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._XF.1.F.1.F.1.O..D.1...0.D.1...4.J.1...5.N.1...2.E.1...0.E.1...0.D.1.F.0...1...<.G.1...1.G.1.....G.1...3.G.1.RichF.1.................PE..d...^..c.........." ...".....8.......................................................?....`..........................................C..L....C..d....p.......`.......P..x)..........p4..T...........................03..@............0..0............................text............................... ..`.rdata..R....0......................@..@.data...x....P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	78208
Entropy (8bit):	6.237216760115608
Encrypted:	false
SSDEEP:	1536:/2JlcAdpEVuji9/s+S+pmGQRivVia3iNIgQw97Sy2Pxe:/27ce+uji9/sT+pmGdvVp3iNIgQw9cxe
MD5:	0FC65EC300553D8070E6B44B9B23B8C0
SHA1:	F8DB6AF578CF417CFCDDB2ED798C571C1ABD878F
SHA-256:	360744663FCE8DEC252ABBDA1168F470244FDB6DA5740BB7AB3171E19106E63C
SHA-512:	CBA375A815DB973B4E8BABDA951D1A4CA90A976E9806E9A62520A0729937D25DE8E600E79A7A638D77DF7F47001D8F884E88EE4497BD1E05C1DAE6FA67FB3DD8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z..\|4..\|4..\|4......\|4...5..\|4...1..\|4...0..\|4...7..\|4...5..\|4..\|5..\|4.y.5..\|4...9..\|4...4..\|4......\|4...6..\|4.Rich.\|4.........................PE..d...\|..c.........." ...".l...........%.......................................P......3:....`.........................................@...P............0....... ..x........)...@..........T...............................@............................................text....k.......l.................. ..`.rdata..Dt.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159616
Entropy (8bit):	5.995615055409981
Encrypted:	false
SSDEEP:	3072:EFrIQQey4VWR98w/PQQcXobuO0rGxn+SQOXLkd1ItS+Q8YuAfxZIgt7YZx:0EeRV29//4QcCuO7nyvx
MD5:	93905020F4158C5119D16EE6792F8057
SHA1:	EB613C31F26ED6D80681815193FFAFDF30314A07
SHA-256:	D9CC4358D9351FED11EEC03753A8FA8ED981A6C2246BBD7CB0B0A3472C09FDC4
SHA-512:	0DE43B4FAFDD39EAAFF6CAB613708D56B697C0C17505E4132D652FB3F878C2114F5E682745A41219193C75E783AEDE524685B77BD31620F8AFE9C7B250F92609
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,z..h.g,h.g,h.g,ac.,n.g,'gf-j.g,'gb-e.g,'gc-`.g,'gd-k.g,.gf-j.g,.af-l.g,h.f,..g,.if-o.g,.gj-j.g,.gg-i.g,.g.,i.g,.ge-i.g,Richh.g,........PE..d......c.........." ..."............l+..............................................l.....`.............................................d............`.......P.......F...)...p..4... ...T...............................@...............x............................text............................... ..`.rdata..............................@..@.data....j.......f..................@....pdata.......P......."..............@..@.rsrc........`......................@..@.reloc..4....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23936
Entropy (8bit):	6.534526451093787
Encrypted:	false
SSDEEP:	384:ofwFpEWx6TfQZIgewfAIYiSy1pCQwpxPxh8E9VF0Ny82e:oqpEHjQZIgewxYiSyvIPxWEuV
MD5:	13CC10D148B921F68E218DD912CC6EE4
SHA1:	930CEF88B581FB4D1B88FBDBAF64D34EFA582F90
SHA-256:	D17E20063243A71B4331C7A8902451C6911FD87475EC918633C6388D6155CE52
SHA-512:	8AF81D78A778875E63F99D7434724D772147DA7EC07B88FB7094C9DCD02B86D08CE2BB3D3EE94D8C62156D2BF8331562B8C91B5E36A1278B64D0B6FD7EFF45E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;$p^ZJ#^ZJ#^ZJ#W".#\ZJ#.&K"\ZJ#.&O"RZJ#.&N"VZJ#.&I"]ZJ#.&K"\ZJ#.(K"[ZJ#^ZK#tZJ#.&B"_ZJ#.&J"_ZJ#.&.#_ZJ#.&H"_ZJ#Rich^ZJ#................PE..d...f..c.........." ...".....&...... ........................................p............`.........................................`)..L....)..x....P.......@.......4...)...`..@...`#..T........................... "..@............ ..8............................text...h........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..@....`.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1437281
Entropy (8bit):	5.590853297284865
Encrypted:	false
SSDEEP:	24576:mQR5pATt7xm4lUKdcubgAnyfbTD0iwhBdYf9P3sGHH0:mQR5pQxmfjW
MD5:	9DC12EA9F7821873DA74C772ABB280F0
SHA1:	3F271C9F54BC7740B95EAA20DEBBD156EBD50760
SHA-256:	C5EC59385BFAC2A0AC38ABF1377360CD1FDDD05C31F8A8B4E44252E0E63ACB10
SHA-512:	A3175C170BBB28C199AB74AD3116E71F03F124D448BF0E9DD4AFCACDC08A7A52284CF858CFD7E72D35BD1E68C6BA0C2A1A0025199AEB671777977EA53E1F2535
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI57762\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.8208567868970675
Encrypted:	false
SSDEEP:	96:Y0fK74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFuCQAAZWQcX6g8H4a81:gFCk2z1/t12iwU5usJFKCyHcqgg
MD5:	CBF62E25E6E036D3AB1946DBAFF114C1
SHA1:	B35F91EAF4627311B56707EF12E05D6D435A4248
SHA-256:	06032E64E1561251EA3035112785F43945B1E959A9BF586C35C9EA1C59585C37
SHA-512:	04B694D0AE99D5786FA19F03C5B4DD8124C4F9144CFE7CA250B48A3C0DE0883E06A6319351AE93EA95B55BBBFA69525A91E9407478E40AD62951F1D63D45FF18
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................X......o..............o.......o.......o......j..............n......n......n4.....n......Rich....................PE..d....#.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	121344
Entropy (8bit):	5.899699901799497
Encrypted:	false
SSDEEP:	3072:3Ives1m094QtwqlaZTwuQMS/Pf+vGTVmEU:3PsQIJmE
MD5:	BAC273806F46CFFB94A84D7B4CED6027
SHA1:	773FBC0435196C8123EE89B0A2FC4D44241FF063
SHA-256:	1D9ABA3FF1156EA1FBE10B8AA201D4565AE6022DAF2117390D1D8197B80BB70B
SHA-512:	EAEC1F072C2C0BC439AC7B4E3AEA6E75C07BD4CD2D653BE8500BBFFE371FBFE045227DAEAD653C162D972CCAADFF18AC7DA4D366D1200618B0291D76E18B125C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........yB............................................................................................Rich...........................PE..d....#.g.........." ...).2..........@4.......................................0............`.............................................d...d...................p............ ......@...................................@............P...............................text...x0.......2.................. ..`.rdata...Y...P...Z...6..............@..@.data....=.......0..................@....pdata..p...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3441504
Entropy (8bit):	6.097985120800337
Encrypted:	false
SSDEEP:	49152:8TKuk2CQIU6iV9OjPWgBqIVRIaEv5LY/RnQ2ETEvrPnkbsYNPsNwsML1CPwDv3u6:Vv+KRi5KsEKsY+NwsG1CPwDv3uFfJu
MD5:	6F4B8EB45A965372156086201207C81F
SHA1:	8278F9539463F0A45009287F0516098CB7A15406
SHA-256:	976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541
SHA-512:	2C5C54842ABA9C82FB9E7594AE9E264AC3CBDC2CC1CD22263E9D77479B93636799D0F28235AC79937070E40B04A097C3EA3B7E0CD4376A95ED8CA90245B7891F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... ..$...................................................4....../5...`..........................................h/..h...*4.@....`4.\|....`2.....Z4.`)...p4..O....,.8...........................`.,.@............ 4..............................text.....$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata.......`2.......1.............@..@.idata..^#... 4..$....3.............@..@.00cfg..u....P4.......3.............@..@.rsrc...\|....`4.......3.............@..@.reloc...x...p4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38232
Entropy (8bit):	6.57967863494938
Encrypted:	false
SSDEEP:	768:4iQfxQemQJNrPN+mGyijAeYiSyvOPxWESW7t:YfxIQvPkmGyijj7SymPxlp
MD5:	D86A9D75380FAB7640BB950AEB05E50E
SHA1:	1C61AAF9022CD1F09A959F7B2A65FB1372D187D7
SHA-256:	68FBA9DD89BFAD35F8FD657B9AF22A8AEBDA31BFFDA35058A7F5AE376136E89B
SHA-512:	18437E64061221BE411A1587F634B4B8EFA60E661DBC35FD96A6D0E7EFF812752DE0ADA755C01F286EFEFC47FB5F2DAF07953B4CFC4119121B6BEE7756C88D0F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.r...........................Y...........;....................................................Rich............PE..d....-c.........." ...!.H...(.......L....................................................`......................................... l.......p..P...............P....l..X)......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	702816
Entropy (8bit):	5.547832370836076
Encrypted:	false
SSDEEP:	12288:UUnBMlBGdU/t0voUYHgqRJd7a7+JLvrfX7bOI8Fp0D6WuHU2lvzR:UN/t0vMnffOI8Fp0D6TU2lvzR
MD5:	8769ADAFCA3A6FC6EF26F01FD31AFA84
SHA1:	38BAEF74BDD2E941CCD321F91BFD49DACC6A3CB6
SHA-256:	2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071
SHA-512:	FAC22F1A2FFBFB4789BDEED476C8DAF42547D40EFE3E11B41FADBC4445BB7CA77675A31B5337DF55FDEB4D2739E0FB2CBCAC2FEABFD4CD48201F8AE50A9BD90B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p..p..p......p...+..p.\.+..p.../..p......p...)..p...+..p..p+.iq......p.....p.....p...(..p.Rich.p*.........PE..d......b.........." ... .B...T......<.....................................................`.........................................@A...N..@U..........s........M......`)......h...0...8...............................@............@..@............................text....@.......B.................. ..`.rdata..J/...`...0...F..............@..@.data...AM.......D...v..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............j..............@..@.rsrc...s............l..............@..@.reloc..l............t..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\pyarmor_runtime_000000\pyarmor_runtime.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	631296
Entropy (8bit):	6.203979773542914
Encrypted:	false
SSDEEP:	12288:1pE0yRzkaywctjdcg7fUoPM5pSOnE7G1:Cctjdcg7fUoPM5pSOnq
MD5:	892A73390C93223518B1A7B5624F77D7
SHA1:	9D02DEBA198F6FE4BE2FE429DA3556F9ED3AAB33
SHA-256:	AD11E98C0EF951AC6E4AFD608D6BB2E7758157B838EE865F7499118A7E85E647
SHA-512:	59B14B40F1B00A0C61884157EB37EE29C8BD3D9D20CCF2C2BB7BE75BFBABAFE6CAA6B5F15BDA82701C077A7E4EAB4A8895BD44425DFBA783C33639E167CDF836
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".............h..0.........\e....................................Q......... .........................................].... ..l4...........@...#.......................................... ...(...................h+...............................text...............................`.P`.data....E... ...F..................@.`..rdata.......p.......P..............@.`@.pdata...#...@...$..................@.0@.xdata...&...p...(...:..............@.0@.bss.....f............................`..edata..]............b..............@.0@.idata..l4... ...6...d..............@.0..CRT....X....`......................@.@..tls.........p......................@.@..reloc..............................@.0B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\python3.dll

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65912
Entropy (8bit):	6.084559408369445
Encrypted:	false
SSDEEP:	768:xw/EsYpkVgBaz57kcDA7QKFmpz7cnzH/ks/KF61xubwmB1Cf//yhC74JFmpktJS7:O/5k8cnzeJ4NIgQ0D7SyVPx5
MD5:	7FEB3DA304A2FEAD0BB07D06C6C6A151
SHA1:	EE4122563D9309926BA32BE201895D4905D686CE
SHA-256:	DDD2C77222E2C693EF73D142422D6BF37D6A37DEEAD17E70741B0AC5C9FE095B
SHA-512:	325568BCF1835DD3F454A74012F5D7C6877496068AD0C2421BF65E0640910AE43B06E920F4D0024277EEE1683F0CE27959843526D0070683DA0C02F1EAC0E7D2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]{....e...e...e..fm...e..fe...e..f....e..fg...e.Rich..e.........................PE..d...S..c.........." ..."..................................................................`.........................................`...P...............................x)..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\python311.dll

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5761912
Entropy (8bit):	6.088523424589967
Encrypted:	false
SSDEEP:	98304:qvpgHup+dhRXLPw3W47SrSUHfMWdPrjUOYmIF:qvpgHup+XJrYWYWdjUOYmU
MD5:	A72993488CECD88B3E19487D646F88F6
SHA1:	5D359F4121E0BE04A483F9AD1D8203FFC958F9A0
SHA-256:	AA1E959DCFF75A343B448A797D8A5A041EB03B27565A30F70FD081DF7A285038
SHA-512:	C895176784B9AC89C9B996C02EC0D0A3F7CD6EBF653A277C20DEC104DA6A11DB084C53DD47C7B6653A448D877AD8E5E79C27DB4EA6365EBB8CA2A78AA9C61B38
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................m....l.................y........................Rich....................PE..d...H..c.........." ...".\%..27.....\|J........................................\.....}.X...`...........................................@.....\|TA......p[.......V.X0....W.x)....[..B....).T.............................).@............p%..............................text....Z%......\%................. ..`.rdata.......p%......`%.............@..@.data.........A..L...jA.............@....pdata..X0....V..2....Q.............@..@PyRuntim......X.......S.............@....rsrc........p[......tV.............@..@.reloc...B....[..D...~V.............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32\pythoncom311.dll

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	670208
Entropy (8bit):	6.035999626973864
Encrypted:	false
SSDEEP:	12288:ngSkceIv3zBJBQoXNi4LCQqAOffa1tpd5g:gSkc/v3zB9NiEWfa
MD5:	31C1BF2ACA5DF417F6CE2618C3EEFE7E
SHA1:	4C2F7FE265FF28396D03BA0CAB022BBD1785DBF2
SHA-256:	1DAF7C87B48554F1481BA4431102D0429704832E42E3563501B1FFDD3362FCD1
SHA-512:	5723145F718CC659ADD658BA545C5D810E7032842907BAB5C2335E3DE7F20FE69B58AA42512FD67EA8C6AA133E59E0C26BD90700BDD0D0171AF6C1E1C73A2719
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."..~f..-f..-f..-o..-l..-4..,b..-4..,q..-4..,n..-4..,b..-...,d..--..,k..-...,d..--..,o..-f..-5..-...,7..-...,g..-...,g..-Richf..-................PE..d...&..g.........." ......................................................................`..........................................U...c..(...........l....@...z............... ..P...T...............................8............................................text............................... ..`.rdata..x$.......&..................@..@.data....I..........................@....pdata...z...@...\|..................@..@.rsrc...l...........................@..@.reloc... ......."..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\pywin32_system32\pywintypes311.dll

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	134656
Entropy (8bit):	5.999117329459055
Encrypted:	false
SSDEEP:	3072:kLcVKY3tOSjPenBttgY/r06Yr27vJmxETaTX7wevxJ:kLcVKY3tOWPxY/rkqzJmxEmTXMev
MD5:	5D67ABF69A8939D13BEFB7DE9889B253
SHA1:	BCBBF88C05732D4E1E3811FD312425C1C92018D1
SHA-256:	615EB8A75F9ED9371A59DA8F31E27EE091C013DB0B9164A5124CA0656EA47CB4
SHA-512:	FA34EB05996C41F23524A8B4F1FAED0BDD41224D8E514AA57D568A55D2044C32798C1357F22C72AD79FD02948CAAD89B98B8E9B0AD2927E4A0169739335271CE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I+.j'x.j'x.j'x...x.j'x..&y.j'x...x.j'x.."y.j'x..#y.j'x..$y.j'x..#y.j'x..&y.j'x..&y.j'x.j&xCj'xk..y.j'xk.'y.j'xk.%y.j'xRich.j'x................PE..d......g.........." ................,........................................P............`..........................................u..lB......,....0..l.......L............@..0....Q..T............................R..8............................................text...y........................... ..`.rdata..............................@..@.data....-.......(..................@....pdata..L...........................@..@.rsrc...l....0......................@..@.reloc..0....@......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\select.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29056
Entropy (8bit):	6.492672207841723
Encrypted:	false
SSDEEP:	384:Ag1ecReJK4HquuI7A70RUZNIg7GXIYiSy1pCQm3MnfPxh8E9VF0NyyRt:AseUeJRHqgbGNIg7GYYiSyvwMfPxWEo
MD5:	116335EBC419DD5224DD9A4F2A765467
SHA1:	482EF3D79BFD6B6B737F8D546CD9F1812BD1663D
SHA-256:	813EEDE996FC08E1C9A6D45AAA4CBAE1E82E781D69885680A358B4D818CFC0D4
SHA-512:	41DC7FACAB0757ED1E286AE8E41122E09738733AD110C2918F5E2120DFB0DBFF0DAEFCAD2BFFD1715B15B44C861B1DD7FB0D514983DB50DDC758F47C1B9B3BF3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].t.<t'.<t'.<t'.D.'.<t'.@u&.<t'.@q&.<t'.@p&.<t'.@w&.<t'i@u&.<t'.<u'.<t'.Nu&.<t'i@y&.<t'i@t&.<t'i@.'.<t'i@v&.<t'Rich.<t'................PE..d...^..c.........." ...".....2.......................................................!....`..........................................@..L...,A..x....p.......`.......H...)......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1139576
Entropy (8bit):	5.430913356361142
Encrypted:	false
SSDEEP:	12288:g32YbfjwR6nbVonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eD1ub:gGYbM00IDJcjEwPgPOG6Xyd461ub
MD5:	CDB5F373D24ADCEB4DC4FA1677757F0C
SHA1:	AF6B381EED65D244C57129346008EC8532BA336B
SHA-256:	175C4CB528F1AC4E285C575CC3F5E85EC4B3AE88860210B5D795B580C7F0B5D9
SHA-512:	429A326648C761BF068CA7735094644F532D631CF9355C9F1A5743A5791837A36CD6AA2EFE2265C7541FEB06310D0C07B634DD04438D8EDDBDF1C4147938A868
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t..t..t..}...r..;...v..;...y..;...\|..;...w.....w......v..t..%.....u.....u...y.u.....u..Richt..........PE..d...j..c.........." ...".@..........P*..............................................u.....`.............................................X............`.......P..0....:..x)...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\win32\_win32sysloader.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.113812591033072
Encrypted:	false
SSDEEP:	192:rCm72PEO1jIUs0YqEcPbF55UgCWV4rofnDPdRD0hvHvcqvn7ycIt/G/:rardA0Bzx14r6nDrOhv+O/
MD5:	B58CA169FDCFFAB726391D3906DD9A4E
SHA1:	C4BB8DA84A5D9C31D0ACB7A4127F55E696F414DF
SHA-256:	1A8DCDBD730166889C03FAF285DC1DD9F16090DFE81043D80A9D6308300EBAC9
SHA-512:	AA23DEBF80D89A40677D1BF1C7C6C3445A79E76419865B86D0D6A605656478067EBEA2752348FCF77D583D2E5DCD284DA7F55F751D6441E647565DA77F982966
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Dg..%..%..%..]..%...P..%...]..%...P..%...P..%...P..%.....%..%..%..LP..%..LP..%..LP..%..Rich.%..................PE..d......g.........." ......................................................................`..........................................;..`...p;..d....p..t....`..................@...\|2..T............................2..8............0..p............................text............................... ..`.rdata..4....0......................@..@.data........P......................@....pdata.......`.......0..............@..@.rsrc...t....p.......4..............@..@.reloc..@............8..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\win32\win32api.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	5.849201651779307
Encrypted:	false
SSDEEP:	3072:znvpE3JJ/Q7DspOCQUUU40Oc3lRVFhLaNzvBii7qQvmwCoY9LQPe:T4xG4pOCQUUU4rWlRVgv5qQSoY9
MD5:	D02300D803850C3B0681E16130FECEE4
SHA1:	6411815E2A908432A640719ECFE003B43BBBA35C
SHA-256:	B938C8CD68B15EC62F053045A764D8DD38162A75373B305B4CF1392AC05DF5F9
SHA-512:	6FAD1836614869AB3BB624BDA9943CEAF9E197B17CA4F4FFE78699492B72F95EEE02AE1BB07C0508438956BEF10CC1E656DDF75D0EDC9EF71A3860AF39075564
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..Vx...x...x...q...p.....\|.....p.....\|......z.......z.....o...3..s...x...-......z......y......y...Richx...........PE..d......g.........." .........................................................P............`.........................................P...............0..\....................@..X....v..T............................;..8............0.........@....................text............................... ..`.rdata..b....0......................@..@.data...X(......."..................@....pdata..............................@..@.rsrc...\....0......................@..@.reloc..X....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI57762\win32\win32trace.pyd

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.281874510289411
Encrypted:	false
SSDEEP:	384:9eeH8ZmV+zknwMswDuVQO0T8DmMel2/QEVR7AWCq5yn9ukF1B3:N+zi/uVQ1Q/QEVR1NUpB
MD5:	965E9833F4CD7A45C2C1EE85EFC2DA3B
SHA1:	3C6888194AD30E17DC5EEA7418133A541BCDDF07
SHA-256:	5ECD0274DC220312824BB3086B3E129E38A9DCB06913A2F6173A94DC256BF4C5
SHA-512:	F8C4E0C82A8229B3BDB897B536EE73B5D2A9A2810B73DCC77C880961A9A16E43746234A108A9A15BF18638FCFB3086E0F5EEFD85D5BF6F799718DC6F199C4A26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(U.wF..wF..wF......wF...G..wF...C..wF...B..wF...E..wF.D.G..wF...G..wF...G..wF..wG..wF.D.O..wF.D.F..wF.D.D..wF.Rich.wF.................PE..d......g.........." .....,...,.......(....................................................`......................................... Q..T...tQ..........d....p.......................G..T...........................0H..8............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...(....`.......L..............@....pdata.......p.......R..............@..@.rsrc...d............V..............@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\gh99bdov

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:qn:qn
MD5:	3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:	DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:	F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:	2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:	false
Preview:	blat

C:\Users\user\AppData\Local\Temp\tmpqxtmfx2p\gen_py\init.py

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.713840781302666
Encrypted:	false
SSDEEP:	3:S3yE25MOWrYXtHVE/DRFrgm5/gvJgXDLAUDA+ERo6+aEYqVS1f6gq1WGgVSBn:S3mSOWWHVUDjrgmxgRgzLXDA6Va8VeuR
MD5:	8C7CA775CF482C6027B4A2D3DB0F6A31
SHA1:	E3596A87DD6E81BA7CF43B0E8E80DA5BC823EA1A
SHA-256:	52C72CF96B12AE74D84F6C049775DA045FAE47C007DC834CA4DAC607B6F518EA
SHA-512:	19C7D229723249885B125121B3CC86E8C571360C1FB7F2AF92B251E6354A297B4C2B9A28E708F2394CA58C35B20987F8B65D9BD6543370F063BBD59DB4A186AC
Malicious:	false
Preview:	# Generated file - this directory may be deleted to reset the COM cache.....import win32com..if __path__[:-1] != win32com.__gen_path__: __path__.append(win32com.__gen_path__)..

C:\Users\user\AppData\Local\Temp\tmpqxtmfx2p\gen_py\dicts.dat

Download File

Process:	C:\Users\user\Desktop\winws1.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.7219280948873625
Encrypted:	false
SSDEEP:	3:qW6:qW6
MD5:	2C7344F3031A5107275CE84AED227411
SHA1:	68ACAD72A154CBE8B2D597655FF84FD31D57C43B
SHA-256:	83CDA9FECC9C008B22C0C8E58CBCBFA577A3EF8EE9B2F983ED4A8659596D5C11
SHA-512:	F58362C70A2017875D231831AE5868DF22D0017B00098A28AACB5753432E8C4267AA7CBF6C5680FEB2DC9B7ABADE5654C3651685167CC26AA208A9EB71528BB6
Malicious:	false
Preview:	..K....}..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.9967380377698465
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	winws1.exe
File size:	11'878'277 bytes
MD5:	37e06d6e36e5f993a465b266ade15ea2
SHA1:	e05d11786a37ec01145209156efc92e4ebf1ea38
SHA256:	74ee005a858f35d69b9f32921ccf1039babc70e3a70872b5fd38edeadc0069c4
SHA512:	4152d1c58af81504b0b5d6a5b9327077f2ee8161aaace6a6ab415946f6df4dd2e4db4300ee5d266e413a5694b10c259bc5a52d2134ad62c98a9c96da4c738f21
SSDEEP:	196608:EV1Z2azjvj8p5drY+zg+oqiJFdQmR5dA6leJuErSEEJwlCfFshhnPM9ks8nYIi:EVlj87dtFDMdQ2li+9JUJhhbYIi
TLSH:	0CC6337692A378D5C11F41B0C19AC6A078A4FE7413F1743C07E90BBA6F9BAB46F7A441
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...A.Tg.J.............(.....<... .............@....................................D.....`................................

File Icon


Icon Hash:	4a464cd47461e179

Static PE Info

General

Entrypoint:	0x1400010f6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6754DC41 [Sat Dec 7 23:37:37 2024 UTC]
TLS Callbacks:	0x4000dab0, 0x1, 0x4000db70, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cf8ad0ecdb3ba4aa29003f793248ec72

Entrypoint Preview

Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [000206F4h]
mov dword ptr [eax], 00000001h
call 00007F6EC4993872h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [000206C5h]
mov dword ptr [eax], 00000000h
call 00007F6EC4993843h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 70h
dec eax
mov dword ptr [ebp-10h], 00000000h
mov dword ptr [ebp-1Ch], 00000030h
mov eax, dword ptr [ebp-1Ch]
dec eax
mov eax, dword ptr [eax]
dec eax
mov dword ptr [ebp-28h], eax
dec eax
mov eax, dword ptr [ebp-28h]
dec eax
mov eax, dword ptr [eax+08h]
dec eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-04h], 00000000h
jmp 00007F6EC4993853h
dec eax
mov eax, dword ptr [ebp-10h]
dec eax
cmp eax, dword ptr [ebp-18h]
jne 00007F6EC499383Bh
mov dword ptr [ebp-04h], 00000001h
jmp 00007F6EC4993877h
mov ecx, 000003E8h
dec eax
mov eax, dword ptr [0002853Eh]
call eax
dec eax
mov eax, dword ptr [0002069Dh]
dec eax
mov dword ptr [ebp-30h], eax
dec eax
mov eax, dword ptr [ebp-18h]
dec eax
mov dword ptr [ebp+00h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29000	0x15fc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0xf41c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x25000	0xf6c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3d000	0x13c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x20a60	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x29580	0x4f0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x183c8	0x18400	616d6c6e51c5e392d4ec9a3ff55d8079	False	0.444164787371134	data	6.169519932682489	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1a000	0x150	0x200	0121ce293810747daec3ebac9cc32327	False	0.189453125	data	1.3863555132737315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1b000	0x8200	0x8200	23c563a29a4a256b26cd20c230b9aa44	False	0.48115985576923076	data	6.585400510346943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x24000	0x4	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x25000	0xf6c	0x1000	68aa1eabf500d997f09cbe9273da2d29	False	0.47412109375	data	5.06511475769715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x26000	0xfc4	0x1000	faa06eeea841bc050055ea29bac6cbc1	False	0.25390625	shared library	4.378695124603942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x27000	0x1ed0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x29000	0x15fc	0x1600	784cf13538071a0d21100682f50e9e8d	False	0.33203125	data	4.563031060063162	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x2b000	0x60	0x200	d44f86b8c428e457de2de5ea3e40aa46	False	0.06640625	data	0.29046607431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x2c000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2d000	0xf41c	0xf600	4c8f6d330806f9f4616d141f80690999	False	0.8030678353658537	data	7.55489091318796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3d000	0x13c	0x200	08adfa9e87cba7e06bbfd839064387ca	False	0.490234375	data	3.5698192923734458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x2d208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x2e0b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x2e958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x2eec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x383ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x3a994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x3ba3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x3bea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x3bf0c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
ADVAPI32.dll	ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetTokenInformation, OpenProcessToken
COMCTL32.dll	LoadIconMetric
GDI32.dll	CreateFontIndirectW, DeleteObject, SelectObject
KERNEL32.dll	CloseHandle, CreateDirectoryW, CreateProcessW, CreateSymbolicLinkW, DeleteCriticalSection, EnterCriticalSection, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FormatMessageW, FreeLibrary, GetCommandLineW, GetCurrentProcess, GetEnvironmentVariableW, GetExitCodeProcess, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoW, GetTempPathW, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LocalFree, MulDiv, MultiByteToWideChar, SetConsoleCtrlHandler, SetDllDirectoryW, SetEnvironmentVariableW, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, __C_specific_handler
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __argc, __iob_func, __set_app_type, __setusermatherr, __wargv, __wgetmainargs, __winitenv, _amsg_exit, _cexit, _commode, _errno, _filelengthi64, _fileno, _findclose, _fileno, _fmode, _get_osfhandle, _getpid, _initterm, _lock, _onexit, _snwprintf, _stat64, _strdup, _unlock, _wcmdln, _wcsdup, _wcsdup, _wfindfirst64, _wfindnext64, _wfopen, _wfullpath, _wputenv_s, _wremove, _wrmdir, _wstat64, _wtempnam, abort, calloc, clearerr, exit, fclose, feof, ferror, fflush, fgetpos, fprintf, fputc, fputwc, fread, free, fsetpos, fwprintf, fwrite, iswctype, localeconv, malloc, mbstowcs, memcmp, memcpy, memset, perror, realloc, setlocale, signal, strcat, strchr, strcmp, strcpy, strerror, strlen, strncat, strncmp, strncpy, strtok, strtoul, vfprintf, wcscat, wcschr, wcscmp, wcscpy, wcslen, wcsncpy, wcstombs
USER32.dll	CreateWindowExW, DestroyIcon, DialogBoxIndirectParamW, DrawTextW, EndDialog, GetClientRect, GetDC, GetDialogBaseUnits, GetWindowLongPtrW, InvalidateRect, MessageBoxA, MessageBoxW, MoveWindow, ReleaseDC, SendMessageW, SetWindowLongPtrW, SystemParametersInfoW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 11:29:16.885458946 CET	49731	443	192.168.2.6	104.26.12.205
Dec 17, 2024 11:29:16.885503054 CET	443	49731	104.26.12.205	192.168.2.6
Dec 17, 2024 11:29:16.885664940 CET	49731	443	192.168.2.6	104.26.12.205
Dec 17, 2024 11:29:16.886481047 CET	49731	443	192.168.2.6	104.26.12.205
Dec 17, 2024 11:29:16.886493921 CET	443	49731	104.26.12.205	192.168.2.6
Dec 17, 2024 11:29:18.110347986 CET	443	49731	104.26.12.205	192.168.2.6
Dec 17, 2024 11:29:18.110985041 CET	49731	443	192.168.2.6	104.26.12.205
Dec 17, 2024 11:29:18.110996962 CET	443	49731	104.26.12.205	192.168.2.6
Dec 17, 2024 11:29:18.112437963 CET	443	49731	104.26.12.205	192.168.2.6
Dec 17, 2024 11:29:18.112508059 CET	49731	443	192.168.2.6	104.26.12.205
Dec 17, 2024 11:29:18.113152981 CET	49731	443	192.168.2.6	104.26.12.205
Dec 17, 2024 11:29:18.113312006 CET	49731	443	192.168.2.6	104.26.12.205

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 11:29:16.743837118 CET	52389	53	192.168.2.6	1.1.1.1
Dec 17, 2024 11:29:16.883126974 CET	53	52389	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 11:29:16.743837118 CET	192.168.2.6	1.1.1.1	0x8a40	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 11:29:16.883126974 CET	1.1.1.1	192.168.2.6	0x8a40	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 17, 2024 11:29:16.883126974 CET	1.1.1.1	192.168.2.6	0x8a40	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 17, 2024 11:29:16.883126974 CET	1.1.1.1	192.168.2.6	0x8a40	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:29:10
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\winws1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\winws1.exe"
Imagebase:	0x7ff611300000
File size:	11'878'277 bytes
MD5 hash:	37E06D6E36E5F993A465B266ADE15EA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:29:13
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\winws1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\winws1.exe"
Imagebase:	0x7ff611300000
File size:	11'878'277 bytes
MD5 hash:	37E06D6E36E5F993A465B266ADE15EA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AntiVM_5, Description: Yara detected AntiVM_5, Source: 00000003.00000002.2265230040.000001EE75B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.5%
Total number of Nodes:	1169
Total number of Limit Nodes:	13

Executed Functions

Function 00007FF611307F60 Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF611307FC1
free.MSVCRT ref: 00007FF611307FCC

Part of subcall function 00007FF611309420: wcslen.MSVCRT ref: 00007FF611309429

_wfullpath.MSVCRT ref: 00007FF611307FF4
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF61130805D
wcschr.MSVCRT(?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF611308068
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF61130807A
_wputenv_s.MSVCRT ref: 00007FF611308086
free.MSVCRT ref: 00007FF611308091
GetTempPathW.KERNEL32 ref: 00007FF6113080AB
_getpid.MSVCRT(?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF6113080B1
_wtempnam.MSVCRT ref: 00007FF6113080DA
free.MSVCRT ref: 00007FF6113080EF
free.MSVCRT ref: 00007FF611308119

Part of subcall function 00007FF611307E30: GetEnvironmentVariableW.KERNEL32 ref: 00007FF611307E5C

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

_wcsdup.MSVCRT ref: 00007FF61130813B

Strings

_MEI%d, xrefs: 00007FF6113080B6
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF611308210
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6113081E0
TMP, xrefs: 00007FF611307F88, 00007FF611308107, 00007FF61130818F, 00007FF6113081B5, 00007FF611308237
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF611308221
TMP, xrefs: 00007FF61130807C
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF6113081F8
_MEIPASS2, xrefs: 00007FF611307F69

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: free$CreateDirectoryEnvironment$ByteCharExpandMultiPathStringsTempVariableWide_getpid_wcsdup_wfullpath_wputenv_s_wtempnamwcschrwcslen
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.$LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d$_MEIPASS2
API String ID: 2274789544-3119237222
Opcode ID: 671dda77df2ef5e6ce07f0f1f353edfb057de789b396c98f01983217660df552
Instruction ID: 727f2a12e79b7da31d9e4b5a610f38af72b660992e3f0f6dfc138cee1b0007ad
Opcode Fuzzy Hash: 671dda77df2ef5e6ce07f0f1f353edfb057de789b396c98f01983217660df552
Instruction Fuzzy Hash: 62612A21F49E5681FB59BB66A8192BA52E9AF49FE0F484431DD0ED778EED2CE405C300

Function 00007FF611301154 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_amsg_exit.MSVCRT ref: 00007FF6113011F6
_initterm.MSVCRT ref: 00007FF61130122B
_initterm.MSVCRT ref: 00007FF61130125E
exit.MSVCRT ref: 00007FF611301358
_cexit.MSVCRT ref: 00007FF611301367

Strings

0, xrefs: 00007FF611301164

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: _initterm$_amsg_exit_cexitexit
String ID: 0
API String ID: 602970348-4108050209
Opcode ID: 68b42a7169f47ea2a0c2489e8fdb899db89ccd3641b59c7d876ca4fdc4d75048
Instruction ID: 32e468780db96470642340ab7d6b11e790d630cf4aa8f3085b8af854b9925a1a
Opcode Fuzzy Hash: 68b42a7169f47ea2a0c2489e8fdb899db89ccd3641b59c7d876ca4fdc4d75048
Instruction Fuzzy Hash: C2619279A08F0689FB01ABA9E98436937A8BB48FA4F404435DD0DD7769DF7CE4448790

Function 00007FF61130AAA0 Relevance: 6.9, Strings: 5, Instructions: 602
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

invalid block type, xrefs: 00007FF61130C02F
invalid stored block lengths, xrefs: 00007FF61130AD99
too many length or distance symbols, xrefs: 00007FF61130B83E
incorrect data check, xrefs: 00007FF61130ABE1
invalid literal/length code, xrefs: 00007FF61130C174

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID:
String ID: incorrect data check$invalid block type$invalid literal/length code$invalid stored block lengths$too many length or distance symbols
API String ID: 0-817236767
Opcode ID: edda78cfee263c1a0d51050989b18d83d5165dd7758e07e4666f51b0d9e6ee7b
Instruction ID: 33b95c9e2ed047d787a537b61443be09714c678ab8fc6b4d304ee8bb5b743ba0
Opcode Fuzzy Hash: edda78cfee263c1a0d51050989b18d83d5165dd7758e07e4666f51b0d9e6ee7b
Instruction Fuzzy Hash: 9C32D377A18A928BD3548F25E48893E7BE9F744BA4F154235DA5AC3788DF3CE944CB00

Function 00007FF61130B278 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

invalid code -- missing end-of-block, xrefs: 00007FF61130BD0D
invalid distances set, xrefs: 00007FF61130C732
invalid bit length repeat, xrefs: 00007FF61130C645
invalid literal/lengths set, xrefs: 00007FF61130C61E

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid distances set$invalid literal/lengths set
API String ID: 0-1153561608
Opcode ID: cff788bb3bcb304cddf1bce8afa9734ec4ede5906092ff3c2facd10851e22f08
Instruction ID: 9041bf5dcb0937a8eb4fdb0fb32992a5deacdd2685749f55536b79c7ca3971f7
Opcode Fuzzy Hash: cff788bb3bcb304cddf1bce8afa9734ec4ede5906092ff3c2facd10851e22f08
Instruction Fuzzy Hash: 6CF1B376A18B528BD7548F14E488A3E77EDFB44B94F564139DA4AC3788DF38E944CB00

Function 00007FF6113093B0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF6113093D5
FindClose.KERNEL32 ref: 00007FF6113093E4

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 59c1ec81a29a6fab549a8afeeca284bc4e0314e0ec4df424a70acac61bdd8c3c
Instruction ID: 911223ba2b06bfe54a495350715599a45f4ae040ae2179c3ebef1167a2d09539
Opcode Fuzzy Hash: 59c1ec81a29a6fab549a8afeeca284bc4e0314e0ec4df424a70acac61bdd8c3c
Instruction Fuzzy Hash: BCF03029A19A4181F7A0AB70B4083696790A784BB8F804734DABD816D8DF7C8149CB40

Function 00007FF611301D40 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF611301DCB
fread.MSVCRT ref: 00007FF611301E31
free.MSVCRT ref: 00007FF611301E59
fclose.MSVCRT ref: 00007FF611301E96
fclose.MSVCRT ref: 00007FF611301E9E

Part of subcall function 00007FF611304650: _wfopen.MSVCRT ref: 00007FF611304695

Strings

Failed to create symbolic link %s!, xrefs: 00007FF611301EBC
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF611301F23
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF611301F40
malloc, xrefs: 00007FF611301F78
fwrite, xrefs: 00007FF611301F0A
Failed to extract %s: failed to open target file!, xrefs: 00007FF611301F59
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF611301F03
Failed to extract %s: failed to open archive file!, xrefs: 00007FF611301ED3
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF611301F71
fseek, xrefs: 00007FF611301F2A
fread, xrefs: 00007FF611301E45
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF611301E3E
fopen, xrefs: 00007FF611301F60

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fclose$_wfopenfreadfreemalloc
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 414440483-3833288071
Opcode ID: b8326de1dd1da5a01a039f0c6865c55c65bdf7ac7e71c07fea9abcbacca4f40a
Instruction ID: 4b9eb521ea7793155c10e2113c74a54d2ecae7714d3d2acfba578de245b604be
Opcode Fuzzy Hash: b8326de1dd1da5a01a039f0c6865c55c65bdf7ac7e71c07fea9abcbacca4f40a
Instruction Fuzzy Hash: 69518021E0DD5741FB15972598506FA12A9AF14FF8F88023AED0DCB2DEEE6CE949C340

Function 00007FF611309210 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF611309247
OpenProcessToken.ADVAPI32 ref: 00007FF611309258
free.MSVCRT ref: 00007FF611309270
CloseHandle.KERNEL32 ref: 00007FF611309280
_snwprintf.MSVCRT ref: 00007FF6113092A8
LocalFree.KERNEL32 ref: 00007FF6113092B1
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6113092D7
CreateDirectoryW.KERNEL32 ref: 00007FF6113092EB
GetTokenInformation.KERNELBASE(00000000,?,00000005,?,?,00000000,00007FF6113080E8,?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF611309331
GetLastError.KERNEL32 ref: 00007FF611309337
calloc.MSVCRT ref: 00007FF611309352
GetTokenInformation.KERNELBASE(?,00000000,00007FF6113080E8,?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF611309378
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF61130938D

Strings

D:(A;;FA;;;%s), xrefs: 00007FF61130929A
S-1-3-4, xrefs: 00007FF61130928B

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen_snwprintfcallocfree
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 1339360106-2855260032
Opcode ID: 840785790ae47b5b900202a130df978d56d1b00df71af0a86b378aa74ba62265
Instruction ID: 370e3472d99b040be8d805f18e9f9b5db98e5ff1070d36b127e2876611467d72
Opcode Fuzzy Hash: 840785790ae47b5b900202a130df978d56d1b00df71af0a86b378aa74ba62265
Instruction Fuzzy Hash: C5318121708A4682E710AB61F8047AA63A9FB85FB4F140235EE6DC7AD8EF7CE445C740

Function 00007FF61130F3B0 Relevance: 25.8, APIs: 17, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strdup.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F3E0
setlocale.MSVCRT ref: 00007FF61130F3F8
mbstowcs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F42F
mbstowcs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F48F
setlocale.MSVCRT ref: 00007FF61130F4FA
free.MSVCRT ref: 00007FF61130F506
wcstombs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F73A
wcstombs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F7AE
realloc.MSVCRT ref: 00007FF61130F7C9
wcstombs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F7F2
setlocale.MSVCRT ref: 00007FF61130F803
free.MSVCRT ref: 00007FF61130F80F
wcstombs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F839
realloc.MSVCRT ref: 00007FF61130F854
wcstombs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F878
setlocale.MSVCRT ref: 00007FF61130F889
free.MSVCRT ref: 00007FF61130F895

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: wcstombs$setlocale$free$mbstowcsrealloc$_strdup
String ID:
API String ID: 918573998-0
Opcode ID: bc37caea81c3f1b4857c0da5a89418885bf617b27b1e748d0f14d2c635658186
Instruction ID: 8f5bee2cb25e0e19cbce18612337648e828bf28c2b5ca53fac248c82cb0a813c
Opcode Fuzzy Hash: bc37caea81c3f1b4857c0da5a89418885bf617b27b1e748d0f14d2c635658186
Instruction Fuzzy Hash: 65F1F866F04B1989EB509BAAD4412BC27F9FB48FA8F804436DE4CA7798EF38D451C351

Function 00007FF611301710 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 231
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61130A920: malloc.MSVCRT ref: 00007FF61130A889

malloc.MSVCRT ref: 00007FF611301788
malloc.MSVCRT ref: 00007FF61130179E
fread.MSVCRT ref: 00007FF6113017EF
ferror.MSVCRT ref: 00007FF611301800
free.MSVCRT ref: 00007FF6113018A2
free.MSVCRT ref: 00007FF6113018AA
fwrite.MSVCRT ref: 00007FF6113018FC
ferror.MSVCRT ref: 00007FF611301917

Strings

malloc, xrefs: 00007FF611301AA3, 00007FF611301AC2
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF611301A64
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF611301886
1.2.13, xrefs: 00007FF61130173F
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF611301A9C
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF611301ABB

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: malloc$ferrorfree$freadfwrite
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 1635854594-1655038675
Opcode ID: c7dad65b08eccfe109ea056ce5c20d395fae7623f7bcb11bc371ddcf49c6912d
Instruction ID: 0f5177cb95451457f0e952c0fc06814180a0d22c16884b2a576d92242c99b95f
Opcode Fuzzy Hash: c7dad65b08eccfe109ea056ce5c20d395fae7623f7bcb11bc371ddcf49c6912d
Instruction Fuzzy Hash: 8791CF22B08A9641E7208F12A8403BA66E8BB45FF4F544231DE9DD3BDDEE7CE585D700

Function 00007FF611308820 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 99
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

SetConsoleCtrlHandler.KERNEL32 ref: 00007FF61130886A
GetStartupInfoW.KERNEL32 ref: 00007FF61130888C
_get_osfhandle.MSVCRT ref: 00007FF6113088DF
_fileno.MSVCRT ref: 00007FF6113088FC
_get_osfhandle.MSVCRT ref: 00007FF611308903
_fileno.MSVCRT ref: 00007FF611308920
_get_osfhandle.MSVCRT ref: 00007FF611308927
GetCommandLineW.KERNEL32 ref: 00007FF611308939
CreateProcessW.KERNEL32 ref: 00007FF611308981
WaitForSingleObject.KERNEL32 ref: 00007FF611308998
GetExitCodeProcess.KERNEL32 ref: 00007FF6113089AB

Strings

Error creating child process!, xrefs: 00007FF6113089C8
CreateProcessW, xrefs: 00007FF6113089CF

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: _get_osfhandle$Process_fileno$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2399235724-3524285272
Opcode ID: 2bb69f242d9541d69d1b049c92316138750a043074f1ee99989ea41868e2982c
Instruction ID: c0089ae21c8403b2a97eafd0122c2a33b277d6032b14fe060f121b25def22bf8
Opcode Fuzzy Hash: 2bb69f242d9541d69d1b049c92316138750a043074f1ee99989ea41868e2982c
Instruction Fuzzy Hash: 3D414432A08B8145EB609B64F8557AA73A4EB857B4F404335EAAD877D8EF7CD084C740

Function 00007FF6113016D0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 342
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF611308FE0: free.MSVCRT ref: 00007FF611309047
Part of subcall function 00007FF611308FE0: free.MSVCRT ref: 00007FF611309054

Part of subcall function 00007FF6113021D0: calloc.MSVCRT ref: 00007FF6113021DE

Part of subcall function 00007FF6113045A0: GetModuleFileNameW.KERNEL32 ref: 00007FF6113045C2

Part of subcall function 00007FF611307E30: GetEnvironmentVariableW.KERNEL32 ref: 00007FF611307E5C

SetDllDirectoryW.KERNEL32 ref: 00007FF611303DD9

Part of subcall function 00007FF611307020: calloc.MSVCRT ref: 00007FF61130702E

Part of subcall function 00007FF611307060: free.MSVCRT ref: 00007FF61130707D
Part of subcall function 00007FF611307060: free.MSVCRT ref: 00007FF61130708E
Part of subcall function 00007FF611307060: free.MSVCRT ref: 00007FF61130709F
Part of subcall function 00007FF611307060: free.MSVCRT ref: 00007FF6113070A7

free.MSVCRT ref: 00007FF611303D5E

Part of subcall function 00007FF611307F20: SetEnvironmentVariableW.KERNEL32 ref: 00007FF611307F3B
Part of subcall function 00007FF611307F20: free.MSVCRT ref: 00007FF611307F46

strcmp.MSVCRT ref: 00007FF611303E93
strcpy.MSVCRT ref: 00007FF611303ED9
SetDllDirectoryW.KERNEL32 ref: 00007FF6113040E5

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

Strings

Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF61130405C
_PYI_ONEDIR_MODE, xrefs: 00007FF611303D38, 00007FF611303D63
Failed to convert DLL search path!, xrefs: 00007FF6113042A5
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF611304211
_MEIPASS2, xrefs: 00007FF611303D1D

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: free$DirectoryEnvironmentVariablecalloc$ByteCharFileModuleMultiNameWidestrcmpstrcpy
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2187479179-3096095006
Opcode ID: 1f15bd69bbc3f3c24b7a495f441c003db60766bb70107ae8481ff2041d2710a3
Instruction ID: 0e977f339c364287317b8045a5fd6242561dea83be5132dfacc858a02cdec789
Opcode Fuzzy Hash: 1f15bd69bbc3f3c24b7a495f441c003db60766bb70107ae8481ff2041d2710a3
Instruction Fuzzy Hash: B6E18F21A0CE4280EB64EB22A9502BB66EDAF44FE0F444135EE4ED77DEDE3CE5058750

Function 00007FF611301F90 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF611304650: _wfopen.MSVCRT ref: 00007FF611304695

Part of subcall function 00007FF611308BB0: malloc.MSVCRT ref: 00007FF611308BCE
Part of subcall function 00007FF611308BB0: free.MSVCRT ref: 00007FF611308CA5

fclose.MSVCRT ref: 00007FF611301FF3
fread.MSVCRT ref: 00007FF61130202F
malloc.MSVCRT ref: 00007FF61130208D
fread.MSVCRT ref: 00007FF6113020AE

Strings

malloc, xrefs: 00007FF6113021A2
Could not read full TOC!, xrefs: 00007FF611302120
fseek, xrefs: 00007FF611302147
fread, xrefs: 00007FF611302127, 00007FF611302167
Failed to read cookie!, xrefs: 00007FF611302160
Failed to seek to cookie position!, xrefs: 00007FF611302140
Error on file., xrefs: 00007FF611302180
Could not allocate buffer for TOC!, xrefs: 00007FF61130219B

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: freadmalloc$_wfopenfclosefree
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$fread$fseek$malloc
API String ID: 2617120823-2084260460
Opcode ID: 5bce95ee8fb63d5300fe38628ad1002844fa94faa99f8bb8496a8220ff03f0bc
Instruction ID: 6a7e4713da0cd09ce4828a6ce8d251fee3b1e603478eb1b654140d261a6bc9f9
Opcode Fuzzy Hash: 5bce95ee8fb63d5300fe38628ad1002844fa94faa99f8bb8496a8220ff03f0bc
Instruction Fuzzy Hash: 33516C71B09E0682EB189B29D8442B867F9AF88FA4F54823AD90DC779DDF3CE505C744

Function 00007FF611308260 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

wcslen.MSVCRT ref: 00007FF6113082B0
wcscat.MSVCRT ref: 00007FF6113082DE
_wrmdir.MSVCRT ref: 00007FF6113082FC
wcscat.MSVCRT ref: 00007FF61130832E

Strings

_MEIPASS2, xrefs: 00007FF611308269

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: wcscat$ByteCharMultiWide_wrmdirwcslen
String ID: _MEIPASS2
API String ID: 3789554339-3944641314
Opcode ID: fb5fa8b4530e7b2c41102c59ccc0b32c935fc7947f7e5b4f43b1699e594ef5fd
Instruction ID: 73bab770df99253c07fb571ba9c9c54f1d84fd9bb2a882a5b0dce12228a7bd77
Opcode Fuzzy Hash: fb5fa8b4530e7b2c41102c59ccc0b32c935fc7947f7e5b4f43b1699e594ef5fd
Instruction Fuzzy Hash: 2721AD52B08D4244EB64A612A8146FE92A8BB86FF0FC84571ED1ED77DEEE3CE445C305

Function 00007FF611308590 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WARNING: file already exists but should not: %s, xrefs: 00007FF611308622
\, xrefs: 00007FF6113085B8
%s%c%s, xrefs: 00007FF6113085A1
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF611308648
ERROR: file already exists but should not: %s, xrefs: 00007FF611308683

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: strlen$_wfopenstrcpystrtok
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 1482442392-3501660386
Opcode ID: 5fad58f6d195ab0a3039cc78234095d5774b2b1d52e7f46b521baf6d6253a7c3
Instruction ID: 03200e64dd8320341658c664ef6508b1484b7e350b924097a3b7cb6e269cfc5c
Opcode Fuzzy Hash: 5fad58f6d195ab0a3039cc78234095d5774b2b1d52e7f46b521baf6d6253a7c3
Instruction Fuzzy Hash: A521E060E0CE4785FB20AB25AD142BA22ED5F04FF4F494572EA5DC62DEEE2CE5428200

Function 00007FF6113083A0 Relevance: 9.1, APIs: 6, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscmp.MSVCRT ref: 00007FF6113083EA
wcscat.MSVCRT ref: 00007FF611308400

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: wcscatwcscmp
String ID:
API String ID: 3846154227-0
Opcode ID: 540d919613c492cef5aa6eb646dd1b1cb3c8d339fc27a6144501ec21207fb444
Instruction ID: 8e6fd7d5c96a9720805716239bed22239ecd372163d41879fbea657f466d91d8
Opcode Fuzzy Hash: 540d919613c492cef5aa6eb646dd1b1cb3c8d339fc27a6144501ec21207fb444
Instruction Fuzzy Hash: 2A116D14E08E428AFB64AB22A8102FE13DC5F84FE4F0840B1DD0EC66DEEE6CE5018301

Function 00007FF611308480 Relevance: 6.3, APIs: 5, Instructions: 77
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF6113084F1
strlen.MSVCRT ref: 00007FF611308513
strlen.MSVCRT ref: 00007FF611308529
strcpy.MSVCRT(?,?,00000000,00000000,?,00007FF611301CDA,00000000,?,?,00000000,00007FF611301E65), ref: 00007FF61130853A
strtok.MSVCRT(?,?,00000000,00000000,?,00007FF611301CDA,00000000,?,?,00000000,00007FF611301E65), ref: 00007FF611308544

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: strlen$strcpystrtok
String ID:
API String ID: 3698421117-0
Opcode ID: 86c057e636391070db3999e02b4ec4b0961dea1a697d128733877af77779c05a
Instruction ID: 3c0976ed524fc1e886d7767cd73579945dea498afd8a60da550a383558e21deb
Opcode Fuzzy Hash: 86c057e636391070db3999e02b4ec4b0961dea1a697d128733877af77779c05a
Instruction Fuzzy Hash: 3C219011B49E4285FB22A651A8053FA52995F45FF0F880531ED0DC77CEEE3CE556C344

Function 00007FF61130A4F0 Relevance: 5.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF61130A54E
malloc.MSVCRT ref: 00007FF61130A5C4

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: mallocmemcpy
String ID:
API String ID: 4276657696-0
Opcode ID: 425d4c8a08875ec74439c914d8f05ade38285fd10358b5af06c5e2fac6744273
Instruction ID: 88de212dc3f674f2e69dd41fd447c29670beda3cdc48c3b91330c042b5ef1030
Opcode Fuzzy Hash: 425d4c8a08875ec74439c914d8f05ade38285fd10358b5af06c5e2fac6744273
Instruction Fuzzy Hash: 2B31C472B259418BD7608A26F4846AEB6E5FB84F90F145234DB8AD7F44EE7DF4418B00

Function 00007FF611308BB0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF611308BCE
free.MSVCRT ref: 00007FF611308CA5

Strings

_MEIPASS2, xrefs: 00007FF611308BB4

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: freemalloc
String ID: _MEIPASS2
API String ID: 3061335427-3944641314
Opcode ID: 6e5bc360a876c164f27c815032cb47837420bf40ba37871437629ced47b6ff38
Instruction ID: 31d736820ee6db04093ef4c6f9896fd2b50ee26e50706fd6a4c1a1260301bf2d
Opcode Fuzzy Hash: 6e5bc360a876c164f27c815032cb47837420bf40ba37871437629ced47b6ff38
Instruction Fuzzy Hash: 0C21B012B5AD5681FF11DA2299047FAD6A96F45FE8F880471DE0CCB68AEE3DE542C200

Function 00007FF611307020 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF61130702E

Strings

Cannot allocate memory for SPLASH_STATUS., xrefs: 00007FF61130703D
calloc, xrefs: 00007FF611307044

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: calloc
String ID: Cannot allocate memory for SPLASH_STATUS.$calloc
API String ID: 2635317215-799113134
Opcode ID: f2af3c9f5e49862c4fdb12449ad5d52b59e493735a903b8862745a60d1d68c81
Instruction ID: a4db885e7fb9adeb9a252c813abdb801886f8b64749be8aa9518b9d365af448b
Opcode Fuzzy Hash: f2af3c9f5e49862c4fdb12449ad5d52b59e493735a903b8862745a60d1d68c81
Instruction Fuzzy Hash: BBE01265E08E0280EF159710A4511B923A8FF85BA4F944138DA4CC77EDED3CE545CB84

Function 00007FF6113022C0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FF6113023D2

Strings

pyi-contents-directory, xrefs: 00007FF61130238B

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: strcpy
String ID: pyi-contents-directory
API String ID: 3177657795-2617349511
Opcode ID: 5bf9b9d7ed3ee3d6fd6229c4798420956e625b75858e8fae20c676d5f28f119e
Instruction ID: beb355618fcbd02f6dbb066d42b8b7063f3f3d2d4380c325e3a1015924a389ef
Opcode Fuzzy Hash: 5bf9b9d7ed3ee3d6fd6229c4798420956e625b75858e8fae20c676d5f28f119e
Instruction Fuzzy Hash: CA318362B09E8284FB619A65E8083F91399AF44FE4F484131ED0DCB78EDE3CE545C710

Function 00007FF611310060 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fsetpos.MSVCRT ref: 00007FF611310105

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fsetpos
String ID:
API String ID: 850078086-0
Opcode ID: 465717a23ec0afd49ac1cc4503031fffc665e619fc2808689674e9d738e7ebcb
Instruction ID: 8fbe51eea9154128745f2afa209e5bb9ad3423301091d52a15b8e6968331372a
Opcode Fuzzy Hash: 465717a23ec0afd49ac1cc4503031fffc665e619fc2808689674e9d738e7ebcb
Instruction Fuzzy Hash: FD113376F04F469AEB109F7588450AC33B8AB09BA8F504A35EE5D8779DDF38D1918350

Function 00007FF61130FF1B Relevance: 2.6, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61130FD30: wcslen.MSVCRT ref: 00007FF61130FD66

free.MSVCRT ref: 00007FF61130FF5F
memset.MSVCRT ref: 00007FF61130FF7C

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: freememsetwcslen
String ID:
API String ID: 2332356550-0
Opcode ID: c2e1b32b20ba580d70b52182103e0aee796dda81a15ec91a94acdf2495544fb0
Instruction ID: c57a86ef9d78d6b86cf63e6b8d1460ce5ac0b377950596c0c4f38e4305235a93
Opcode Fuzzy Hash: c2e1b32b20ba580d70b52182103e0aee796dda81a15ec91a94acdf2495544fb0
Instruction Fuzzy Hash: BE31B466B04B1489EB14CF7AD48109C3BB5FB98BA8B108526EE1C57B6CEB38C591C790

Function 00007FF61130FC50 Relevance: 2.5, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF61130FCA5
memcpy.MSVCRT ref: 00007FF61130FD16

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 5d324b82e055cafc44ef2489a603cddb014aa3137ca6904158de945bf2753727
Instruction ID: 35cf5c01a2dc5a6fd9c37bdfc83903c8077d85e5d88506520d68970e78520929
Opcode Fuzzy Hash: 5d324b82e055cafc44ef2489a603cddb014aa3137ca6904158de945bf2753727
Instruction Fuzzy Hash: 1C21F476B40B8689DB64CF6AD8843ED37B5FB49BA8F018126CE2C5BB58DE34C641C740

Function 00007FF61130FB70 Relevance: 2.5, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF61130FBC7
memcpy.MSVCRT ref: 00007FF61130FC3A

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 86a4f9779090a5a3b7ad0aee4b266cf8ba49ffbde6d478c0951e5b4311ae9909
Instruction ID: bf945f19ddbcfe00457798748ceb40312958f666c80b793c315a6a45f4afbd73
Opcode Fuzzy Hash: 86a4f9779090a5a3b7ad0aee4b266cf8ba49ffbde6d478c0951e5b4311ae9909
Instruction Fuzzy Hash: 2521E876B40F8A89DB64CF69D8843ED33A5E749BB8F114225CE3C5BB98DE34C5418340

Function 00007FF611304650 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

_wfopen.MSVCRT ref: 00007FF611304695

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWide_wfopen
String ID:
API String ID: 372205238-0
Opcode ID: 8e21174acb464d8d1757056906152d011765c52c98c26f0b73aa27ab55bd4878
Instruction ID: 6b06dd2b62576c8f81ae7b8d371d63d0cc2b2708278ba82037bfd7d4375f0b85
Opcode Fuzzy Hash: 8e21174acb464d8d1757056906152d011765c52c98c26f0b73aa27ab55bd4878
Instruction Fuzzy Hash: 90E09251B0861041EA14A222A9143E9829A6F49FE0F448030EE0C9BB8E9D1DD2438701

Function 00007FF61130B150 Relevance: 1.4, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF61130B18E

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 885c1ada9ef54120341bcedc4c9a71be298787a9b6042cca5f6a765c25f5e263
Instruction ID: 02b1ece8e128eee68243e40d2cf9aa4b6da6929ae2f8462f1086f02b4006af70
Opcode Fuzzy Hash: 885c1ada9ef54120341bcedc4c9a71be298787a9b6042cca5f6a765c25f5e263
Instruction Fuzzy Hash: 6B51C737A196828BD7558E19E488A2F77EDFB44BA4F158139DA45C3A98CF38D881CB00

Function 00007FF61130D990 Relevance: 1.3, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF61130DA4A

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: a1c7189d00abfc9b8276c972b3be7d95addfd7c87cd30e887ec7055d5bdc4fb6
Instruction ID: 63dee087bdf0a544bbbe868f2dc468b06e5b9f19f7c972023103ac7626a25950
Opcode Fuzzy Hash: a1c7189d00abfc9b8276c972b3be7d95addfd7c87cd30e887ec7055d5bdc4fb6
Instruction Fuzzy Hash: 6131F326F08B1599FB109BA6D4443BC37F8A704BA8F904076DE8CA7B98DF3C9691C754

Function 00007FF61130A920 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF61130A889

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 70144d6ec82bfe141b5cbf93c26a1062560a1e9f03a4e2e5c767b20eb75f5ad6
Instruction ID: 36b0b58fb2304a27edfa2adfe9f5b024120aca135dc81ba736022c0fecf52110
Opcode Fuzzy Hash: 70144d6ec82bfe141b5cbf93c26a1062560a1e9f03a4e2e5c767b20eb75f5ad6
Instruction Fuzzy Hash: B0216D22B09E0686EB614B19A4403393AD9AB44FF4F294334C94EC73D8DF39D983D340

Non-executed Functions

Function 00007FF611307680 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 324libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF61130769B
GetProcAddress.KERNEL32 ref: 00007FF6113076B7
GetProcAddress.KERNEL32 ref: 00007FF6113076D3
GetProcAddress.KERNEL32 ref: 00007FF6113076EF
GetProcAddress.KERNEL32 ref: 00007FF61130770B
GetProcAddress.KERNEL32 ref: 00007FF611307727
GetProcAddress.KERNEL32 ref: 00007FF611307743
GetProcAddress.KERNEL32 ref: 00007FF61130775F
GetProcAddress.KERNEL32 ref: 00007FF61130777B
GetProcAddress.KERNEL32 ref: 00007FF611307797
GetProcAddress.KERNEL32 ref: 00007FF6113077B3
GetProcAddress.KERNEL32 ref: 00007FF6113077CF
GetProcAddress.KERNEL32 ref: 00007FF6113077EB
GetProcAddress.KERNEL32 ref: 00007FF611307807
GetProcAddress.KERNEL32 ref: 00007FF611307823
GetProcAddress.KERNEL32 ref: 00007FF61130783F
GetProcAddress.KERNEL32 ref: 00007FF61130785B
GetProcAddress.KERNEL32 ref: 00007FF611307877
GetProcAddress.KERNEL32 ref: 00007FF611307893
GetProcAddress.KERNEL32 ref: 00007FF6113078AF
GetProcAddress.KERNEL32 ref: 00007FF6113078CB
GetProcAddress.KERNEL32 ref: 00007FF6113078E7
GetProcAddress.KERNEL32 ref: 00007FF611307903
GetProcAddress.KERNEL32 ref: 00007FF61130791F
GetProcAddress.KERNEL32 ref: 00007FF61130793B
GetProcAddress.KERNEL32 ref: 00007FF611307957
GetProcAddress.KERNEL32 ref: 00007FF611307973
GetProcAddress.KERNEL32 ref: 00007FF61130798F
GetProcAddress.KERNEL32 ref: 00007FF6113079AB
GetProcAddress.KERNEL32 ref: 00007FF6113079C7
GetProcAddress.KERNEL32 ref: 00007FF6113079E3

Strings

Tk_Init, xrefs: 00007FF6113079BD
Tcl_DeleteInterp, xrefs: 00007FF611307739
Tcl_ConditionFinalize, xrefs: 00007FF6113077C5
Tcl_Finalize, xrefs: 00007FF611307701
Tcl_NewByteArrayObj, xrefs: 00007FF6113078DD
Tcl_SetVar2, xrefs: 00007FF61130786D
Failed to get address for Tcl_MutexLock, xrefs: 00007FF611307B18
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF611307A5E
Tcl_GetString, xrefs: 00007FF6113078A5
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF611307AA0
Tcl_CreateThread, xrefs: 00007FF611307755
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF611307AD0
Tcl_Free, xrefs: 00007FF6113079A1
Tcl_FinalizeThread, xrefs: 00007FF61130771D
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF611307BF0
Tcl_MutexUnlock, xrefs: 00007FF6113077A9
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF611307C08
Failed to get address for Tcl_Alloc, xrefs: 00007FF611307C68
Tcl_SetVar2Ex, xrefs: 00007FF6113078F9
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF611307B60
Tcl_EvalObjv, xrefs: 00007FF611307969
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF611307AE8
Tcl_CreateObjCommand, xrefs: 00007FF611307889
Tcl_ThreadQueueEvent, xrefs: 00007FF611307819
GetProcAddress, xrefs: 00007FF611307A06, 00007FF611307A26, 00007FF611307A3B, 00007FF611307A50, 00007FF611307A65, 00007FF611307A7A, 00007FF611307A8F, 00007FF611307AA7, 00007FF611307ABF, 00007FF611307AD7, 00007FF611307AEF, 00007FF611307B07, 00007FF611307B1F, 00007FF611307B37, 00007FF611307B4F, 00007FF611307B67, 00007FF611307B7F, 00007FF611307B97, 00007FF611307BAF, 00007FF611307BC7, 00007FF611307BDF, 00007FF611307BF7, 00007FF611307C0F, 00007FF611307C27, 00007FF611307C3F, 00007FF611307C57, 00007FF611307C6F, 00007FF611307C87, 00007FF611307C9F, 00007FF611307CB7, 00007FF611307CCF
Failed to get address for Tcl_EvalEx, xrefs: 00007FF611307C98
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF611307AB8
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF611307A1F
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF611307B00
Tcl_NewStringObj, xrefs: 00007FF6113078C1
Tcl_FindExecutable, xrefs: 00007FF6113076C9
Failed to get address for Tcl_Init, xrefs: 00007FF6113079FF
Failed to get address for Tcl_GetVar2, xrefs: 00007FF611307B30
Tcl_CreateInterp, xrefs: 00007FF6113076AD
Tcl_GetVar2, xrefs: 00007FF611307851
Tcl_EvalFile, xrefs: 00007FF611307931
Tcl_Alloc, xrefs: 00007FF611307985
Tcl_MutexLock, xrefs: 00007FF61130778D
Tcl_ConditionWait, xrefs: 00007FF6113077FD
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF611307C20
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF611307A88
Tk_GetNumMainWindows, xrefs: 00007FF6113079D9
Failed to get address for Tcl_Finalize, xrefs: 00007FF611307A49
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF611307BC0
Tcl_GetCurrentThread, xrefs: 00007FF611307771
Failed to get address for Tcl_Free, xrefs: 00007FF611307C50
Tcl_ConditionNotify, xrefs: 00007FF6113077E1
Tcl_EvalEx, xrefs: 00007FF61130794D
Tcl_Init, xrefs: 00007FF611307694
Failed to get address for Tcl_SetVar2, xrefs: 00007FF611307B90
Failed to get address for Tcl_GetString, xrefs: 00007FF611307BD8
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF611307C80
Tcl_DoOneEvent, xrefs: 00007FF6113076E5
Failed to get address for Tk_Init, xrefs: 00007FF611307CB0
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF611307BA8
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF611307CC8
Tcl_ThreadAlert, xrefs: 00007FF611307835
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF611307A34
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF611307B78
Failed to get address for Tcl_CreateThread, xrefs: 00007FF611307A73
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF611307B48
Failed to get address for Tcl_EvalFile, xrefs: 00007FF611307C38
Tcl_GetObjResult, xrefs: 00007FF611307915

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: bd663cd79cc008e1fc6f487746503f053cd2f66c41a095d1ba5e11cdaee36601
Instruction ID: 4ae7d2a216f3e0059a1e070bf8d7edda1573c9c8b6ae2da92e8bd57570d55d0d
Opcode Fuzzy Hash: bd663cd79cc008e1fc6f487746503f053cd2f66c41a095d1ba5e11cdaee36601
Instruction Fuzzy Hash: 85F17360A0DF0790FF16EB28A8550B423ADAF55FB0B945436D44EC62ADEF7CE64AC350

Function 00007FF611302710 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF611302743
MulDiv.KERNEL32 ref: 00007FF611302760
MulDiv.KERNEL32 ref: 00007FF611302779
SystemParametersInfoW.USER32 ref: 00007FF6113027BF
LoadIconMetric.COMCTL32 ref: 00007FF6113027F3
CreateWindowExW.USER32 ref: 00007FF611302851
CreateWindowExW.USER32 ref: 00007FF6113028AB
CreateWindowExW.USER32 ref: 00007FF61130290C
CreateWindowExW.USER32 ref: 00007FF61130296E
SendMessageW.USER32 ref: 00007FF611302991
SendMessageW.USER32 ref: 00007FF6113029A9
SendMessageW.USER32 ref: 00007FF6113029C4
SendMessageW.USER32 ref: 00007FF6113029E1
SendMessageW.USER32 ref: 00007FF6113029FC
SendMessageW.USER32 ref: 00007FF611302A17
SendMessageW.USER32 ref: 00007FF611302A32
SendMessageW.USER32 ref: 00007FF611302A46
SendMessageW.USER32 ref: 00007FF611302A5B
GetClientRect.USER32 ref: 00007FF611302A66
CreateFontIndirectW.GDI32 ref: 00007FF611302A88

Strings

BUTTON, xrefs: 00007FF611302924
Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF61130271B
Close, xrefs: 00007FF611302914
EDIT, xrefs: 00007FF6113028C2
, xrefs: 00007FF6113027AD
STATIC, xrefs: 00007FF6113027EC

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: MessageSend$Create$Window$BaseClientDialogFontIconIndirectInfoLoadMetricParametersRectSystemUnits
String ID: $BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 3223904152-1365983254
Opcode ID: 23d76df661166ccc8bf8808f21f1e890a82357284aeaf219810838731c85fa8c
Instruction ID: 71ff43d844c84a8a613212993264d43aaf56f03bbba0739b1e19ffdf6de324d7
Opcode Fuzzy Hash: 23d76df661166ccc8bf8808f21f1e890a82357284aeaf219810838731c85fa8c
Instruction Fuzzy Hash: 58917736218B9582E7508F61E45479A7764F788BD8F24413AEE8C4BB9CCF7EC185CB50

Function 00007FF611308CD0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF611308D12
WideCharToMultiByte.KERNEL32 ref: 00007FF611308D52
GetLastError.KERNEL32 ref: 00007FF611308D98

Strings

PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF611308DC3
No error messages generated., xrefs: 00007FF611308D70
WideCharToMultiByte, xrefs: 00007FF611308CD6, 00007FF611308DB7
Failed to encode wchar_t as UTF-8., xrefs: 00007FF611308DB0
FormatMessageW, xrefs: 00007FF611308D77
PyInstaller: FormatMessageW failed., xrefs: 00007FF611308D83

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharErrorFormatLastMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 1653872744-2573406579
Opcode ID: 024fbe4156dcd0bd8b1afa62f143db975c9d56f4e4c52d1d88309cd898284ba8
Instruction ID: c9ac70e996a78456ca74bd52e1d2cbdda75d1d182bfa108752427fcce29453be
Opcode Fuzzy Hash: 024fbe4156dcd0bd8b1afa62f143db975c9d56f4e4c52d1d88309cd898284ba8
Instruction Fuzzy Hash: F421A571E0CE0281F720AB14F8583AA23A8BF55BB4F844534EA4DC66ACEF3CD549C700

Function 00007FF6113015E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6113015F7
LoadLibraryA.KERNEL32 ref: 00007FF611301608
GetProcAddress.KERNEL32 ref: 00007FF611301626
GetProcAddress.KERNEL32 ref: 00007FF611301635

Strings

__register_frame_info, xrefs: 00007FF611301615
__deregister_frame_info, xrefs: 00007FF611301628
libgcc_s_dw2-1.dll, xrefs: 00007FF6113015ED

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: c987cd605a046c4775a246cf352f7a0ef9f3b92eb4b15ad4de75813f5d1440e3
Instruction ID: 93bfa6b5016b5c9158fa77e4a97cc2c9e01a359e92fd018dc08700346b207ebe
Opcode Fuzzy Hash: c987cd605a046c4775a246cf352f7a0ef9f3b92eb4b15ad4de75813f5d1440e3
Instruction Fuzzy Hash: B5017E25A0AE1B95EB25AB15BC505B423A8BF49FF5F884131D80ED736CAF2CE54AC340

Function 00007FF611315D5A Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 1364COMMON

Download Yara Rule

Strings

Infinity, xrefs: 00007FF611315E5D
NaN, xrefs: 00007FF611315E8E

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID:
String ID: Infinity$NaN
API String ID: 0-4285296124
Opcode ID: beb020b211eaaca1f32f7ce65c3d9009a7195868fcd7db736676572f372752d4
Instruction ID: e54f2f3a109da1592c8b37d48c7c300ef4054ff5412b469f7aab858d5894ea82
Opcode Fuzzy Hash: beb020b211eaaca1f32f7ce65c3d9009a7195868fcd7db736676572f372752d4
Instruction Fuzzy Hash: BCE22672A04B858EE751CFB9C4442AC37B9FB45BA8F148225EA0D97B5DDF78E481CB40

Function 00007FF61130B458 Relevance: 3.9, Strings: 3, Instructions: 138COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF61130C1CD
unknown compression method, xrefs: 00007FF61130BF69
invalid window size, xrefs: 00007FF61130C58A

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size$unknown compression method
API String ID: 0-1186847913
Opcode ID: 4496b91970aba0857bed3007b949b9b7e2b63f9dde9968431ed31718af5f9cf1
Instruction ID: e2a983b76a32b9b17178149b9e4158321bd8b09f415521fe6eb24b6f9aff4b0a
Opcode Fuzzy Hash: 4496b91970aba0857bed3007b949b9b7e2b63f9dde9968431ed31718af5f9cf1
Instruction Fuzzy Hash: 6751D476A18B168BE7688E24948C53E36EDEB44B90F118139DB1EC7788DF3CE905DB04

Function 00007FF61130B478 Relevance: 1.5, APIs: 1, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa4ac71a5e31e2cc150ff49e4ee7ea9fb9e70d7c6dba1bfe7d3f5ad9a10a4b2
Instruction ID: 2f56806fa9027c50701d10015d3b5b0034a5a2b2b280206c0f0006c35e1b6c1f
Opcode Fuzzy Hash: 1fa4ac71a5e31e2cc150ff49e4ee7ea9fb9e70d7c6dba1bfe7d3f5ad9a10a4b2
Instruction Fuzzy Hash: 47B18076E08A518AE7698F149048B3A7BE9EB85BA4F154138DF4DC7B8CDF39D900CB40

Function 00007FF61130D100 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82756fd2ac5761be83388b480f9d5e46744741ce7b61d765b3fcf86fb2cc7fb8
Instruction ID: e68c483f4ed0dd3e1a9e2b9c9fbc1b1a9613480910b59918f00109ff08243364
Opcode Fuzzy Hash: 82756fd2ac5761be83388b480f9d5e46744741ce7b61d765b3fcf86fb2cc7fb8
Instruction Fuzzy Hash: ABE1C533A1CA9286D7658F14E00427EB7E4FB94B68F454135EA8AD3B98DF3DE944CB00

Function 00007FF611309A60 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee928d4349295dd83296cb3ffc0a74822f4b4d78fe9c71e83768e58e224ea547
Instruction ID: 180a6d855534ee18619feb45891d3e60f79152cff8a8e4688e7bcf09976170ad
Opcode Fuzzy Hash: ee928d4349295dd83296cb3ffc0a74822f4b4d78fe9c71e83768e58e224ea547
Instruction Fuzzy Hash: 2CA1F773B245A047EF54CB2A941467A7BE2F74ABA1B84E231DF8D87788DA3DE415C700

Function 00007FF611329618 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c548e54cdb996a2b16215551ee39b84b181e4f79eb41d6fe7a4830435a94d8
Instruction ID: 21e9586169b9d30194ec7a1905af98ffb622e58fc59f065719672d38b9d8742b
Opcode Fuzzy Hash: 64c548e54cdb996a2b16215551ee39b84b181e4f79eb41d6fe7a4830435a94d8
Instruction Fuzzy Hash: 1BC0125BD0EAE10AE270472808A802C2BC0EBA1E34B080078C284863D2A85A240A8B00

Function 00007FF6113059C0 Relevance: 233.2, APIs: 44, Strings: 89, Instructions: 451libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000000,?,?,00007FF611303C0D), ref: 00007FF6113059D7
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF6113059F3
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A0F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A2B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A47
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A63
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A7F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A9B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305AB7
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305AD3
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305AEF
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B0B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B27
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B43
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B5F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B7B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B97
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305BB3
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305BCF
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305BEB
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C07
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C23
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C3F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C5B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C77
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C93
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305CAF
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305CCB
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305CE7
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D03
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D1F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D3B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D57
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D73
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D8F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305DAB
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305DC7
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305DE3
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305DFF
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305E1B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305E37
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305E53
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305E6F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305E8B

Strings

Failed to get address for Py_Finalize, xrefs: 00007FF611305F06
Py_Finalize, xrefs: 00007FF611305A21
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF611305F78
PySys_GetObject, xrefs: 00007FF611305DA1
PyErr_Fetch, xrefs: 00007FF611305B55
Failed to get address for Py_DecodeLocale, xrefs: 00007FF611305EDC
Py_DecodeLocale, xrefs: 00007FF6113059E9
Failed to get address for PyErr_Occurred, xrefs: 00007FF611305FD8
PyUnicode_Join, xrefs: 00007FF611305E65
PyErr_Clear, xrefs: 00007FF611305B39
PyMem_RawFree, xrefs: 00007FF611305C89
PyObject_Str, xrefs: 00007FF611305D31
Failed to get address for PyUnicode_Join, xrefs: 00007FF611306278
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF611305FA8
Failed to get address for PyErr_Print, xrefs: 00007FF611306038
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF611306218
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF6113061A0
Py_InitializeFromConfig, xrefs: 00007FF611305A3D
Failed to get address for Py_DecRef, xrefs: 00007FF611305EA6
Failed to get address for PyImport_ImportModule, xrefs: 00007FF6113060B0
PyObject_CallFunction, xrefs: 00007FF611305CC1
Failed to get address for PyConfig_Clear, xrefs: 00007FF611305F1B
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF6113060C8
PyErr_Occurred, xrefs: 00007FF611305B8D
Failed to get address for PyStatus_Exception, xrefs: 00007FF6113061B8
PyMarshal_ReadObjectFromString, xrefs: 00007FF611305C6D
PySys_SetObject, xrefs: 00007FF611305DBD
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF611306158
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF611306188
PyObject_SetAttrString, xrefs: 00007FF611305D15
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF6113060E0
Failed to get address for Py_ExitStatusException, xrefs: 00007FF611305EC7
Failed to get address for PyConfig_Read, xrefs: 00007FF611305FC0
PyUnicode_FromString, xrefs: 00007FF611305E49
Failed to get address for Py_IsInitialized, xrefs: 00007FF611305F48
PyImport_ImportModule, xrefs: 00007FF611305C35
Failed to get address for PyObject_CallFunction, xrefs: 00007FF611306110
PyModule_GetDict, xrefs: 00007FF611305CA5
PyObject_GetAttrString, xrefs: 00007FF611305CF9
PyErr_Restore, xrefs: 00007FF611305BC5
Failed to get address for PyList_Append, xrefs: 00007FF611306098
GetProcAddress, xrefs: 00007FF611305EAD, 00007FF611305ECE, 00007FF611305EE3, 00007FF611305EF8, 00007FF611305F0D, 00007FF611305F22, 00007FF611305F37, 00007FF611305F4F, 00007FF611305F67, 00007FF611305F7F, 00007FF611305F97, 00007FF611305FAF, 00007FF611305FC7, 00007FF611305FDF, 00007FF611305FF7, 00007FF61130600F, 00007FF611306027, 00007FF61130603F, 00007FF611306057, 00007FF61130606F, 00007FF611306087, 00007FF61130609F, 00007FF6113060B7, 00007FF6113060CF, 00007FF6113060E7, 00007FF6113060FF, 00007FF611306117, 00007FF61130612F, 00007FF611306147, 00007FF61130615F, 00007FF611306177, 00007FF61130618F, 00007FF6113061A7, 00007FF6113061BF, 00007FF6113061D7, 00007FF6113061EF, 00007FF611306207, 00007FF61130621F, 00007FF611306237, 00007FF61130624F, 00007FF611306267, 00007FF61130627F, 00007FF611306297, 00007FF6113062AF
PyEval_EvalCode, xrefs: 00007FF611305BE1
Failed to get address for PyUnicode_Replace, xrefs: 00007FF6113062A8
Failed to get address for PyErr_Fetch, xrefs: 00007FF611306008
PyUnicode_FromFormat, xrefs: 00007FF611305E2D
PyImport_ExecCodeModule, xrefs: 00007FF611305C19
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF611305F60
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF6113061D0
PyUnicode_Decode, xrefs: 00007FF611305DF5
Failed to get address for PyUnicode_FromString, xrefs: 00007FF611306290
PyList_Append, xrefs: 00007FF611305C51
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF611305EF1
PyConfig_SetString, xrefs: 00007FF611305B01
PyConfig_SetBytesString, xrefs: 00007FF611305AE5
Py_DecRef, xrefs: 00007FF6113059CD
PyObject_CallFunctionObjArgs, xrefs: 00007FF611305CDD
Failed to get address for PySys_GetObject, xrefs: 00007FF611306200
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF611306230
PyUnicode_Replace, xrefs: 00007FF611305E81
Py_ExitStatusException, xrefs: 00007FF611305A05
PyConfig_Read, xrefs: 00007FF611305AC9
PyRun_SimpleStringFlags, xrefs: 00007FF611305D69
Failed to get address for PySys_SetObject, xrefs: 00007FF6113061E8
Py_IsInitialized, xrefs: 00007FF611305A59
Failed to get address for Py_PreInitialize, xrefs: 00007FF611305F30
Failed to get address for PyObject_Str, xrefs: 00007FF611306170
Failed to get address for PyErr_Restore, xrefs: 00007FF611306050
PyUnicode_DecodeFSDefault, xrefs: 00007FF611305E11
PyErr_NormalizeException, xrefs: 00007FF611305B71
PyErr_Print, xrefs: 00007FF611305BA9
PyImport_AddModule, xrefs: 00007FF611305BFD
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF611305D4D
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF611305FF0
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF6113060F8
Failed to get address for PyConfig_SetString, xrefs: 00007FF611305F90
PyConfig_InitIsolatedConfig, xrefs: 00007FF611305AAD
PyConfig_Clear, xrefs: 00007FF611305A91
Failed to get address for PyMem_RawFree, xrefs: 00007FF611306140
Failed to get address for PyUnicode_Decode, xrefs: 00007FF611306248
PyUnicode_AsUTF8, xrefs: 00007FF611305DD9
Failed to get address for PyImport_AddModule, xrefs: 00007FF611306068
Failed to get address for PyModule_GetDict, xrefs: 00007FF611306128
PyConfig_SetWideStringList, xrefs: 00007FF611305B1D
Failed to get address for PyEval_EvalCode, xrefs: 00007FF611306080
PyStatus_Exception, xrefs: 00007FF611305D85
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF611306260
Failed to get address for PyErr_Clear, xrefs: 00007FF611306020
Py_PreInitialize, xrefs: 00007FF611305A75

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: 50e6ba4ab6fb6236e3085a79b8dda0dff8723994d665336298622606d247f3f2
Instruction ID: 7968e8721a7397b5826d877ad782a8669c129fe8c64f7ffa4e4c6d67a4746fe7
Opcode Fuzzy Hash: 50e6ba4ab6fb6236e3085a79b8dda0dff8723994d665336298622606d247f3f2
Instruction Fuzzy Hash: 7132B260A5DF0790EF19DB14A8511B823BDBF44BA0B94903AC44EC26ADEF7CF609D351

Function 00007FF6113037E0 Relevance: 33.5, APIs: 6, Strings: 13, Instructions: 254COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF611303924

Strings

%s%c%s.py, xrefs: 00007FF611303899
\, xrefs: 00007FF611303891
__file__, xrefs: 00007FF6113038C4
__main__, xrefs: 00007FF611303807
Traceback is disabled via bootloader option., xrefs: 00007FF6113039F9
format_exception, xrefs: 00007FF611303AA8
Could not get __main__ module., xrefs: 00007FF611303A51
_pyi_main_co, xrefs: 00007FF6113038FD
Could not get __main__ module's dict., xrefs: 00007FF611303A62
Failed to unmarshal code object for %s, xrefs: 00007FF61130395C
traceback, xrefs: 00007FF611303A7F
Absolute path to script exceeds PATH_MAX, xrefs: 00007FF611303946
pyi-disable-windowed-traceback, xrefs: 00007FF6113039E2

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: free
String ID: %s%c%s.py$Absolute path to script exceeds PATH_MAX$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to unmarshal code object for %s$Traceback is disabled via bootloader option.$\$__file__$__main__$_pyi_main_co$format_exception$pyi-disable-windowed-traceback$traceback
API String ID: 1294909896-4198433784
Opcode ID: 900ce7977e4f46f4bc27d2a17498c34b4b329bf408e99df8640a570d0382665c
Instruction ID: 56c776225090d59bfb3fa0882e7a3a49fa7be6b75401942f9dbc3034880c9aa5
Opcode Fuzzy Hash: 900ce7977e4f46f4bc27d2a17498c34b4b329bf408e99df8640a570d0382665c
Instruction Fuzzy Hash: E8B13F29B09F4A85EB14AB26E85417A23B9BF89FE4F444032DD1EC7768DE3CE505D340

Function 00007FF61130F060 Relevance: 25.7, APIs: 17, Instructions: 211COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF61130F079
_strdup.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F090
setlocale.MSVCRT ref: 00007FF61130F0A8
mbstowcs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F0DF
mbstowcs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F13F
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F246
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F27F
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F2AE
realloc.MSVCRT ref: 00007FF61130F2C9
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F2F5
setlocale.MSVCRT ref: 00007FF61130F306
free.MSVCRT ref: 00007FF61130F312
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F33B
realloc.MSVCRT ref: 00007FF61130F356
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F37A
setlocale.MSVCRT ref: 00007FF61130F38B
free.MSVCRT ref: 00007FF61130F397

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: wcstombs$setlocale$freembstowcsrealloc$_strdup
String ID:
API String ID: 1093732947-0
Opcode ID: 4057a5c6bd61162031fd582af2eb34abd572d533eb0d544b39b7c2850e9da645
Instruction ID: 358843187ec5ca5b56c6696eb846954c362f31337e0b70162652fa30255411a7
Opcode Fuzzy Hash: 4057a5c6bd61162031fd582af2eb34abd572d533eb0d544b39b7c2850e9da645
Instruction Fuzzy Hash: 43A12666B05F1989EB509BA6D8402BC33F8BB49FA8F404539DE5CA7B99EF3CD4018351

Function 00007FF611303340 Relevance: 25.7, APIs: 2, Strings: 15, Instructions: 196stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6113032D0: strcpy.MSVCRT(00000000,?,_MEIPASS2,00000000,00007FF611303721), ref: 00007FF611303313

Part of subcall function 00007FF611302240: strlen.MSVCRT ref: 00007FF611302257

strcmp.MSVCRT ref: 00007FF61130348A

Strings

%s%c%s.exe, xrefs: 00007FF611303444
Archive path exceeds PATH_MAX, xrefs: 00007FF611303660
Failed to extract %s from referenced dependency archive %s., xrefs: 00007FF611303696
pyi-contents-directory, xrefs: 00007FF6113033B3
%s%c%s, xrefs: 00007FF611303631
Referenced dependency archive %s not found., xrefs: 00007FF611303648
\, xrefs: 00007FF611303541
_MEIPASS2, xrefs: 00007FF611303347
\, xrefs: 00007FF6113033DC
%s%c%s%c%s%c%s, xrefs: 00007FF6113033E4
Failed to open referenced dependency archive %s., xrefs: 00007FF611303677
%s%c%s.pkg, xrefs: 00007FF611303420
Failed to copy file %s from %s!, xrefs: 00007FF611303515
%s%c%s%c%s, xrefs: 00007FF611303549
Failed to open archive %s!, xrefs: 00007FF6113036A7

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: %s%c%s$%s%c%s%c%s$%s%c%s%c%s%c%s$%s%c%s.exe$%s%c%s.pkg$Archive path exceeds PATH_MAX$Failed to copy file %s from %s!$Failed to extract %s from referenced dependency archive %s.$Failed to open archive %s!$Failed to open referenced dependency archive %s.$Referenced dependency archive %s not found.$\$\$_MEIPASS2$pyi-contents-directory
API String ID: 895318938-459211576
Opcode ID: fd39c2760308aef11e2db745e75fa541c5fb47fde11d8f7162a83a1c834ded2e
Instruction ID: 73cb16085dd900b7f67e777171b74fab2e3f0943e2e617497ff1a57581833976
Opcode Fuzzy Hash: fd39c2760308aef11e2db745e75fa541c5fb47fde11d8f7162a83a1c834ded2e
Instruction Fuzzy Hash: 0C814A25A0CE4689EB249B21E8446BB63ADAF44FF4F444132EA4DD77DEDE2CE506C740

Function 00007FF6113049F0 Relevance: 22.7, APIs: 7, Strings: 8, Instructions: 203stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF611304A0D
strncmp.MSVCRT ref: 00007FF611304A91
strcmp.MSVCRT ref: 00007FF611304AAB

Strings

optimize, xrefs: 00007FF611304AF8
unbuffered, xrefs: 00007FF611304A51
dev, xrefs: 00007FF611304B83
pyi-, xrefs: 00007FF611304A3B
hash_seed, xrefs: 00007FF611304CC0
verbose, xrefs: 00007FF611304A42
_MEIPASS2, xrefs: 00007FF6113049F4
utf8, xrefs: 00007FF611304B7C

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: callocstrcmpstrncmp
String ID: _MEIPASS2$dev$hash_seed$optimize$pyi-$unbuffered$utf8$verbose
API String ID: 3864021093-2470803696
Opcode ID: 451d73b7ff344c03704b212d97ce530da948a4f6c025c6dc93e866c2767be9a3
Instruction ID: 43dd1adee11f9c95113bd6cf3815a60c00f1d351f4db543391c28fa7c551f445
Opcode Fuzzy Hash: 451d73b7ff344c03704b212d97ce530da948a4f6c025c6dc93e866c2767be9a3
Instruction Fuzzy Hash: 0C819562E0CE4256FF65DB22A40437A6AE9AF45F78F448035CA4DC66CDDF7CE6858304

Function 00007FF611301B30 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF611304650: _wfopen.MSVCRT ref: 00007FF611304695

malloc.MSVCRT ref: 00007FF611301B80
fread.MSVCRT ref: 00007FF611301BD3
free.MSVCRT ref: 00007FF611301BF8
fclose.MSVCRT ref: 00007FF611301C03

Strings

malloc, xrefs: 00007FF611301C85
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF611301C7E
Failed to extract %s: failed to open archive file!, xrefs: 00007FF611301C65
fseek, xrefs: 00007FF611301C4C
fread, xrefs: 00007FF611301BE9
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF611301BE2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF611301C45
_MEIPASS2, xrefs: 00007FF611301B30

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: _wfopenfclosefreadfreemalloc
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$_MEIPASS2$fread$fseek$malloc
API String ID: 3354994319-975985129
Opcode ID: 2abe935b5ea5116503a70314594df6f61392fc82d382527488ef19b0ba87d799
Instruction ID: 19ba8768eb761e48cedd2b0abc945a7dccd61e1ec89d696ce9ab765ff50e25e5
Opcode Fuzzy Hash: 2abe935b5ea5116503a70314594df6f61392fc82d382527488ef19b0ba87d799
Instruction Fuzzy Hash: F9319E51B09E1B51FF19A7119854AFA12ACAF14FF8F844036EC0DC769EEE6CE50AC300

Function 00007FF611302B90 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF611302BB8
memset.MSVCRT ref: 00007FF611302C04
_wcsdup.MSVCRT ref: 00007FF611302C14
_wcsdup.MSVCRT ref: 00007FF611302C24
_wcsdup.MSVCRT ref: 00007FF611302C34
DialogBoxIndirectParamW.USER32 ref: 00007FF611302C56
free.MSVCRT ref: 00007FF611302C66
free.MSVCRT ref: 00007FF611302C73
free.MSVCRT ref: 00007FF611302C80
DeleteObject.GDI32 ref: 00007FF611302C92
DestroyIcon.USER32 ref: 00007FF611302CA5

Strings

Unhandled exception in script, xrefs: 00007FF611302BC8

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: _wcsdupfree$DeleteDestroyDialogHandleIconIndirectModuleObjectParammemset
String ID: Unhandled exception in script
API String ID: 3963799495-2699770090
Opcode ID: 63ee56fe181a1917596a2b7ec1c70eb69a51c0cc73ba7970fc3e78cbc600a575
Instruction ID: a23022fd173faae4c7dabd0f3f57d8b74b144ae53c7ae6608eb2e7cf232be820
Opcode Fuzzy Hash: 63ee56fe181a1917596a2b7ec1c70eb69a51c0cc73ba7970fc3e78cbc600a575
Instruction Fuzzy Hash: AE215136B09E8581EB65EB62B8546EB6368FBC9FA0F440135EE4E87B49DE3CD045C740

Function 00007FF611306450 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6113049F0: calloc.MSVCRT ref: 00007FF611304A0D
Part of subcall function 00007FF6113049F0: strncmp.MSVCRT ref: 00007FF611304A91
Part of subcall function 00007FF6113049F0: strcmp.MSVCRT ref: 00007FF611304AAB

Part of subcall function 00007FF6113051B0: calloc.MSVCRT ref: 00007FF6113051D1

fflush.MSVCRT ref: 00007FF611306571
fflush.MSVCRT ref: 00007FF611306580

Strings

Failed to start embedded python interpreter!, xrefs: 00007FF61130658A
Failed to set python home path!, xrefs: 00007FF6113065E8
Failed to set module search paths!, xrefs: 00007FF6113065F6
Failed to set program name!, xrefs: 00007FF6113065DA
Failed to set run-time options!, xrefs: 00007FF611306620
Failed to parse run-time options!, xrefs: 00007FF611306612
Failed to pre-initialize embedded python interpreter!, xrefs: 00007FF6113065C2
Failed to set sys.argv!, xrefs: 00007FF611306604
Failed to allocate PyConfig structure! Unsupported python version?, xrefs: 00007FF61130662E

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: callocfflush$strcmpstrncmp
String ID: Failed to allocate PyConfig structure! Unsupported python version?$Failed to parse run-time options!$Failed to pre-initialize embedded python interpreter!$Failed to set module search paths!$Failed to set program name!$Failed to set python home path!$Failed to set run-time options!$Failed to set sys.argv!$Failed to start embedded python interpreter!
API String ID: 2710203250-3807717293
Opcode ID: 20069458dbc6cbfea570bcd6b724cb1ff9c6197de144f72581953467c1bf7855
Instruction ID: 1117b7a542243e7d961cb3f266d51af83b42f4c675e4a000774ed07a24314ea8
Opcode Fuzzy Hash: 20069458dbc6cbfea570bcd6b724cb1ff9c6197de144f72581953467c1bf7855
Instruction Fuzzy Hash: B051F850A0CE5781FB15AB29E8551B953EDAF80FF4F541132EE4EC62EEEE2DE9059300

Function 00007FF611306D80 Relevance: 18.1, APIs: 9, Strings: 3, Instructions: 131stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF611306DA9
memcpy.MSVCRT ref: 00007FF611306DED
strlen.MSVCRT ref: 00007FF611306E07
strlen.MSVCRT ref: 00007FF611306E14
strlen.MSVCRT ref: 00007FF611306E40
free.MSVCRT ref: 00007FF611306E93
strncpy.MSVCRT ref: 00007FF611306EED
strncpy.MSVCRT ref: 00007FF611306F1A
strncpy.MSVCRT ref: 00007FF611306F89

Strings

SPLASH: Cannot find requirement %s in archive., xrefs: 00007FF611306E7F
_MEIPASS2, xrefs: 00007FF611306D89
SPLASH: Cannot extract requirement %s., xrefs: 00007FF611306F53

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: strlenstrncpy$callocfreememcpy
String ID: SPLASH: Cannot extract requirement %s.$SPLASH: Cannot find requirement %s in archive.$_MEIPASS2
API String ID: 4189425833-927121926
Opcode ID: fa06c1771d126537b0c576a2152c8899150302a8b01afd59cc48e191a0e66960
Instruction ID: 507705ac32582b1ea7933cbfe9e5517200da6e8b4514d1ff1b5df0d82a5cbdd0
Opcode Fuzzy Hash: fa06c1771d126537b0c576a2152c8899150302a8b01afd59cc48e191a0e66960
Instruction Fuzzy Hash: 3641C592708E4255EB18EA22D9042FB63A9BF45FE4F844135EE1DC778EDE2CE656C300

Function 00007FF611306B90 Relevance: 18.1, APIs: 10, Strings: 2, Instructions: 114stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 00007FF611306BF1
strncpy.MSVCRT ref: 00007FF611306C07
strncpy.MSVCRT ref: 00007FF611306C1D
calloc.MSVCRT ref: 00007FF611306C53
malloc.MSVCRT ref: 00007FF611306C73
malloc.MSVCRT ref: 00007FF611306C93
memcpy.MSVCRT ref: 00007FF611306CC7
memcpy.MSVCRT ref: 00007FF611306CDC
memcpy.MSVCRT ref: 00007FF611306CF1
free.MSVCRT ref: 00007FF611306CF9

Strings

Cannot allocate memory for necessary files., xrefs: 00007FF611306D11
_MEIPASS2, xrefs: 00007FF611306B94

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: memcpystrncpy$malloc$callocfree
String ID: Cannot allocate memory for necessary files.$_MEIPASS2
API String ID: 1819673767-1389504347
Opcode ID: 6abde95e514940232a5d18ebf8d6e33772cb9ca00dbb0a1e4aaf4026809cc789
Instruction ID: 1dc04f59f199458a8da713bedb3bcb0f6aec249f024fcfc4dd4aec9ef68358b0
Opcode Fuzzy Hash: 6abde95e514940232a5d18ebf8d6e33772cb9ca00dbb0a1e4aaf4026809cc789
Instruction Fuzzy Hash: 8341E4A2B05A0657EB18EA22D9442E9B3A9FB44FA0F544530DF1D87B89EF7CE1528300

Function 00007FF611302500 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF611302521
SelectObject.GDI32 ref: 00007FF611302578
DrawTextW.USER32 ref: 00007FF61130259B
SelectObject.GDI32 ref: 00007FF6113025B1
ReleaseDC.USER32 ref: 00007FF6113025C1
MoveWindow.USER32 ref: 00007FF61130260D
MoveWindow.USER32 ref: 00007FF61130264C
MoveWindow.USER32 ref: 00007FF61130269D
MoveWindow.USER32 ref: 00007FF6113026DA

Strings

P%, xrefs: 00007FF611302581

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 6e54ce7222580e4a214d1a9fc401257ee609a80b666226e2997e335eb7f2f95f
Instruction ID: bbe6ee1b6d3a3a77068812d9bbd6c62cec49c7f5faf5a80af74b795f75b0360c
Opcode Fuzzy Hash: 6e54ce7222580e4a214d1a9fc401257ee609a80b666226e2997e335eb7f2f95f
Instruction Fuzzy Hash: 47418776214BA186D7208F36E408779B7A5F788F99F084231EE8987B59EF3CD145CB20

Function 00007FF6113086B0 Relevance: 15.1, APIs: 10, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF611304650: _wfopen.MSVCRT ref: 00007FF611304695

fread.MSVCRT ref: 00007FF611308721
ferror.MSVCRT ref: 00007FF611308731
clearerr.MSVCRT(00000000,?,?,00007FF61130350A,00000000), ref: 00007FF61130873D
fwrite.MSVCRT ref: 00007FF611308753
ferror.MSVCRT ref: 00007FF611308760
clearerr.MSVCRT(00000000,?,?,00007FF61130350A,00000000), ref: 00007FF61130876C
fclose.MSVCRT ref: 00007FF611308779
fclose.MSVCRT ref: 00007FF611308781
fclose.MSVCRT ref: 00007FF6113087A4
fclose.MSVCRT ref: 00007FF6113087B1

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fclose$clearerrferror$_wfopenfreadfwrite
String ID:
API String ID: 4075948245-0
Opcode ID: d078c9525b3220c8e229ac5f92ee0f03a0fc95d342679d59fcabbb94bb70f7c3
Instruction ID: dad51293285be833ac92c51cc72ebd40228db87bdf95f3a57c87f9ce257a7fda
Opcode Fuzzy Hash: d078c9525b3220c8e229ac5f92ee0f03a0fc95d342679d59fcabbb94bb70f7c3
Instruction Fuzzy Hash: 4D21F310E09A4341FA29A6226A193F942D90F46FF0E5801B4ED1EDB7CEEE2CE9524341

Function 00007FF611312D4B Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176stringCOMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF611312DEE
fwprintf.MSVCRT ref: 00007FF611312E23
memset.MSVCRT ref: 00007FF611312F0A
strlen.MSVCRT ref: 00007FF611312F22

Part of subcall function 00007FF611318E6E: ___mb_cur_max_func.MSVCRT ref: 00007FF611318EA4
Part of subcall function 00007FF611318E6E: ___lc_codepage_func.MSVCRT ref: 00007FF611318EAB

fwprintf.MSVCRT ref: 00007FF611312E4B

Part of subcall function 00007FF611312CC0: fputwc.MSVCRT ref: 00007FF611312D10

Strings

%.*S, xrefs: 00007FF611312E41
%*.*S, xrefs: 00007FF611312DE4
%-*.*S, xrefs: 00007FF611312E19

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fwprintf$___lc_codepage_func___mb_cur_max_funcfputwcmemsetstrlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 1485978544-2115465065
Opcode ID: 5a4758fc2b7250ab57d84d915ac7ea9a8d289e4afafd195f03aed32c1a1e0ffa
Instruction ID: 75f8b3f023b56bbab9ca2e055c262703fd6de8f728d65a6eca5afd5a5e8b14ab
Opcode Fuzzy Hash: 5a4758fc2b7250ab57d84d915ac7ea9a8d289e4afafd195f03aed32c1a1e0ffa
Instruction Fuzzy Hash: C781D776A04B498EEB14CF6AC8806AC77B4F748FA8F118525EE5D87B58DF38D510CB50

Function 00007FF611308EC0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF611308F08
WideCharToMultiByte.KERNEL32 ref: 00007FF611308F5A
calloc.MSVCRT ref: 00007FF611308F70

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF611308FC0
win32_utils_to_utf8, xrefs: 00007FF611308F88
WideCharToMultiByte, xrefs: 00007FF611308FA7, 00007FF611308FC7
Failed to encode wchar_t as UTF-8., xrefs: 00007FF611308FA0
Out of memory., xrefs: 00007FF611308F81

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1374691127-27947307
Opcode ID: 610e830cc156b7b5144b5e984da796cd542280474a5d718d75e7e6b0456d95c9
Instruction ID: a54531b54b36b916956c4e85298a8d55651bc6033303cff3e661cfbe370874ae
Opcode Fuzzy Hash: 610e830cc156b7b5144b5e984da796cd542280474a5d718d75e7e6b0456d95c9
Instruction Fuzzy Hash: B121B361B09F4284FB10EB65B85437A6299AF85BF4F444639EA4DCB6DDEF7CE1088300

Function 00007FF611308DD0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF611308E12
calloc.MSVCRT ref: 00007FF611308E22
WideCharToMultiByte.KERNEL32 ref: 00007FF611308E57

Strings

WideCharToMultiByte, xrefs: 00007FF611308E77, 00007FF611308E97
win32_wcs_to_mbs, xrefs: 00007FF611308EAE
Failed to get ANSI buffer size., xrefs: 00007FF611308E70
Failed to encode filename as ANSI., xrefs: 00007FF611308E90
Out of memory., xrefs: 00007FF611308EA7

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Out of memory.$WideCharToMultiByte$win32_wcs_to_mbs
API String ID: 1374691127-3831141058
Opcode ID: 3053fae4ff6c96a7205fc05c2f0ab597f00dd46bdd9511d4cab0f019121f0fe5
Instruction ID: 2f3b467799820a6602a7dd90b9976d695f1a60aad8dd9ce4870ce1520556efea
Opcode Fuzzy Hash: 3053fae4ff6c96a7205fc05c2f0ab597f00dd46bdd9511d4cab0f019121f0fe5
Instruction Fuzzy Hash: 5121C031A0CE4684F710AB65B85836A26E9EB45BF4F844239EA4DC66DDEF7CE104C340

Function 00007FF6113089F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF611308A0B
_strdup.MSVCRT ref: 00007FF611308A3C
_errno.MSVCRT ref: 00007FF611308A70
strerror.MSVCRT ref: 00007FF611308A78
_errno.MSVCRT ref: 00007FF611308A95
strerror.MSVCRT ref: 00007FF611308A9D

Strings

LOADER: failed to strdup argv[%d]: %s, xrefs: 00007FF611308A7F
LOADER: failed to allocate argv_pyi: %s, xrefs: 00007FF611308AA2

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: _errnostrerror$_strdupcalloc
String ID: LOADER: failed to allocate argv_pyi: %s$LOADER: failed to strdup argv[%d]: %s
API String ID: 4278403329-2782260415
Opcode ID: d96aacef9ed84a949530d77edcfedc7950ec38b60155a97baa6cd5d3fb4306df
Instruction ID: ea8c31593786c9a4929a199a3efa107a26e06077b2887bc8933314cb2c822c43
Opcode Fuzzy Hash: d96aacef9ed84a949530d77edcfedc7950ec38b60155a97baa6cd5d3fb4306df
Instruction Fuzzy Hash: 92119021E09E028AFB11AB64E8455B922A9BF45FB0F544134DE1EC3399FF3CA895C340

Function 00007FF611306640 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 102stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF61130665B
free.MSVCRT ref: 00007FF61130676B

Strings

utf-8, xrefs: 00007FF611306667
Module object for %s is NULL!, xrefs: 00007FF611306736
_MEIPASS, xrefs: 00007FF611306690
strict, xrefs: 00007FF611306660
Failed to get _MEIPASS as PyObject., xrefs: 00007FF611306799
_MEIPASS2, xrefs: 00007FF611306642

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: freestrlen
String ID: Failed to get _MEIPASS as PyObject.$Module object for %s is NULL!$_MEIPASS$_MEIPASS2$strict$utf-8
API String ID: 322734593-568040347
Opcode ID: a5cf2be722d84fc10180f0cf476f1804e4b747426b931160dd73358374bab8d8
Instruction ID: 7bcf295ad4f60ec43ae5b7e1d170a4cc9280a7ab8b1c0b0d48950769be05d882
Opcode Fuzzy Hash: a5cf2be722d84fc10180f0cf476f1804e4b747426b931160dd73358374bab8d8
Instruction Fuzzy Hash: 64414166A19E0681EB15AB22E81407963A9BF45FF0B484031DE1DC73A8EF3CE446D340

Function 00007FF611304EE0 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 88COMMON

Download Yara Rule

Strings

\, xrefs: 00007FF611304F65
lib-dynload, xrefs: 00007FF611304F58
base_library.zip, xrefs: 00007FF611304EFD
%s%c%s, xrefs: 00007FF611304F04, 00007FF611304F72
_MEIPASS2, xrefs: 00007FF611304EE0

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: %s%c%s$\$_MEIPASS2$base_library.zip$lib-dynload
API String ID: 626452242-1997419384
Opcode ID: 96eac9c964f75bfd1bb261b00fe75da3a025126ccef3a6a625524ed71a1e8126
Instruction ID: 44ee5af7bd6a5a474c5142f417ca8b8884141367ac5cc770c47755df023e3173
Opcode Fuzzy Hash: 96eac9c964f75bfd1bb261b00fe75da3a025126ccef3a6a625524ed71a1e8126
Instruction Fuzzy Hash: D9313E22A49E8585EB219B54E8403EA6368FB44BA5F444332DE9DD3ADDDF3CE145C740

Function 00007FF611309090 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 60COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6
MultiByteToWideChar.KERNEL32 ref: 00007FF611309108
calloc.MSVCRT ref: 00007FF61130911E

Strings

MultiByteToWideChar, xrefs: 00007FF61130914F, 00007FF61130916F
Failed to decode wchar_t from UTF-8, xrefs: 00007FF611309148
Failed to get wchar_t buffer size., xrefs: 00007FF611309168
win32_utils_from_utf8, xrefs: 00007FF611309132
Out of memory., xrefs: 00007FF61130912B

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1374691127-876015163
Opcode ID: 9bafd67a9e6ba27ecb336526dea89acf2ec330839c75d6e55779765ab19282cc
Instruction ID: 0e5664dcbc93563f91497ed99be2fcf6e57de179fa3b7750a91c4c411ad677ae
Opcode Fuzzy Hash: 9bafd67a9e6ba27ecb336526dea89acf2ec330839c75d6e55779765ab19282cc
Instruction Fuzzy Hash: 36119061B08E5384FF24EB65A85827912A9AF49BF4F484539DA0DC7AE9EE7CE1048300

Function 00007FF6113073C0 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 155COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF61130753B

Strings

_image_data, xrefs: 00007FF611307519
tclInit, xrefs: 00007FF61130741B
exit, xrefs: 00007FF611307472
rename ::source ::_source, xrefs: 00007FF611307490
source, xrefs: 00007FF6113074B9
tcl_findLibrary, xrefs: 00007FF61130743D

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: free
String ID: _image_data$exit$rename ::source ::_source$source$tclInit$tcl_findLibrary
API String ID: 1294909896-1126984729
Opcode ID: d97ae4815509cc26e6e973629a1329cac86f451b544e01a121b7f206e9f1a56d
Instruction ID: 834604165c50ab0cdbf02f21e7b2b36c38face2e385bfe232d5022cbfba4ade0
Opcode Fuzzy Hash: d97ae4815509cc26e6e973629a1329cac86f451b544e01a121b7f206e9f1a56d
Instruction Fuzzy Hash: F671B83AA08E46D5EB11AF25E9543A933A4FB48FA9F448131DE4E87368DF7CD549C380

Function 00007FF6113067B0 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6113067C4

Strings

utf-8, xrefs: 00007FF6113067D3
path, xrefs: 00007FF611306815
Failed to append PYZ entry to sys.path!, xrefs: 00007FF611306840
strict, xrefs: 00007FF6113067C9
Installing PYZ: Could not get sys.path!, xrefs: 00007FF61130685C
%U?%llu, xrefs: 00007FF6113067E9

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: strlen
String ID: %U?%llu$Failed to append PYZ entry to sys.path!$Installing PYZ: Could not get sys.path!$path$strict$utf-8
API String ID: 39653677-372213108
Opcode ID: d4f4f0bb41883a37b964850e9d6525e6c82bda7dc6b4eb7bef36193f41cd0a21
Instruction ID: e43dace06bb441e46ca1882b51d2b9a71c5baa052ed42dbfe2c5965f01b50710
Opcode Fuzzy Hash: d4f4f0bb41883a37b964850e9d6525e6c82bda7dc6b4eb7bef36193f41cd0a21
Instruction Fuzzy Hash: CF114F66B09E1681FB10EB29E9140A87378BF88FE4B444131CE1ED77A8EE3CE505C340

Function 00007FF611313048 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF6113130EB
fwprintf.MSVCRT ref: 00007FF611313120

Part of subcall function 00007FF611312CC0: fputwc.MSVCRT ref: 00007FF611312D10

Strings

%.*s, xrefs: 00007FF61131313E
%-*.*s, xrefs: 00007FF611313116
%*.*s, xrefs: 00007FF6113130E1

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fwprintf$fputwc
String ID: %*.*s$%-*.*s$%.*s
API String ID: 2988249585-4054516066
Opcode ID: 780129500cc8eb22b3af81c7775783de4b986a6307f7fb092a662ca78920ec8f
Instruction ID: 5a1b3b433efee427e39deaa1f6d0b3c7f867a8ab0e4c29fdc5155cd4f06b77ef
Opcode Fuzzy Hash: 780129500cc8eb22b3af81c7775783de4b986a6307f7fb092a662ca78920ec8f
Instruction Fuzzy Hash: E271DB76A08B49CADB50DF6AC8815A877F4F748FA8B018536EE4D87758DF38D510CB40

Function 00007FF611307D60 Relevance: 8.8, APIs: 7, Instructions: 67stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF611307D80
strlen.MSVCRT ref: 00007FF611307D97
strlen.MSVCRT ref: 00007FF611307DAC
malloc.MSVCRT ref: 00007FF611307DBA

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: strlen$malloc
String ID:
API String ID: 3157260142-0
Opcode ID: bebafa3fc507f9c40b8e2e1084042dec21c5cd6be2e2a9f71abb3c5bc8a466b7
Instruction ID: 9a546e083b5e079a15bde28031040c13c5b087ca8df6f7848820d4db3313fbbe
Opcode Fuzzy Hash: bebafa3fc507f9c40b8e2e1084042dec21c5cd6be2e2a9f71abb3c5bc8a466b7
Instruction Fuzzy Hash: 63113C02B4ED9644FF5BAA9359116FA55D92F46FF4E0C4430ED4ECB78AFD2CA8428350

Function 00007FF611302AD0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF611302AF9
EndDialog.USER32 ref: 00007FF611302B28
SetWindowLongPtrW.USER32 ref: 00007FF611302B3C
GetWindowLongPtrW.USER32 ref: 00007FF611302B55
InvalidateRect.USER32 ref: 00007FF611302B75

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: DialogLongWindow$InvalidateRect
String ID:
API String ID: 1200242243-0
Opcode ID: 57b41cf59eeebec43940bf3f5d915734346139c7fb041d6f7fac98ec8a71f233
Instruction ID: 921dcbd2f04ac0dfe9e23e53c63de1a17d3a306dce3db26bb15bc6a74e4f117c
Opcode Fuzzy Hash: 57b41cf59eeebec43940bf3f5d915734346139c7fb041d6f7fac98ec8a71f233
Instruction Fuzzy Hash: 7D018C31E1CD7642FB683B6A68852B921C9AF88FB1F554830D90AC5BDDDC6C68C29300

Function 00007FF61130E640 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF61130E668

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 0e3aed78a1e4c150b1ff523e32ba85c0a188e2a4dfc2739e81b31b52371fb521
Instruction ID: 0e4ecac4ac4ad5357a4eb92c74e36a837a43b8f1b0fbf910ca19f15380ff0b0e
Opcode Fuzzy Hash: 0e3aed78a1e4c150b1ff523e32ba85c0a188e2a4dfc2739e81b31b52371fb521
Instruction Fuzzy Hash: C9410F72F09E268AF7249B64D5443BC27E8AB45F78F104A35CA2DD77E8CE3CA6418251

Function 00007FF611302DC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

MessageBoxW.USER32 ref: 00007FF611302E28
MessageBoxA.USER32 ref: 00007FF611302E4B

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF611302DC8
WideCharToMultiByte, xrefs: 00007FF611302DCA

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Failed to get UTF-8 buffer size.$WideCharToMultiByte
API String ID: 1878133881-785100509
Opcode ID: 996ea42dbfbdc6150fb3e78afd1d99beba1d91d16d45c08ba1a9db144a0f4385
Instruction ID: 331f44d4d53625b863712c2d933f9928b3f5198ed5dcff3cfd9be422d15525bd
Opcode Fuzzy Hash: 996ea42dbfbdc6150fb3e78afd1d99beba1d91d16d45c08ba1a9db144a0f4385
Instruction Fuzzy Hash: 2001D16371569005FB256622BD0ABFA05896B49FE1F888034EF4D97BC9EC3CD582C704

Function 00007FF6113045A0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF6113045C2

Part of subcall function 00007FF611308EC0: WideCharToMultiByte.KERNEL32 ref: 00007FF611308F08

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF611304610
Failed to get executable path., xrefs: 00007FF6113045F8
GetModuleFileNameW, xrefs: 00007FF6113045FF

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharFileModuleMultiNameWide
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 1532159127-1977442011
Opcode ID: a705923171a296baecb93f2081270a394e4d88c8d8c6dfbd024d0ef3db960c6d
Instruction ID: ad38949581b534d2057e1c825f5c2f854a9ac41c18d49ac2ecdfa60e9268b5ab
Opcode Fuzzy Hash: a705923171a296baecb93f2081270a394e4d88c8d8c6dfbd024d0ef3db960c6d
Instruction Fuzzy Hash: E1F04952B1CD1381FB68A725AC193B902EDAF08FE0F444435E80EC6ADEED1DEA468300

Function 00007FF6113051B0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF6113051D1

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

Strings

_MEIPASS2, xrefs: 00007FF6113051B0

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWidecalloc
String ID: _MEIPASS2
API String ID: 2568606709-3944641314
Opcode ID: 153298e754a5da29828527c7272e57dc28a8d1b5d2e4a766274f553e5afb193d
Instruction ID: c2d88bec3e508551eee575b6aba525e77e25bd04edd0237e6571beeaa7f890a8
Opcode Fuzzy Hash: 153298e754a5da29828527c7272e57dc28a8d1b5d2e4a766274f553e5afb193d
Instruction Fuzzy Hash: BD219861B09E0986FB149B699D802B973A9BF45BB1F544335DE2DC23D8EE28E0108600

Function 00007FF611302CC0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF611302D31
free.MSVCRT ref: 00007FF611302D39
free.MSVCRT ref: 00007FF611302D41

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

Strings

Failed to obtain/convert traceback!, xrefs: 00007FF611302CFB

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: free$ByteCharMultiWide
String ID: Failed to obtain/convert traceback!
API String ID: 3219091393-982972847
Opcode ID: 9418ccf11d311c357f2c0b44d681edf2e8f7f8742d0759f808d0dfda2e738276
Instruction ID: 36f04ec6f88cd3a2bc258049d2dc4832329a60f1c62f89f35d7fe934959795e2
Opcode Fuzzy Hash: 9418ccf11d311c357f2c0b44d681edf2e8f7f8742d0759f808d0dfda2e738276
Instruction Fuzzy Hash: 6E014F01B5A96905FE5965B629266BA51990F09FE0E489434ED0ECBB8AED1CE4024300

Function 00007FF61130DBC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4
Unknown error, xrefs: 00007FF61130DC5A

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 20dae29a08e59d28e827f7f7a2a2eda8259e4d1817ef6dbd98be60ed78e0c5d9
Instruction ID: 83cd38c150c21dcc6a206d56e2a343aac2aaa16d0ed3991e54ce75f160be39ec
Opcode Fuzzy Hash: 20dae29a08e59d28e827f7f7a2a2eda8259e4d1817ef6dbd98be60ed78e0c5d9
Instruction Fuzzy Hash: 83216F26A04FC48AD7118F68D8413EA7375FF59BA8F444622EE8C57768EF38D249C300

Function 00007FF611302FE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF611303027

Part of subcall function 00007FF611302DC0: MessageBoxW.USER32 ref: 00007FF611302E28

Strings

%s%s: %s, xrefs: 00007FF611303044
Fatal error detected, xrefs: 00007FF61130305B

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: Message_errno
String ID: %s%s: %s$Fatal error detected
API String ID: 1796756983-2410924014
Opcode ID: 89ab3f84670d69496295afaeef3f91396c60eac41d8d5ed9af97d336e694a63d
Instruction ID: c28294c9a89b346d21826169c9b2e5bff147003e177ddd24247e852ee4af21bc
Opcode Fuzzy Hash: 89ab3f84670d69496295afaeef3f91396c60eac41d8d5ed9af97d336e694a63d
Instruction Fuzzy Hash: 7D01FF6261CA8191E324AB51F4007EA62A8FB98BE0F504135EB8D53B9D9E3CD656CB40

Function 00007FF61130DC40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4
Total loss of significance (TLOSS), xrefs: 00007FF61130DC40

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: baefd7cba75bd780381bd2d5fed287ff04b74d7fa079984f5394eb8e5ce75d69
Instruction ID: 614a5cfc97548770ad11d54b2da1bc4c32960a977976bb582593597519d62a9e
Opcode Fuzzy Hash: baefd7cba75bd780381bd2d5fed287ff04b74d7fa079984f5394eb8e5ce75d69
Instruction Fuzzy Hash: 14015E26904F888AD7118F69D8402AA7775FB4DBA8F044722EE8D27728DF28C145C300

Function 00007FF61130DC4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF61130DC4D

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 81b53d873045e560598026d8c864cfe1e58fa63b90fba301861682825eddf50a
Instruction ID: 991929bb0221d0ccdbae86cc5719e2498dfa6eac88ff986c4a2e6d33164df791
Opcode Fuzzy Hash: 81b53d873045e560598026d8c864cfe1e58fa63b90fba301861682825eddf50a
Instruction Fuzzy Hash: 92015A26A04F888AD7118F69D8402AA7779FB4DBA8F044722EE8D27728DF28C145C300

Function 00007FF61130DC0C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

Argument domain error (DOMAIN), xrefs: 00007FF61130DC0C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 06bf403f4c0a9af45a90ca5965f87b6ee5c3a6750db8dc5ebbd969be290419dd
Instruction ID: 1a0d58422669a28d37bbbca04a876133b6798bdb7d21cda2d00c0aea62eeea42
Opcode Fuzzy Hash: 06bf403f4c0a9af45a90ca5965f87b6ee5c3a6750db8dc5ebbd969be290419dd
Instruction Fuzzy Hash: A7015E26904F888AD7118F69D8402AA7775FF4DBA8F044722EE8D27768DF28C145C300

Function 00007FF61130DC19 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4
Argument singularity (SIGN), xrefs: 00007FF61130DC19

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: ec9f448085d72bf13c83586b7c52257c26f7af234c67fb9552149ff3dd26a3a7
Instruction ID: ab7acd62de75aa1df805807dd5b92a3e5c17fc3ed1e501a2969a32f59a844363
Opcode Fuzzy Hash: ec9f448085d72bf13c83586b7c52257c26f7af234c67fb9552149ff3dd26a3a7
Instruction Fuzzy Hash: 8F015E26904F888AD7118F69D8402AA7775FB4DBA8F044722EE8D67728DF28C145C300

Function 00007FF61130DC26 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4
Overflow range error (OVERFLOW), xrefs: 00007FF61130DC26

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: fc72b1ca348bb75ea9640cba4845ceefab8200df23c4986763f386d421d396ac
Instruction ID: cd6684805ad6265800390dd79e64661528e02356433dd864c571321267a38df1
Opcode Fuzzy Hash: fc72b1ca348bb75ea9640cba4845ceefab8200df23c4986763f386d421d396ac
Instruction Fuzzy Hash: 63015E26904F888AD7118F69D8402AA7775FB4DBA8F044722EE8D27728DF28C145C300

Function 00007FF61130DC33 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4
Partial loss of significance (PLOSS), xrefs: 00007FF61130DC33

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 1dadd9d91598fd59cd3ee44cef548247d0e8863d0b21ccbc5bbcccc010ffab5c
Instruction ID: d2e26451fd359e7ea30e872cf20c2c22af6540c0d195cb8b107f978fdfae3719
Opcode Fuzzy Hash: 1dadd9d91598fd59cd3ee44cef548247d0e8863d0b21ccbc5bbcccc010ffab5c
Instruction Fuzzy Hash: 0D015A26A04F888AD7118F69D8402AA7779FB4DBA8F044722EE8D27728DF28C145C300

Function 00007FF611304960 Relevance: 5.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF61130498C
free.MSVCRT ref: 00007FF61130499A
free.MSVCRT ref: 00007FF6113049BC
free.MSVCRT ref: 00007FF6113049CA

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9c4186f722e86582c3b1398c543642522ac53436e10a90fe38125ad0e5a34d3b
Instruction ID: 135b8bc12ab8c9e5dc827b3fb08364c05a0372c10145f2bdbcdaa445df2b548c
Opcode Fuzzy Hash: 9c4186f722e86582c3b1398c543642522ac53436e10a90fe38125ad0e5a34d3b
Instruction Fuzzy Hash: D6017127E4991982EB509B6AB4412BD32B9FF88F64F155231DE0DC734ADD28D882C780

Function 00007FF611307060 Relevance: 5.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF61130707D
free.MSVCRT ref: 00007FF61130708E
free.MSVCRT ref: 00007FF61130709F
free.MSVCRT ref: 00007FF6113070A7

Memory Dump Source

Source File: 00000000.00000002.2282660716.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000000.00000002.2282640609.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282683963.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282702280.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282723530.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282742073.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282759912.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2282777400.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff611300000_winws1.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 17bb4e15e412b02df2bc7990f2a8c6dca0a60341a4ea025c79cb532fcc6a30aa
Instruction ID: 840a8d54c22161b11d819af650f246fbc9d32983dc32b8c8661f910423b2f066
Opcode Fuzzy Hash: 17bb4e15e412b02df2bc7990f2a8c6dca0a60341a4ea025c79cb532fcc6a30aa
Instruction Fuzzy Hash: 0FF0EC19F4BD0A41FF1AE6A1B4103FD62685F44F60F044130CF8DDB6499E2CA4438300

Analysis Process: winws1.exePID: 5392, Parent PID: 5776COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1259
Total number of Limit Nodes:	16

Executed Functions

Function 655C6580 Relevance: 118.2, APIs: 51, Strings: 16, Instructions: 915librarystringloaderCOMMON

Download Yara Rule

APIs

PySys_GetObject.PYTHON311 ref: 655C65A1
PyTuple_GetItem.PYTHON311 ref: 655C65BB
PyLong_AsLong.PYTHON311 ref: 655C65D0
PyTuple_GetItem.PYTHON311 ref: 655C65E0
PyLong_AsLong.PYTHON311 ref: 655C65EE
PySys_GetObject.PYTHON311 ref: 655C65FD
PyLong_AsVoidPtr.PYTHON311 ref: 655C6609
GetProcAddress.KERNEL32 ref: 655C662E
GetProcAddress.KERNEL32 ref: 655C664C
GetProcAddress.KERNEL32 ref: 655C666A
PyModule_Create2.PYTHON311 ref: 655C6694
PyModule_GetName.PYTHON311 ref: 655C66A9
strrchr.MSVCRT ref: 655C66CE
malloc.MSVCRT ref: 655C66E4
memcpy.MSVCRT ref: 655C66FE
PyBytes_FromStringAndSize.PYTHON311 ref: 655C6751
PyBytes_AsString.PYTHON311 ref: 655C676B
malloc.MSVCRT ref: 655C677F
PyCMethod_New.PYTHON311 ref: 655C67CD
PyCMethod_New.PYTHON311 ref: 655C6813
PyCMethod_New.PYTHON311 ref: 655C6859
PyBytes_FromStringAndSize.PYTHON311 ref: 655C6883
PyBytes_AsString.PYTHON311 ref: 655C6899
_time64.MSVCRT ref: 655C6976
srand.MSVCRT ref: 655C697E
strstr.MSVCRT ref: 655C6B25
strncmp.MSVCRT ref: 655C6B61
PyErr_Format.PYTHON311 ref: 655C6BD4
_Py_Dealloc.PYTHON311 ref: 655C6C0A
_Py_Dealloc.PYTHON311 ref: 655C6C19
malloc.MSVCRT ref: 655C6C3A
free.MSVCRT ref: 655C6CA4
malloc.MSVCRT ref: 655C6CB0
memcpy.MSVCRT ref: 655C6CD3
free.MSVCRT ref: 655C6D02
malloc.MSVCRT ref: 655C6D0E
memcpy.MSVCRT ref: 655C6D31
PyErr_Format.PYTHON311 ref: 655C7378

Part of subcall function 655DDAD0: memcmp.MSVCRT ref: 655DDB03
Part of subcall function 655DDAD0: memcmp.MSVCRT ref: 655DDB20
Part of subcall function 655DDAD0: memcmp.MSVCRT ref: 655DDB42
Part of subcall function 655DDAD0: memcmp.MSVCRT ref: 655DDB62
Part of subcall function 655DDAD0: memcmp.MSVCRT ref: 655DDB82
Part of subcall function 655DDAD0: memcmp.MSVCRT ref: 655DDBA2
Part of subcall function 655DDAD0: memcmp.MSVCRT ref: 655DDBC2
Part of subcall function 655DDAD0: memcmp.MSVCRT ref: 655DDBE2

Part of subcall function 655DD840: memcmp.MSVCRT ref: 655DD873
Part of subcall function 655DD840: memcmp.MSVCRT ref: 655DD893
Part of subcall function 655DD840: memcmp.MSVCRT ref: 655DD8B5
Part of subcall function 655DD840: memcmp.MSVCRT ref: 655DD8D5
Part of subcall function 655DD840: memcmp.MSVCRT ref: 655DD8F5
Part of subcall function 655DD840: memcmp.MSVCRT ref: 655DD915
Part of subcall function 655DD840: memcmp.MSVCRT ref: 655DD935
Part of subcall function 655DD840: memcmp.MSVCRT ref: 655DD955

Part of subcall function 655DD270: strcmp.MSVCRT ref: 655DD29B
Part of subcall function 655DD270: strcmp.MSVCRT ref: 655DD2C5
Part of subcall function 655DD270: strcmp.MSVCRT ref: 655DD2E4
Part of subcall function 655DD270: strcmp.MSVCRT ref: 655DD303
Part of subcall function 655DD270: strcmp.MSVCRT ref: 655DD322
Part of subcall function 655DD270: strcmp.MSVCRT ref: 655DD33D
Part of subcall function 655DD270: strcmp.MSVCRT ref: 655DD358
Part of subcall function 655DD270: strcmp.MSVCRT ref: 655DD373

Part of subcall function 655DD510: strcmp.MSVCRT ref: 655DD53B
Part of subcall function 655DD510: strcmp.MSVCRT ref: 655DD55F
Part of subcall function 655DD510: strcmp.MSVCRT ref: 655DD57B
Part of subcall function 655DD510: strcmp.MSVCRT ref: 655DD59A
Part of subcall function 655DD510: strcmp.MSVCRT ref: 655DD5B9
Part of subcall function 655DD510: strcmp.MSVCRT ref: 655DD5D4
Part of subcall function 655DD510: strcmp.MSVCRT ref: 655DD5EF
Part of subcall function 655DD510: strcmp.MSVCRT ref: 655DD60A

Part of subcall function 655DD3C0: strcmp.MSVCRT ref: 655DD3EB
Part of subcall function 655DD3C0: strcmp.MSVCRT ref: 655DD415
Part of subcall function 655DD3C0: strcmp.MSVCRT ref: 655DD434
Part of subcall function 655DD3C0: strcmp.MSVCRT ref: 655DD453
Part of subcall function 655DD3C0: strcmp.MSVCRT ref: 655DD472
Part of subcall function 655DD3C0: strcmp.MSVCRT ref: 655DD48D
Part of subcall function 655DD3C0: strcmp.MSVCRT ref: 655DD4A8
Part of subcall function 655DD3C0: strcmp.MSVCRT ref: 655DD4C3

PyBytes_AsStringAndSize.PYTHON311 ref: 655C6EA8

Strings

PyCell_Set, xrefs: 655C6651
PyCell_New, xrefs: 655C6633
aes, xrefs: 655C69E1
C_LEAVE_CO_OBJECT_INDEX, xrefs: 655C6831
,*, xrefs: 655C7363
sha256, xrefs: 655C6A15
.pyarmor.ikey, xrefs: 655C6E80
dllhandle, xrefs: 655C65F0
sprng, xrefs: 655C69FB
version_info, xrefs: 655C6593
C_ENTER_CO_OBJECT_INDEX, xrefs: 655C67EB
C_ASSERT_ARMORED_INDEX, xrefs: 655C6794
PyCell_Get, xrefs: 655C6627
000000, xrefs: 655C6B54
%s (%d:%d), xrefs: 655C6BCD, 655C6DF5, 655C6E64, 655C6FD5, 655C730D, 655C7371
pyarmor_runtime_, xrefs: 655C6B19, 655C6B35

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: strcmp$memcmp$Bytes_Stringmalloc$AddressLong_Method_ProcSizememcpy$DeallocErr_FormatFromItemLongModule_ObjectSys_Tuple_free$Create2NameVoid_time64srandstrncmpstrrchrstrstr
String ID: %s (%d:%d)$,*$.pyarmor.ikey$000000$C_ASSERT_ARMORED_INDEX$C_ENTER_CO_OBJECT_INDEX$C_LEAVE_CO_OBJECT_INDEX$PyCell_Get$PyCell_New$PyCell_Set$aes$dllhandle$pyarmor_runtime_$sha256$sprng$version_info
API String ID: 3695841847-3717260241
Opcode ID: c49689d9fb9b6adb2433b99e16241ad41eae1ea0e4a5ccbbb1b073d1b8f7bae8
Instruction ID: 9088fb379de0069e41cd69e83f0e25aba7ff23454b57df15404cd342592abb7a
Opcode Fuzzy Hash: c49689d9fb9b6adb2433b99e16241ad41eae1ea0e4a5ccbbb1b073d1b8f7bae8
Instruction Fuzzy Hash: AC821672315B8482EB01CF69D85876A3BA2FB85BC9F85805EDE4E0BB54DF39C516C342

Function 655C7590 Relevance: 25.0, APIs: 13, Strings: 1, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 655C7600
PyErr_Format.PYTHON311 ref: 655C78F5
PyErr_Format.PYTHON311 ref: 655C795D
PyErr_Format.PYTHON311 ref: 655C7A2D

Strings

%s (%d:%d), xrefs: 655C7817, 655C78EB, 655C7953, 655C7A23, 655C7A93, 655C7B63, 655C7BEF, 655C7CBD

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_Format$malloc
String ID: %s (%d:%d)
API String ID: 1817594650-1595188566
Opcode ID: 8a995d37fb69e98e2f555d5dc7a50ec56f8a4c957936f599c74ed256fc7057be
Instruction ID: e175f13fffbb985779171ffd35094e7dcb566cda0f4a86c9aa0ba5d2b99f7bf5
Opcode Fuzzy Hash: 8a995d37fb69e98e2f555d5dc7a50ec56f8a4c957936f599c74ed256fc7057be
Instruction Fuzzy Hash: 4B02C071328B4481EF14CB6AD99836937A2FB85B89F44489ECE5E0BB91DF3DC151C782

Function 00007FF611301154 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_amsg_exit.MSVCRT ref: 00007FF6113011F6
_initterm.MSVCRT ref: 00007FF61130122B
_initterm.MSVCRT ref: 00007FF61130125E
exit.MSVCRT ref: 00007FF611301358
_cexit.MSVCRT ref: 00007FF611301367

Strings

0, xrefs: 00007FF611301164

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: _initterm$_amsg_exit_cexitexit
String ID: 0
API String ID: 602970348-4108050209
Opcode ID: 68b42a7169f47ea2a0c2489e8fdb899db89ccd3641b59c7d876ca4fdc4d75048
Instruction ID: 32e468780db96470642340ab7d6b11e790d630cf4aa8f3085b8af854b9925a1a
Opcode Fuzzy Hash: 68b42a7169f47ea2a0c2489e8fdb899db89ccd3641b59c7d876ca4fdc4d75048
Instruction Fuzzy Hash: C2619279A08F0689FB01ABA9E98436937A8BB48FA4F404435DD0DD7769DF7CE4448790

Function 655C5870 Relevance: 59.8, APIs: 28, Strings: 6, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyUnicode_FromFormat.PYTHON311 ref: 655C54FF
Py_DecRef.PYTHON311 ref: 655C5513
PyUnicode_AsUTF8.PYTHON311 ref: 655C5924
PyImport_GetModuleDict.PYTHON311 ref: 655C5958
PyDict_GetItem.PYTHON311 ref: 655C5966
PyModule_GetDict.PYTHON311 ref: 655C5977
PyDict_GetItemString.PYTHON311 ref: 655C598A
PyImport_ExecCodeModuleObject.PYTHON311 ref: 655C59AD
PyErr_Occurred.PYTHON311 ref: 655C59B6

Part of subcall function 655CFDA0: VirtualAlloc.KERNEL32 ref: 655CFDF9
Part of subcall function 655CFDA0: memcpy.MSVCRT ref: 655CFE1C

Strings

, xrefs: 655C589B
__mp_main__, xrefs: 655C593E
<frozen %U>, xrefs: 655C54F8, 655C5543
__main__, xrefs: 655C5918
__spec__, xrefs: 655C597D
%s (%d:%d), xrefs: 655C61EC

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: DictDict_Import_ItemModuleUnicode_$AllocCodeErr_ExecFormatFromModule_ObjectOccurredStringVirtualmemcpy
String ID: $%s (%d:%d)$<frozen %U>$__main__$__mp_main__$__spec__
API String ID: 2800235986-2782528897
Opcode ID: d56c9e0c0242500afa0d281a4e7b82a01fadbc5cb55a1c2f50243ce13058f488
Instruction ID: 442df36ffcee78a0791b5f7407c3daf34482bf8b1eaa455678c73e0b158be5d8
Opcode Fuzzy Hash: d56c9e0c0242500afa0d281a4e7b82a01fadbc5cb55a1c2f50243ce13058f488
Instruction Fuzzy Hash: 6CD1A02230AB8085EF05CFAAD89836877A1FB85F99F4844A9DE5E07764DF29C155C342

Function 00007FF6113037E0 Relevance: 33.5, APIs: 6, Strings: 13, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF611303924

Strings

Failed to unmarshal code object for %s, xrefs: 00007FF61130395C
%s%c%s.py, xrefs: 00007FF611303899
__file__, xrefs: 00007FF6113038C4
Traceback is disabled via bootloader option., xrefs: 00007FF6113039F9
Absolute path to script exceeds PATH_MAX, xrefs: 00007FF611303946
Could not get __main__ module., xrefs: 00007FF611303A51
_pyi_main_co, xrefs: 00007FF6113038FD
format_exception, xrefs: 00007FF611303AA8
pyi-disable-windowed-traceback, xrefs: 00007FF6113039E2
Could not get __main__ module's dict., xrefs: 00007FF611303A62
__main__, xrefs: 00007FF611303807
traceback, xrefs: 00007FF611303A7F
\, xrefs: 00007FF611303891

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: free
String ID: %s%c%s.py$Absolute path to script exceeds PATH_MAX$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to unmarshal code object for %s$Traceback is disabled via bootloader option.$\$__file__$__main__$_pyi_main_co$format_exception$pyi-disable-windowed-traceback$traceback
API String ID: 1294909896-4198433784
Opcode ID: a910d1081c493ede87baa9a3e2d4ef4e79b0eb8e38c4ffb82442c3980188c074
Instruction ID: 56c776225090d59bfb3fa0882e7a3a49fa7be6b75401942f9dbc3034880c9aa5
Opcode Fuzzy Hash: a910d1081c493ede87baa9a3e2d4ef4e79b0eb8e38c4ffb82442c3980188c074
Instruction Fuzzy Hash: E8B13F29B09F4A85EB14AB26E85417A23B9BF89FE4F444032DD1EC7768DE3CE505D340

Function 655C5881 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyUnicode_AsUTF8.PYTHON311 ref: 655C5924
PyImport_GetModuleDict.PYTHON311 ref: 655C5958
PyDict_GetItem.PYTHON311 ref: 655C5966
PyModule_GetDict.PYTHON311 ref: 655C5977
PyDict_GetItemString.PYTHON311 ref: 655C598A
PyImport_ExecCodeModuleObject.PYTHON311 ref: 655C59AD
PyErr_Occurred.PYTHON311 ref: 655C59B6

Strings

, xrefs: 655C589B
__mp_main__, xrefs: 655C593E
__main__, xrefs: 655C5918
__spec__, xrefs: 655C597D
%s (%d:%d), xrefs: 655C5ECC

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: DictDict_Import_ItemModule$CodeErr_ExecModule_ObjectOccurredStringUnicode_
String ID: $%s (%d:%d)$__main__$__mp_main__$__spec__
API String ID: 4088344453-4025645406
Opcode ID: e8e8df76940c80adcfa485fdfe8852c428692b193f4f0e20a05330a4f40e421f
Instruction ID: 50a5a864ebfac76a3046a092d38472960eea4b976405f40bd3b6c9752a3af67e
Opcode Fuzzy Hash: e8e8df76940c80adcfa485fdfe8852c428692b193f4f0e20a05330a4f40e421f
Instruction Fuzzy Hash: AD819C3230AB4085EF55CFA9D8983797361FB85F99F9884A9CE6E07754DF29C141C342

Function 00007FF61130F3B0 Relevance: 25.8, APIs: 17, Instructions: 341
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strdup.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F3E0
setlocale.MSVCRT ref: 00007FF61130F3F8
mbstowcs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F42F
mbstowcs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F48F
setlocale.MSVCRT ref: 00007FF61130F4FA
free.MSVCRT ref: 00007FF61130F506
wcstombs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F73A
wcstombs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F7AE
realloc.MSVCRT ref: 00007FF61130F7C9
wcstombs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F7F2
setlocale.MSVCRT ref: 00007FF61130F803
free.MSVCRT ref: 00007FF61130F80F
wcstombs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F839
realloc.MSVCRT ref: 00007FF61130F854
wcstombs.MSVCRT(00000000,00000000,?,?,?,00007FF611303E16), ref: 00007FF61130F878
setlocale.MSVCRT ref: 00007FF61130F889
free.MSVCRT ref: 00007FF61130F895

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: wcstombs$setlocale$free$mbstowcsrealloc$_strdup
String ID:
API String ID: 918573998-0
Opcode ID: bc37caea81c3f1b4857c0da5a89418885bf617b27b1e748d0f14d2c635658186
Instruction ID: 8f5bee2cb25e0e19cbce18612337648e828bf28c2b5ca53fac248c82cb0a813c
Opcode Fuzzy Hash: bc37caea81c3f1b4857c0da5a89418885bf617b27b1e748d0f14d2c635658186
Instruction Fuzzy Hash: 65F1F866F04B1989EB509BAAD4412BC27F9FB48FA8F804436DE4CA7798EF38D451C351

Function 00007FF611301710 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 231
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61130A920: malloc.MSVCRT ref: 00007FF61130A889

malloc.MSVCRT ref: 00007FF611301788
malloc.MSVCRT ref: 00007FF61130179E
fread.MSVCRT ref: 00007FF6113017EF
ferror.MSVCRT ref: 00007FF611301800
free.MSVCRT ref: 00007FF6113018A2
free.MSVCRT ref: 00007FF6113018AA
fwrite.MSVCRT ref: 00007FF6113018FC
ferror.MSVCRT ref: 00007FF611301917

Strings

1.2.13, xrefs: 00007FF61130173F
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF611301A9C
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF611301ABB
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF611301886
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF611301A64
malloc, xrefs: 00007FF611301AA3, 00007FF611301AC2

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: malloc$ferrorfree$freadfwrite
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 1635854594-1655038675
Opcode ID: 99619c3a175132b3582db99fac23658321bec914c492db8dc182f7a91b5b4957
Instruction ID: 0f5177cb95451457f0e952c0fc06814180a0d22c16884b2a576d92242c99b95f
Opcode Fuzzy Hash: 99619c3a175132b3582db99fac23658321bec914c492db8dc182f7a91b5b4957
Instruction Fuzzy Hash: 8791CF22B08A9641E7208F12A8403BA66E8BB45FF4F544231DE9DD3BDDEE7CE585D700

Function 00007FF6113016D0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 342
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF611308FE0: free.MSVCRT ref: 00007FF611309047
Part of subcall function 00007FF611308FE0: free.MSVCRT ref: 00007FF611309054

Part of subcall function 00007FF6113021D0: calloc.MSVCRT ref: 00007FF6113021DE

Part of subcall function 00007FF6113045A0: GetModuleFileNameW.KERNEL32 ref: 00007FF6113045C2

Part of subcall function 00007FF611307E30: GetEnvironmentVariableW.KERNEL32 ref: 00007FF611307E5C

SetDllDirectoryW.KERNEL32 ref: 00007FF611303DD9

Part of subcall function 00007FF611307020: calloc.MSVCRT ref: 00007FF61130702E

Part of subcall function 00007FF611307060: free.MSVCRT ref: 00007FF61130707D
Part of subcall function 00007FF611307060: free.MSVCRT ref: 00007FF61130708E
Part of subcall function 00007FF611307060: free.MSVCRT ref: 00007FF61130709F
Part of subcall function 00007FF611307060: free.MSVCRT ref: 00007FF6113070A7

free.MSVCRT ref: 00007FF611303D5E

Part of subcall function 00007FF611307F20: SetEnvironmentVariableW.KERNEL32 ref: 00007FF611307F3B
Part of subcall function 00007FF611307F20: free.MSVCRT ref: 00007FF611307F46

strcmp.MSVCRT ref: 00007FF611303E93
strcpy.MSVCRT ref: 00007FF611303ED9
SetDllDirectoryW.KERNEL32 ref: 00007FF6113040E5

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

Strings

Failed to convert DLL search path!, xrefs: 00007FF6113042A5
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF61130405C
_PYI_ONEDIR_MODE, xrefs: 00007FF611303D38, 00007FF611303D63
_MEIPASS2, xrefs: 00007FF611303D1D
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF611304211

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: free$DirectoryEnvironmentVariablecalloc$ByteCharFileModuleMultiNameWidestrcmpstrcpy
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2187479179-3096095006
Opcode ID: 77efaa2d4623c45b5b74c92c9212e285a0ec3a2d66ca2dbf9d5886927e4342f2
Instruction ID: 0e977f339c364287317b8045a5fd6242561dea83be5132dfacc858a02cdec789
Opcode Fuzzy Hash: 77efaa2d4623c45b5b74c92c9212e285a0ec3a2d66ca2dbf9d5886927e4342f2
Instruction Fuzzy Hash: B6E18F21A0CE4280EB64EB22A9502BB66EDAF44FE0F444135EE4ED77DEDE3CE5058750

Function 00007FF611301F90 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF611304650: _wfopen.MSVCRT ref: 00007FF611304695

Part of subcall function 00007FF611308BB0: malloc.MSVCRT ref: 00007FF611308BCE
Part of subcall function 00007FF611308BB0: free.MSVCRT ref: 00007FF611308CA5

fclose.MSVCRT ref: 00007FF611301FF3
fread.MSVCRT ref: 00007FF61130202F
malloc.MSVCRT ref: 00007FF61130208D
fread.MSVCRT ref: 00007FF6113020AE

Strings

Error on file., xrefs: 00007FF611302180
fread, xrefs: 00007FF611302127, 00007FF611302167
Could not read full TOC!, xrefs: 00007FF611302120
fseek, xrefs: 00007FF611302147
Failed to read cookie!, xrefs: 00007FF611302160
Could not allocate buffer for TOC!, xrefs: 00007FF61130219B
malloc, xrefs: 00007FF6113021A2
Failed to seek to cookie position!, xrefs: 00007FF611302140

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: freadmalloc$_wfopenfclosefree
String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$fread$fseek$malloc
API String ID: 2617120823-2084260460
Opcode ID: 97e34f1f8197036ee463dd14bcf40f542b76db0e688edaab6505a5423c5ed9ce
Instruction ID: 6a7e4713da0cd09ce4828a6ce8d251fee3b1e603478eb1b654140d261a6bc9f9
Opcode Fuzzy Hash: 97e34f1f8197036ee463dd14bcf40f542b76db0e688edaab6505a5423c5ed9ce
Instruction Fuzzy Hash: 33516C71B09E0682EB189B29D8442B867F9AF88FA4F54823AD90DC779DDF3CE505C744

Function 6563F450 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 123
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCRT ref: 6563F4AE
CreateFileMappingA.KERNEL32 ref: 6563F505
MapViewOfFile.KERNEL32 ref: 6563F531
CloseHandle.KERNEL32 ref: 6563F53D
GetLastError.KERNEL32 ref: 6563F548
_errno.MSVCRT ref: 6563F550

Strings

, xrefs: 6563F48C
@, xrefs: 6563F5B4
@, xrefs: 6563F60D

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: File_errno$CloseCreateErrorHandleLastMappingView
String ID: $@$@
API String ID: 896588047-3743272326
Opcode ID: fba389cb87774ad06a68b5533d78d5babd8062efa688bd72495702a505ed211f
Instruction ID: 5da0bf4e5e469521b86c516d5549271f50203570b2081865e894b15c02e9722b
Opcode Fuzzy Hash: fba389cb87774ad06a68b5533d78d5babd8062efa688bd72495702a505ed211f
Instruction Fuzzy Hash: 34411573F15A6045E7218F16ED41B4AA155BB55BB9F492331EE7A17BE1EB3CC840C340

Function 00007FF611301B30 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF611304650: _wfopen.MSVCRT ref: 00007FF611304695

malloc.MSVCRT ref: 00007FF611301B80
fread.MSVCRT ref: 00007FF611301BD3
free.MSVCRT ref: 00007FF611301BF8
fclose.MSVCRT ref: 00007FF611301C03

Strings

fread, xrefs: 00007FF611301BE9
fseek, xrefs: 00007FF611301C4C
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF611301C45
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF611301BE2
_MEIPASS2, xrefs: 00007FF611301B30
malloc, xrefs: 00007FF611301C85
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF611301C7E
Failed to extract %s: failed to open archive file!, xrefs: 00007FF611301C65

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: _wfopenfclosefreadfreemalloc
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$_MEIPASS2$fread$fseek$malloc
API String ID: 3354994319-975985129
Opcode ID: fb8e1b4c3ae1c0d9dbf1886b60f8a5d38b6fdbff1d087ba08816e469a5146e79
Instruction ID: 19ba8768eb761e48cedd2b0abc945a7dccd61e1ec89d696ce9ab765ff50e25e5
Opcode Fuzzy Hash: fb8e1b4c3ae1c0d9dbf1886b60f8a5d38b6fdbff1d087ba08816e469a5146e79
Instruction Fuzzy Hash: F9319E51B09E1B51FF19A7119854AFA12ACAF14FF8F844036EC0DC769EEE6CE50AC300

Function 00007FF611306450 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6113049F0: calloc.MSVCRT ref: 00007FF611304A0D
Part of subcall function 00007FF6113049F0: strncmp.MSVCRT ref: 00007FF611304A91
Part of subcall function 00007FF6113049F0: strcmp.MSVCRT ref: 00007FF611304AAB

Part of subcall function 00007FF6113051B0: calloc.MSVCRT ref: 00007FF6113051D1

fflush.MSVCRT ref: 00007FF611306571
fflush.MSVCRT ref: 00007FF611306580

Strings

Failed to parse run-time options!, xrefs: 00007FF611306612
Failed to allocate PyConfig structure! Unsupported python version?, xrefs: 00007FF61130662E
Failed to pre-initialize embedded python interpreter!, xrefs: 00007FF6113065C2
Failed to set run-time options!, xrefs: 00007FF611306620
Failed to start embedded python interpreter!, xrefs: 00007FF61130658A
Failed to set sys.argv!, xrefs: 00007FF611306604
Failed to set module search paths!, xrefs: 00007FF6113065F6
Failed to set program name!, xrefs: 00007FF6113065DA
Failed to set python home path!, xrefs: 00007FF6113065E8

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: callocfflush$strcmpstrncmp
String ID: Failed to allocate PyConfig structure! Unsupported python version?$Failed to parse run-time options!$Failed to pre-initialize embedded python interpreter!$Failed to set module search paths!$Failed to set program name!$Failed to set python home path!$Failed to set run-time options!$Failed to set sys.argv!$Failed to start embedded python interpreter!
API String ID: 2710203250-3807717293
Opcode ID: 20069458dbc6cbfea570bcd6b724cb1ff9c6197de144f72581953467c1bf7855
Instruction ID: 1117b7a542243e7d961cb3f266d51af83b42f4c675e4a000774ed07a24314ea8
Opcode Fuzzy Hash: 20069458dbc6cbfea570bcd6b724cb1ff9c6197de144f72581953467c1bf7855
Instruction Fuzzy Hash: B051F850A0CE5781FB15AB29E8551B953EDAF80FF4F541132EE4EC62EEEE2DE9059300

Function 655DF060 Relevance: 15.5, APIs: 2, Strings: 8, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.MSVCRT ref: 655DF103
free.MSVCRT ref: 655DF1B1

Strings

key != NULL, xrefs: 655DF4CA
ltc_mp.name != NULL, xrefs: 655DF6EC
in != NULL, xrefs: 655DF4E3
ltc_mp.name != NULL, xrefs: 655DF4B1
key != NULL, xrefs: 655DF6D3
size > 0, xrefs: 655DF705
src/pk/rsa/rsa_make_key.c, xrefs: 655DF6CC, 655DF6E5, 655DF6FE
src/pk/rsa/rsa_import.c, xrefs: 655DF4AA, 655DF4C3, 655DF4DC

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: callocfree
String ID: in != NULL$key != NULL$key != NULL$ltc_mp.name != NULL$ltc_mp.name != NULL$size > 0$src/pk/rsa/rsa_import.c$src/pk/rsa/rsa_make_key.c
API String ID: 306872129-2031961738
Opcode ID: 66a0225e8378a90f5104ae6bb13b2583ae0a41954c2b1ea464cda92131a1ee8c
Instruction ID: d309e945b13ff7d4a5fe46c71a816498b6b57d31c09cb3b5b8e82738f3b63150
Opcode Fuzzy Hash: 66a0225e8378a90f5104ae6bb13b2583ae0a41954c2b1ea464cda92131a1ee8c
Instruction Fuzzy Hash: F9123B77208B8186E760CF66E84879AB7A5F784BC8F004116EF8A87B58DF79C495CB44

Function 655DBF20 Relevance: 14.7, APIs: 4, Strings: 5, Instructions: 1167COMMON

Download Yara Rule

Strings

d != NULL, xrefs: 655DC06E, 655DC11E, 655DC82E, 655DCB9E
c != NULL, xrefs: 655DC087, 655DC137, 655DC4F2, 655DC55F, 655DC5CF, 655DC69F, 655DC7C4, 655DC847, 655DCA5E, 655DCAFE, 655DCBB7, 655DCC3F, 655DCCAF, 655DCD3E, 655DCE1A, 655DCE6A, 655DCEBA
a != NULL, xrefs: 655DBF3B, 655DBF7F, 655DBFCE, 655DC00C, 655DC0B9, 655DC169, 655DC1D8, 655DC449, 655DC481, 655DC4D9, 655DC546, 655DC5B6, 655DC633, 655DC686, 655DC6FE, 655DC741, 655DC7AB, 655DC879, 655DC8A9, 655DC8E1, 655DC945, 655DC9F7, 655DCA90, 655DCB30, 655DCBE9, 655DCC26, 655DCC96, 655DCD57, 655DCDC8, 655DCE01, 655DCE51, 655DCEA1, 655DCEF1, 655DCF41, 655DCF89, 655DCFF8, 655DD068, 655DD09C, 655DD0C9, 655DD0F9, 655DD12C, 655DD1A4, 655DD1BD
b != NULL, xrefs: 655DC0A0, 655DC150, 655DC1F1, 655DC430, 655DC49A, 655DC50B, 655DC578, 655DC5E8, 655DC64C, 655DC6B8, 655DC75A, 655DC860, 655DC8FA, 655DC9DE, 655DCA77, 655DCB17, 655DCBD0, 655DCC58, 655DCCC8, 655DCDAF, 655DCF0A, 655DCF5A, 655DCFDF, 655DD04F
src/math/tfm_desc.c, xrefs: 655DBF34, 655DBF78, 655DBFC7, 655DC005, 655DC067, 655DC080, 655DC099, 655DC0B2, 655DC117, 655DC130, 655DC149, 655DC162, 655DC1D1, 655DC1EA, 655DC429, 655DC442, 655DC47A, 655DC493, 655DC4D2, 655DC4EB, 655DC504, 655DC53F, 655DC558, 655DC571, 655DC5AF, 655DC5C8, 655DC5E1, 655DC62C, 655DC645, 655DC67F, 655DC698, 655DC6B1, 655DC6F7, 655DC73A, 655DC753, 655DC7A4, 655DC7BD, 655DC827, 655DC840, 655DC859, 655DC872, 655DC8A2, 655DC8DA, 655DC8F3, 655DC93E, 655DC9D7, 655DC9F0, 655DCA57, 655DCA70, 655DCA89, 655DCAF7, 655DCB10, 655DCB29, 655DCB97, 655DCBB0, 655DCBC9, 655DCBE2, 655DCC1F, 655DCC38, 655DCC51, 655DCC8F, 655DCCA8, 655DCCC1, 655DCD37, 655DCD50, 655DCDA8, 655DCDC1, 655DCDFA, 655DCE13, 655DCE4A, 655DCE63, 655DCE9A, 655DCEB3, 655DCEEA, 655DCF03, 655DCF3A, 655DCF53, 655DCF82, 655DCFD8, 655DCFF1, 655DD048, 655DD061, 655DD095, 655DD0C2, 655DD0F2, 655DD125, 655DD19D, 655DD1B6

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID:
String ID: a != NULL$b != NULL$c != NULL$d != NULL$src/math/tfm_desc.c
API String ID: 0-1480740242
Opcode ID: 7c7bd4ba0b3e25ae8a6753b3d7c54dee5c41c578796af4c7dccc66bdf6b24d26
Instruction ID: 4f28f6b21660ea1bc6565a7366adf57d69a78a845c566b27ad74431eaf7f54df
Opcode Fuzzy Hash: 7c7bd4ba0b3e25ae8a6753b3d7c54dee5c41c578796af4c7dccc66bdf6b24d26
Instruction Fuzzy Hash: CD921663B1190195FF04DBACDD483B9A2B2FB95385FC0D615DD1A83750EB2EC296CB84

Function 00007FF611306640 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 102
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF61130665B
free.MSVCRT ref: 00007FF61130676B

Strings

Failed to get _MEIPASS as PyObject., xrefs: 00007FF611306799
_MEIPASS, xrefs: 00007FF611306690
strict, xrefs: 00007FF611306660
_MEIPASS2, xrefs: 00007FF611306642
Module object for %s is NULL!, xrefs: 00007FF611306736
utf-8, xrefs: 00007FF611306667

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: freestrlen
String ID: Failed to get _MEIPASS as PyObject.$Module object for %s is NULL!$_MEIPASS$_MEIPASS2$strict$utf-8
API String ID: 322734593-568040347
Opcode ID: c86c3118278ee8bfe6f245b6e564e2c1b0f4dc624b45d7fcaba12a39e257e185
Instruction ID: 7bcf295ad4f60ec43ae5b7e1d170a4cc9280a7ab8b1c0b0d48950769be05d882
Opcode Fuzzy Hash: c86c3118278ee8bfe6f245b6e564e2c1b0f4dc624b45d7fcaba12a39e257e185
Instruction Fuzzy Hash: 64414166A19E0681EB15AB22E81407963A9BF45FF0B484031DE1DC73A8EF3CE446D340

Function 00007FF611308BB0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF611308BCE
free.MSVCRT ref: 00007FF611308CA5

Strings

_MEIPASS2, xrefs: 00007FF611308BB4

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: freemalloc
String ID: _MEIPASS2
API String ID: 3061335427-3944641314
Opcode ID: bdde55cfa16026eebf9a339662736028ea2731d0b4dd98c6b30f895782374b5d
Instruction ID: 31d736820ee6db04093ef4c6f9896fd2b50ee26e50706fd6a4c1a1260301bf2d
Opcode Fuzzy Hash: bdde55cfa16026eebf9a339662736028ea2731d0b4dd98c6b30f895782374b5d
Instruction Fuzzy Hash: 0C21B012B5AD5681FF11DA2299047FAD6A96F45FE8F880471DE0CCB68AEE3DE542C200

Function 00007FF611307020 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF61130702E

Strings

Cannot allocate memory for SPLASH_STATUS., xrefs: 00007FF61130703D
calloc, xrefs: 00007FF611307044

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: calloc
String ID: Cannot allocate memory for SPLASH_STATUS.$calloc
API String ID: 2635317215-799113134
Opcode ID: f2af3c9f5e49862c4fdb12449ad5d52b59e493735a903b8862745a60d1d68c81
Instruction ID: a4db885e7fb9adeb9a252c813abdb801886f8b64749be8aa9518b9d365af448b
Opcode Fuzzy Hash: f2af3c9f5e49862c4fdb12449ad5d52b59e493735a903b8862745a60d1d68c81
Instruction Fuzzy Hash: BBE01265E08E0280EF159710A4511B923A8FF85BA4F944138DA4CC77EDED3CE545CB84

Function 00007FF6113022C0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FF6113023D2

Strings

pyi-contents-directory, xrefs: 00007FF61130238B

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: strcpy
String ID: pyi-contents-directory
API String ID: 3177657795-2617349511
Opcode ID: 5bf9b9d7ed3ee3d6fd6229c4798420956e625b75858e8fae20c676d5f28f119e
Instruction ID: beb355618fcbd02f6dbb066d42b8b7063f3f3d2d4380c325e3a1015924a389ef
Opcode Fuzzy Hash: 5bf9b9d7ed3ee3d6fd6229c4798420956e625b75858e8fae20c676d5f28f119e
Instruction Fuzzy Hash: CA318362B09E8284FB619A65E8083F91399AF44FE4F484131ED0DCB78EDE3CE545C710

Function 00007FF611310060 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fsetpos.MSVCRT ref: 00007FF611310105

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fsetpos
String ID:
API String ID: 850078086-0
Opcode ID: 465717a23ec0afd49ac1cc4503031fffc665e619fc2808689674e9d738e7ebcb
Instruction ID: 8fbe51eea9154128745f2afa209e5bb9ad3423301091d52a15b8e6968331372a
Opcode Fuzzy Hash: 465717a23ec0afd49ac1cc4503031fffc665e619fc2808689674e9d738e7ebcb
Instruction Fuzzy Hash: FD113376F04F469AEB109F7588450AC33B8AB09BA8F504A35EE5D8779DDF38D1918350

Function 00007FF6113087C0 Relevance: 3.0, APIs: 2, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

LoadLibraryExW.KERNEL32 ref: 00007FF6113087E1
free.MSVCRT ref: 00007FF6113087ED

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWidefree
String ID:
API String ID: 3231889924-0
Opcode ID: 535df131c80773ec3641a450554190b52356524c405bfe3dafee0d4a050d7bfd
Instruction ID: de2bf407348129cdc7b76e2490877ad15588131068c4672d58f9951828f273ec
Opcode Fuzzy Hash: 535df131c80773ec3641a450554190b52356524c405bfe3dafee0d4a050d7bfd
Instruction Fuzzy Hash: BAD05E11F2A57A01EF98B3773C1A6A611991F8DFF0E889434DC0D8B749FC2D95828740

Function 00007FF61130FF1B Relevance: 2.6, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61130FD30: wcslen.MSVCRT ref: 00007FF61130FD66

free.MSVCRT ref: 00007FF61130FF5F
memset.MSVCRT ref: 00007FF61130FF7C

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: freememsetwcslen
String ID:
API String ID: 2332356550-0
Opcode ID: c2e1b32b20ba580d70b52182103e0aee796dda81a15ec91a94acdf2495544fb0
Instruction ID: c57a86ef9d78d6b86cf63e6b8d1460ce5ac0b377950596c0c4f38e4305235a93
Opcode Fuzzy Hash: c2e1b32b20ba580d70b52182103e0aee796dda81a15ec91a94acdf2495544fb0
Instruction Fuzzy Hash: BE31B466B04B1489EB14CF7AD48109C3BB5FB98BA8B108526EE1C57B6CEB38C591C790

Function 65640AD0 Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 65640B0E

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4f343b87695161a5d18254556ffb36e1b7b87a5952e54c1e2f269dc1fb69e6c3
Instruction ID: d99ca083c67c347cd19ee18d55c82c78793cd12b79b1ca4db7d4a6c713e6bf4b
Opcode Fuzzy Hash: 4f343b87695161a5d18254556ffb36e1b7b87a5952e54c1e2f269dc1fb69e6c3
Instruction Fuzzy Hash: 24F01C6037D53085EB318539CB20F9679516723BBDF60C106D9661EEA0D56BC285CF0A

Function 00007FF611304650 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

_wfopen.MSVCRT ref: 00007FF611304695

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWide_wfopen
String ID:
API String ID: 372205238-0
Opcode ID: 8e21174acb464d8d1757056906152d011765c52c98c26f0b73aa27ab55bd4878
Instruction ID: 6b06dd2b62576c8f81ae7b8d371d63d0cc2b2708278ba82037bfd7d4375f0b85
Opcode Fuzzy Hash: 8e21174acb464d8d1757056906152d011765c52c98c26f0b73aa27ab55bd4878
Instruction Fuzzy Hash: 90E09251B0861041EA14A222A9143E9829A6F49FE0F448030EE0C9BB8E9D1DD2438701

Function 00007FFD930B2B53 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32 ref: 00007FFD932A91BF

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: 7a7abb42e1da2373a447522d0703c239a0e1054588c5a2e88d83da34d31c41e1
Instruction ID: 2424605fa26b5d053d7b12a72e659be14e01e7d936ba5157a17ceeea092ec2bf
Opcode Fuzzy Hash: 7a7abb42e1da2373a447522d0703c239a0e1054588c5a2e88d83da34d31c41e1
Instruction Fuzzy Hash: F8C01265F4500387FB1827798C7626911595F44710FD08038F10ED27D0CD0C58599700

Function 6563DB10 Relevance: 1.5, APIs: 1, Instructions: 213COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6563DDB2

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 39845fe85abc8515df8a10b1327270222ed7b3955be2a785a19ce327db88efc3
Instruction ID: 132fbdd26fff374f7cf2d351cad36bb92939a0d2f90e5bbda1858fdc9c0c2c88
Opcode Fuzzy Hash: 39845fe85abc8515df8a10b1327270222ed7b3955be2a785a19ce327db88efc3
Instruction Fuzzy Hash: F191CAB2605BA482EB548F26D0523993BB5F705FDCF18611ACE9E1BB99CB38C495C380

Function 00007FF61130D990 Relevance: 1.3, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF61130DA4A

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: a1c7189d00abfc9b8276c972b3be7d95addfd7c87cd30e887ec7055d5bdc4fb6
Instruction ID: 63dee087bdf0a544bbbe868f2dc468b06e5b9f19f7c972023103ac7626a25950
Opcode Fuzzy Hash: a1c7189d00abfc9b8276c972b3be7d95addfd7c87cd30e887ec7055d5bdc4fb6
Instruction Fuzzy Hash: 6131F326F08B1599FB109BA6D4443BC37F8A704BA8F904076DE8CA7B98DF3C9691C754

Function 00007FF61130A920 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF61130A889

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 70144d6ec82bfe141b5cbf93c26a1062560a1e9f03a4e2e5c767b20eb75f5ad6
Instruction ID: 36b0b58fb2304a27edfa2adfe9f5b024120aca135dc81ba736022c0fecf52110
Opcode Fuzzy Hash: 70144d6ec82bfe141b5cbf93c26a1062560a1e9f03a4e2e5c767b20eb75f5ad6
Instruction Fuzzy Hash: B0216D22B09E0686EB614B19A4403393AD9AB44FF4F294334C94EC73D8DF39D983D340

Function 6563DF90 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,?,00000000,?,65620E00,00000000,?,?,655D3D06,?,?,?,?,?,?), ref: 6563DF9F

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 6d5a5068f8737ec916e8a16d7766cd4028a32b3106eec7618bac94735153682a
Instruction ID: ecd2a7cf14ba2ba2ec5fba9e668081c644534c6d0695b4bcd49c0b1cf6bf393d
Opcode Fuzzy Hash: 6d5a5068f8737ec916e8a16d7766cd4028a32b3106eec7618bac94735153682a
Instruction Fuzzy Hash: 17D02262B87A5081C50C8B577C402988282275EBE0E48C4308E4C87304EC280093C300

Function 6563E010 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 6563E020

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 59eabad26ca4bc0f09825227a2a1e64669a24db1d1228eb4b05c6605dca3421f
Instruction ID: 0461b1dea6cc65391c1b5cd92fb44d3b9dee5cc20ee36312cf4eed87a31d761c
Opcode Fuzzy Hash: 59eabad26ca4bc0f09825227a2a1e64669a24db1d1228eb4b05c6605dca3421f
Instruction Fuzzy Hash: 50C08CA6A02A00C2FF094BA2F85133422A0AB6CF06F285040CE2A46301DB2C48B4C310

Non-executed Functions

Function 655D3480 Relevance: 72.1, APIs: 35, Strings: 6, Instructions: 355networkstringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 655D34A2
WSAStartup.WS2_32 ref: 655D34B4
gethostbyname.WS2_32 ref: 655D34F9
socket.WS2_32 ref: 655D3536
htons.WS2_32 ref: 655D355D
ioctlsocket.WS2_32 ref: 655D3592
connect.WS2_32 ref: 655D35AA
ioctlsocket.WS2_32 ref: 655D35CC
send.WS2_32 ref: 655D3604
WSAGetLastError.WS2_32 ref: 655D360D
closesocket.WS2_32 ref: 655D3618
WSACleanup.WS2_32 ref: 655D361E
SetLastError.KERNEL32 ref: 655D3626
recv.WS2_32 ref: 655D367C
closesocket.WS2_32 ref: 655D3694
WSACleanup.WS2_32 ref: 655D369A
strstr.MSVCRT ref: 655D36AA
strstr.MSVCRT ref: 655D36D5
toupper.MSVCRT ref: 655D36EA
toupper.MSVCRT ref: 655D36F9
toupper.MSVCRT ref: 655D3708
toupper.MSVCRT ref: 655D3717
strstr.MSVCRT ref: 655D3778
memcmp.MSVCRT ref: 655D382F
memcmp.MSVCRT ref: 655D384D
_mktime64.MSVCRT ref: 655D38F4
gethostbyname.WS2_32 ref: 655D392E
WSAGetLastError.WS2_32 ref: 655D3947
ioctlsocket.WS2_32 ref: 655D3964
WSAGetLastError.WS2_32 ref: 655D3966
WSAGetLastError.WS2_32 ref: 655D3970
WSACleanup.WS2_32 ref: 655D3978
SetLastError.KERNEL32 ref: 655D3980
select.WS2_32 ref: 655D39FA
ioctlsocket.WS2_32 ref: 655D3A16

Strings

Dec, xrefs: 655D383D
Nov, xrefs: 655D381F
HEAD /%s HTTP/1.1Host: %sUser-Agent: PYARMOR.COREConnection: close, xrefs: 655D34D7, 655D390F
and,, xrefs: 655D348B
or,, xrefs: 655D3486
http://, xrefs: 655D3489

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: ErrorLast$ioctlsockettoupper$Cleanupstrstr$closesocketgethostbynamememcmp$Startup_mktime64connecthtonsrecvselectsendsocketstrchr
String ID: Dec$HEAD /%s HTTP/1.1Host: %sUser-Agent: PYARMOR.COREConnection: close$Nov$and,$http://$or,
API String ID: 3493847099-1714119496
Opcode ID: 9afb767975e33e2b9d9cd3452f2ed2fc400f48b80fcd6c6cddda133a68a5f2c0
Instruction ID: 3896cd6c530369e2d64b8908d9846f8f6c076cce19ba745327b2dd297dd88c35
Opcode Fuzzy Hash: 9afb767975e33e2b9d9cd3452f2ed2fc400f48b80fcd6c6cddda133a68a5f2c0
Instruction Fuzzy Hash: 98E12673708AC186E710CF28E84875EBBB1F345B99F458325CA664BB98EB3DC14AC745

Function 655D4710 Relevance: 63.4, APIs: 30, Strings: 6, Instructions: 406memorystringCOMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32 ref: 655D47D9
GetProcessHeap.KERNEL32 ref: 655D4814
HeapAlloc.KERNEL32 ref: 655D4829
GetAdaptersAddresses.IPHLPAPI ref: 655D4859
strlen.MSVCRT ref: 655D4887
GetProcessHeap.KERNEL32 ref: 655D48AB
HeapFree.KERNEL32 ref: 655D48B6
malloc.MSVCRT ref: 655D4942

Strings

SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, xrefs: 655D4C6E
89abcdef, xrefs: 655D477E
01234567, xrefs: 655D476C
Characteristics, xrefs: 655D4DAE
NetCfgInstanceId, xrefs: 655D4D54
:[sc, xrefs: 655D4759

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Heap$Process$AdaptersAddressesAllocComputerFreeNamemallocstrlen
String ID: 01234567$89abcdef$:[sc$Characteristics$NetCfgInstanceId$SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
API String ID: 1478035857-3618987999
Opcode ID: a2a06f18a30ccc7ce6431cacb19e7b6ddc4f54a7aadf24aaca0f3f9b0134f156
Instruction ID: 6498aeac7ebd99c4eced5d86e7b2689e047e60fb84f52bd37c6f5930d0dc038e
Opcode Fuzzy Hash: a2a06f18a30ccc7ce6431cacb19e7b6ddc4f54a7aadf24aaca0f3f9b0134f156
Instruction Fuzzy Hash: 51F17F73319B90C6EB20CB1AB844B9BB7A6F785B84F448225DEC947B58DB7DC005CB49

Function 00007FF611307F60 Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 188COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF611307FC1
free.MSVCRT ref: 00007FF611307FCC

Part of subcall function 00007FF611309420: wcslen.MSVCRT ref: 00007FF611309429

_wfullpath.MSVCRT ref: 00007FF611307FF4
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF61130805D
wcschr.MSVCRT(?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF611308068
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF61130807A
_wputenv_s.MSVCRT ref: 00007FF611308086
free.MSVCRT ref: 00007FF611308091
GetTempPathW.KERNEL32 ref: 00007FF6113080AB
_getpid.MSVCRT(?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF6113080B1
_wtempnam.MSVCRT ref: 00007FF6113080DA
free.MSVCRT ref: 00007FF6113080EF
free.MSVCRT ref: 00007FF611308119

Part of subcall function 00007FF611307E30: GetEnvironmentVariableW.KERNEL32 ref: 00007FF611307E5C

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

_wcsdup.MSVCRT ref: 00007FF61130813B

Strings

TMP, xrefs: 00007FF61130807C
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF6113081F8
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF611308210
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6113081E0
_MEIPASS2, xrefs: 00007FF611307F69
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF611308221
_MEI%d, xrefs: 00007FF6113080B6
TMP, xrefs: 00007FF611307F88, 00007FF611308107, 00007FF61130818F, 00007FF6113081B5, 00007FF611308237

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: free$CreateDirectoryEnvironment$ByteCharExpandMultiPathStringsTempVariableWide_getpid_wcsdup_wfullpath_wputenv_s_wtempnamwcschrwcslen
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.$LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d$_MEIPASS2
API String ID: 2274789544-3119237222
Opcode ID: 3b840c5506bd6fd7349de0f788188c7a37745e8f39f2dcd91eb27e463c901c61
Instruction ID: 727f2a12e79b7da31d9e4b5a610f38af72b660992e3f0f6dfc138cee1b0007ad
Opcode Fuzzy Hash: 3b840c5506bd6fd7349de0f788188c7a37745e8f39f2dcd91eb27e463c901c61
Instruction Fuzzy Hash: 62612A21F49E5681FB59BB66A8192BA52E9AF49FE0F484431DD0ED778EED2CE405C300

Function 00007FF611302710 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF611302743
MulDiv.KERNEL32 ref: 00007FF611302760
MulDiv.KERNEL32 ref: 00007FF611302779
SystemParametersInfoW.USER32 ref: 00007FF6113027BF
LoadIconMetric.COMCTL32 ref: 00007FF6113027F3
CreateWindowExW.USER32 ref: 00007FF611302851
CreateWindowExW.USER32 ref: 00007FF6113028AB
CreateWindowExW.USER32 ref: 00007FF61130290C
CreateWindowExW.USER32 ref: 00007FF61130296E
SendMessageW.USER32 ref: 00007FF611302991
SendMessageW.USER32 ref: 00007FF6113029A9
SendMessageW.USER32 ref: 00007FF6113029C4
SendMessageW.USER32 ref: 00007FF6113029E1
SendMessageW.USER32 ref: 00007FF6113029FC
SendMessageW.USER32 ref: 00007FF611302A17
SendMessageW.USER32 ref: 00007FF611302A32
SendMessageW.USER32 ref: 00007FF611302A46
SendMessageW.USER32 ref: 00007FF611302A5B
GetClientRect.USER32 ref: 00007FF611302A66
CreateFontIndirectW.GDI32 ref: 00007FF611302A88

Strings

, xrefs: 00007FF6113027AD
STATIC, xrefs: 00007FF6113027EC
EDIT, xrefs: 00007FF6113028C2
Failed to execute script '%ls' due to unhandled exception: %ls, xrefs: 00007FF61130271B
BUTTON, xrefs: 00007FF611302924
Close, xrefs: 00007FF611302914

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: MessageSend$Create$Window$BaseClientDialogFontIconIndirectInfoLoadMetricParametersRectSystemUnits
String ID: $BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 3223904152-1365983254
Opcode ID: 23d76df661166ccc8bf8808f21f1e890a82357284aeaf219810838731c85fa8c
Instruction ID: 71ff43d844c84a8a613212993264d43aaf56f03bbba0739b1e19ffdf6de324d7
Opcode Fuzzy Hash: 23d76df661166ccc8bf8808f21f1e890a82357284aeaf219810838731c85fa8c
Instruction Fuzzy Hash: 58917736218B9582E7508F61E45479A7764F788BD8F24413AEE8C4BB9CCF7EC185CB50

Function 655C38D6 Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 418stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 655C3989
free.MSVCRT ref: 655C399E
malloc.MSVCRT ref: 655C39AA
memcpy.MSVCRT ref: 655C39CC
_Py_Dealloc.PYTHON311 ref: 655C39F2

Strings

N+, xrefs: 655C429D
%s (%d:%d), xrefs: 655C3D9F, 655C3E26, 655C3E8B, 655C3F51, 655C42AB

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Deallocfreemallocmemcpystrcmp
String ID: %s (%d:%d)$N+
API String ID: 2421945241-2748867177
Opcode ID: ee4242ee41b193a42d94519b6a8b0116eb396db683662b50cbf8477bce9514d9
Instruction ID: 52ab15b8704c81bc7e8fba4193c0447d62dd4095ab519d2d5a0cfcade352836e
Opcode Fuzzy Hash: ee4242ee41b193a42d94519b6a8b0116eb396db683662b50cbf8477bce9514d9
Instruction Fuzzy Hash: E7F15632348B4486EB10CF65D89875D3771FB86B9AF88865ADEAA0B794DF3DC111C702

Function 655C2C80 Relevance: 42.3, APIs: 20, Strings: 4, Instructions: 282librarystringloaderCOMMON

Download Yara Rule

APIs

PyEval_GetGlobals.PYTHON311 ref: 655C2CE4
PyFunction_NewWithQualName.PYTHON311 ref: 655C2CF3
_PyObject_CallFunction_SizeT.PYTHON311 ref: 655C2D2F
_Py_Dealloc.PYTHON311 ref: 655C2D71
PyErr_Format.PYTHON311 ref: 655C2E4A
GetProcAddress.KERNEL32 ref: 655C2E6A
strlen.MSVCRT ref: 655C2E82
PyErr_Format.PYTHON311 ref: 655C3147

Part of subcall function 655CE6E0: PyList_New.PYTHON311 ref: 655CE71B
Part of subcall function 655CE6E0: PyErr_Occurred.PYTHON311 ref: 655CE73A
Part of subcall function 655CE6E0: PyMem_Free.PYTHON311 ref: 655CE768

_Py_Dealloc.PYTHON311 ref: 655C2F99
_Py_Dealloc.PYTHON311 ref: 655C2FAD
_Py_Dealloc.PYTHON311 ref: 655C2FD9
_Py_Dealloc.PYTHON311 ref: 655C3003
_Py_Dealloc.PYTHON311 ref: 655C3013

Strings

/proc/se, xrefs: 655C2DA0
lf/exe, xrefs: 655C2DB2
z(, xrefs: 655C30C8
%s (%d:%d), xrefs: 655C2E43, 655C3071, 655C30D6, 655C3140

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Dealloc$Err_$FormatFunction_$AddressCallEval_FreeGlobalsList_Mem_NameObject_OccurredProcQualSizeWithstrlen
String ID: %s (%d:%d)$/proc/se$lf/exe$z(
API String ID: 3243918594-3850701646
Opcode ID: 247711cc8750c9647cd6b3fe3b2e3546c073088cc010281dfbb464265b1a000f
Instruction ID: f790aeaffac7158bc616b9d1a88099f53dddadac081fd26329426cfdd115c343
Opcode Fuzzy Hash: 247711cc8750c9647cd6b3fe3b2e3546c073088cc010281dfbb464265b1a000f
Instruction Fuzzy Hash: 45B19D71304B8885EF10CFAAEC983593362F786F95F895569EDAA077A4DF2DC502C342

Function 655CF240 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

_PyErr_SetString.PYTHON311 ref: 655CF2CD
_Py_Dealloc.PYTHON311 ref: 655CF2E5
_PyErr_SetString.PYTHON311 ref: 655CF31E
_Py_Dealloc.PYTHON311 ref: 655CF331
_Py_CheckFunctionResult.PYTHON311 ref: 655CF434
_PyErr_GetTopmostException.PYTHON311 ref: 655CF465
PyException_GetTraceback.PYTHON311 ref: 655CF490
_PyErr_Restore.PYTHON311 ref: 655CF4A2

Strings

calling %R should have returned an instance of BaseException, not %R, xrefs: 655CF52C
No active exception to reraise, xrefs: 655CF4F7
exception causes must derive from BaseException, xrefs: 655CF2C0
exceptions must derive from BaseException, xrefs: 655CF311

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$DeallocString$CheckExceptionException_FunctionRestoreResultTopmostTraceback
String ID: No active exception to reraise$calling %R should have returned an instance of BaseException, not %R$exception causes must derive from BaseException$exceptions must derive from BaseException
API String ID: 2601484037-3751834042
Opcode ID: 8ba1f6017095ec3cedd976614c960a210503e3d01fcd907734c4866b344e0e40
Instruction ID: f41d6a088aa836fc2c3bf083b839ce0e8a0444c786563c40d6b61090b04d48a3
Opcode Fuzzy Hash: 8ba1f6017095ec3cedd976614c960a210503e3d01fcd907734c4866b344e0e40
Instruction Fuzzy Hash: 03810476304A4592EB05CFA6ED5876AB3A1BB85FD9F88406ACF5A07B24DF3DC051C342

Function 655D1FE0 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 156memoryfileCOMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 655D202C
CreateFileA.KERNEL32 ref: 655D2060
GlobalAlloc.KERNEL32 ref: 655D207A
DeviceIoControl.KERNEL32 ref: 655D20F4
GlobalFree.KERNEL32 ref: 655D210A
_snprintf.MSVCRT ref: 655D2147
CreateFileA.KERNEL32 ref: 655D2174
GlobalAlloc.KERNEL32 ref: 655D2195
GlobalAlloc.KERNEL32 ref: 655D21A4
DeviceIoControl.KERNEL32 ref: 655D21EC
GlobalFree.KERNEL32 ref: 655D2205
GlobalFree.KERNEL32 ref: 655D220A
CloseHandle.KERNEL32 ref: 655D2214
GlobalFree.KERNEL32 ref: 655D2236

Part of subcall function 655D1C90: GetLastError.KERNEL32 ref: 655D1C94
Part of subcall function 655D1C90: FormatMessageA.KERNEL32 ref: 655D1CC5
Part of subcall function 655D1C90: LocalFree.KERNEL32 ref: 655D1CE6

Strings

/%d:, xrefs: 655D1FE6
../src/platforms/windows/hdinfo.c, xrefs: 655D2117
\\.\Scsi%d, xrefs: 655D1FF5
SCSIDISK, xrefs: 655D20A4
Empty serial number, xrefs: 655D2110
\\.\PhysicalDrive%d, xrefs: 655D213B

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Global$Free$Alloc$ControlCreateDeviceFile_snprintf$CloseErrorFormatHandleLastLocalMessage
String ID: ../src/platforms/windows/hdinfo.c$/%d:$Empty serial number$SCSIDISK$\\.\PhysicalDrive%d$\\.\Scsi%d
API String ID: 1119308327-3953537554
Opcode ID: a4f73a8c55f752131cfff48b1cbc1c5c221bfaee8996120c7e8e752da0d811c9
Instruction ID: feb47aa9529fd730e1430cb76b398285d99e96e23acfc6bb75024a7bacafbb22
Opcode Fuzzy Hash: a4f73a8c55f752131cfff48b1cbc1c5c221bfaee8996120c7e8e752da0d811c9
Instruction Fuzzy Hash: 1F51F132304A8486E7508F66FC1874A7B55F789BE9F444225EE5A0BBE4CF3EC546C744

Function 655D31A0 Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 149networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 655D31FF
gethostbyname.WS2_32 ref: 655D3210
socket.WS2_32 ref: 655D323D
setsockopt.WS2_32 ref: 655D3275
setsockopt.WS2_32 ref: 655D3298
htons.WS2_32 ref: 655D32BB
sendto.WS2_32 ref: 655D3339
recvfrom.WS2_32 ref: 655D337E
ntohl.WS2_32 ref: 655D339F
ntohl.WS2_32 ref: 655D33A9
closesocket.WS2_32 ref: 655D33CE
WSACleanup.WS2_32 ref: 655D33D4
WSAGetLastError.WS2_32 ref: 655D33E0
closesocket.WS2_32 ref: 655D33EB
WSACleanup.WS2_32 ref: 655D33F1
SetLastError.KERNEL32 ref: 655D3400
WSAGetLastError.WS2_32 ref: 655D3420
WSACleanup.WS2_32 ref: 655D3428
SetLastError.KERNEL32 ref: 655D3437

Strings

and,, xrefs: 655D31A7
or,, xrefs: 655D31A2
http://, xrefs: 655D31A5

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: ErrorLast$Cleanup$closesocketntohlsetsockopt$Startupgethostbynamehtonsrecvfromsendtosocket
String ID: and,$http://$or,
API String ID: 1750001962-2642771825
Opcode ID: ac908f9a647537c59e5159757bf4edb9f7350e11fa443e029558993d3dbf3d4c
Instruction ID: a94b9126e5892ea2b24d641bf68394bf595295f54b44855c1fba93b71b02ad5f
Opcode Fuzzy Hash: ac908f9a647537c59e5159757bf4edb9f7350e11fa443e029558993d3dbf3d4c
Instruction Fuzzy Hash: 66519232304B8086E7108B29F85871AB7A1F789BB5F540329EEA947BE4DF7DC449CB41

Function 655D2390 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 171fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 655D23B5
wsprintfA.USER32 ref: 655D23C7
CreateFileA.KERNEL32 ref: 655D23F4
memset.MSVCRT ref: 655D2433
DeviceIoControl.KERNEL32 ref: 655D2469
CloseHandle.KERNEL32 ref: 655D2476
isxdigit.MSVCRT ref: 655D24F3
isxdigit.MSVCRT ref: 655D2520
isprint.MSVCRT ref: 655D254B
memcpy.MSVCRT ref: 655D25DB
CloseHandle.KERNEL32 ref: 655D25E3

Strings

/%d:, xrefs: 655D2396
\\.\PhysicalDrive%d, xrefs: 655D23C0

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: CloseHandleisxdigitmemset$ControlCreateDeviceFileisprintmemcpywsprintf
String ID: /%d:$\\.\PhysicalDrive%d
API String ID: 2355516209-72258043
Opcode ID: 23ca530a71485b923bb56634c81bac0a6854ad57cf9354958a780a15327ad4ca
Instruction ID: 168fc219271978ed4de27a2302d44774f6627270f346c04f0e123d56d10bc8cc
Opcode Fuzzy Hash: 23ca530a71485b923bb56634c81bac0a6854ad57cf9354958a780a15327ad4ca
Instruction Fuzzy Hash: 9551057330CB8085E711CB2AEC5875BFB92BB82798F444225EEA547B99DB7EC148C744

Function 655E4530 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 110encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 655E4586
CryptAcquireContextA.ADVAPI32 ref: 655E45A6
CryptGenRandom.ADVAPI32 ref: 655E45B7
CryptReleaseContext.ADVAPI32 ref: 655E45CD
clock.MSVCRT ref: 655E4610
clock.MSVCRT ref: 655E4623
clock.MSVCRT ref: 655E462C
clock.MSVCRT ref: 655E4643

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 655E4575, 655E459C
(, xrefs: 655E458E
src/prngs/rng_get_bytes.c, xrefs: 655E4690
out != NULL, xrefs: 655E4697

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Cryptclock$Context$Acquire$RandomRelease
String ID: ($Microsoft Base Cryptographic Provider v1.0$out != NULL$src/prngs/rng_get_bytes.c
API String ID: 2525729555-3762154145
Opcode ID: d01d45094c82ff83c1900061e6dd3bc7f3301a895776b6cf7dda1b35aacd282a
Instruction ID: e58e54692462242c1fdc6e7e2557521506856d5706106ad9859abb0a4baffbd9
Opcode Fuzzy Hash: d01d45094c82ff83c1900061e6dd3bc7f3301a895776b6cf7dda1b35aacd282a
Instruction Fuzzy Hash: 0931D83230CA50C1EB10CF66FC4875A76A6B7897D8F409025DE8A83714DF7AC586C741

Function 00007FFD930B266C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFD9327DCB1
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD9327DCD2
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD9327DCED
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD9327DD08
GetEnvironmentVariableW.KERNEL32 ref: 00007FFD9327DD50
WideCharToMultiByte.KERNEL32 ref: 00007FFD9327DD86
WideCharToMultiByte.KERNEL32 ref: 00007FFD9327DDDB

Strings

HOME, xrefs: 00007FFD9327DCC0
SYSTEMROOT, xrefs: 00007FFD9327DCF9
RANDFILE, xrefs: 00007FFD9327DC99
USERPROFILE, xrefs: 00007FFD9327DCDE
.rnd, xrefs: 00007FFD9327DE8A

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: EnvironmentVariable$ByteCharMultiWide
String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
API String ID: 2184640988-1666712896
Opcode ID: 419c88fdedd40b7a4bd6282dbefca93637e627fdfe4ba8766129e23dca955196
Instruction ID: 7cb6b4904630aea12a0f7e91f98e7d2f3e73f9e9409373c9c36e412829e21fd8
Opcode Fuzzy Hash: 419c88fdedd40b7a4bd6282dbefca93637e627fdfe4ba8766129e23dca955196
Instruction Fuzzy Hash: F1611A26718B8286EB21AFA2986017967E9FF95BA4B944235DE1E637D4DF3DE005C300

Function 00007FFD930B5A1F Relevance: 13.6, APIs: 9, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFD932F5BBC
memset.VCRUNTIME140 ref: 00007FFD932F5BE0
RtlCaptureContext.KERNEL32 ref: 00007FFD932F5BE9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFD932F5C03
RtlVirtualUnwind.KERNEL32 ref: 00007FFD932F5C44
memset.VCRUNTIME140 ref: 00007FFD932F5C77
IsDebuggerPresent.KERNEL32 ref: 00007FFD932F5C98
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFD932F5CB9
UnhandledExceptionFilter.KERNEL32 ref: 00007FFD932F5CC4

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 836932d6aed314119f7ddbe256598baef3b0bd20caf5fb751809a6c17d89e7ea
Instruction ID: 25910172d6ffe95653d617f1a8265d6024bc81a4a3a3b30aace14d41f491e4ef
Opcode Fuzzy Hash: 836932d6aed314119f7ddbe256598baef3b0bd20caf5fb751809a6c17d89e7ea
Instruction Fuzzy Hash: ED313D76708A82C6EB709FA1E8603EA7369FB84744F944039DA4E97A98DF3CD548C714

Function 6563F900 Relevance: 12.0, APIs: 8, Instructions: 50COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 6563F914
RtlLookupFunctionEntry.KERNEL32 ref: 6563F92B
RtlVirtualUnwind.KERNEL32 ref: 6563F96D
SetUnhandledExceptionFilter.KERNEL32 ref: 6563F9B1
UnhandledExceptionFilter.KERNEL32 ref: 6563F9BE
GetCurrentProcess.KERNEL32 ref: 6563F9C4
TerminateProcess.KERNEL32 ref: 6563F9D2
abort.MSVCRT ref: 6563F9D8

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: 6ad85b7cfbc7a52b106bcb33ee71a27bd56fb71e564510aab3933e9ec0d0410d
Instruction ID: 564f19d972da86d82649811458780db4fc5f1688f9817febc19d481c79d9adfe
Opcode Fuzzy Hash: 6ad85b7cfbc7a52b106bcb33ee71a27bd56fb71e564510aab3933e9ec0d0410d
Instruction Fuzzy Hash: D0210472350F44A9EB008F55FC8438A33A6BB08B96F845126EA4E57728EF3AC265C340

Function 655C3AC1 Relevance: 7.7, APIs: 5, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f645a68db3762830e810a3451719be7f6e62bfce9e17296ed75c52f8707522dd
Instruction ID: 27f91e278fb67372d37045930ec81c24e4f6cc9669eec799b6884df0495217c9
Opcode Fuzzy Hash: f645a68db3762830e810a3451719be7f6e62bfce9e17296ed75c52f8707522dd
Instruction Fuzzy Hash: 23A1F4B3308ADDA7C742CF69D00429FBBB0F705B0DB9AC449EB5A4A111D736D95AC742

Function 6563F820 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 6563F865
GetCurrentProcessId.KERNEL32 ref: 6563F870
GetCurrentThreadId.KERNEL32 ref: 6563F879
GetTickCount.KERNEL32 ref: 6563F881
QueryPerformanceCounter.KERNEL32 ref: 6563F88E

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: caebf993aaf1fac0d96827145f2accaa4e8670c55ef45c91e764b5a04bd635f3
Instruction ID: a95bf537698700109e6d97e5686221bb048d36cbf4159aeb0686cc11a2a1447b
Opcode Fuzzy Hash: caebf993aaf1fac0d96827145f2accaa4e8670c55ef45c91e764b5a04bd635f3
Instruction Fuzzy Hash: A5115E26755F9041FB508B25FC04355A2A1B748BB2F885735AE9D47BA8EF3DC495C700

Function 00007FFD930B4241 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d58eeaf8cd2fa5640d15759ddfc5afba554c71bdb7935a9bc8fe32cedcf6388
Instruction ID: dc01ecdc313615c6dd4e59cc2e015487f976ca272509e1461634f708a8953248
Opcode Fuzzy Hash: 6d58eeaf8cd2fa5640d15759ddfc5afba554c71bdb7935a9bc8fe32cedcf6388
Instruction Fuzzy Hash: 40F0E9323283E105CB65CA77B50CF592DD69391BC8F16C030D90CD3F58E92EC6018B40

Function 00007FFD930B572C Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b647e036b0e5ae8a118200442eb522906dc17efbe743a2891263b2f3e414abb
Instruction ID: 191262fc9528dab0aa81f25078ea3a72852f50af94685377317ea0315868d1bd
Opcode Fuzzy Hash: 8b647e036b0e5ae8a118200442eb522906dc17efbe743a2891263b2f3e414abb
Instruction Fuzzy Hash: B4E0DF737183A405C766CE737218E692A99A714B89F43C030DA0DE3F59EC2EC601CB40

Function 00007FF6113059C0 Relevance: 233.2, APIs: 44, Strings: 89, Instructions: 451libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000000,?,?,00007FF611303C0D), ref: 00007FF6113059D7
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF6113059F3
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A0F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A2B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A47
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A63
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A7F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305A9B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305AB7
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305AD3
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305AEF
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B0B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B27
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B43
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B5F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B7B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305B97
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305BB3
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305BCF
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305BEB
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C07
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C23
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C3F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C5B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C77
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305C93
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305CAF
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305CCB
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305CE7
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D03
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D1F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D3B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D57
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D73
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305D8F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305DAB
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305DC7
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305DE3
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305DFF
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305E1B
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305E37
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305E53
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305E6F
GetProcAddress.KERNEL32(?,00007FF611303C0D), ref: 00007FF611305E8B

Strings

PyErr_Fetch, xrefs: 00007FF611305B55
Py_InitializeFromConfig, xrefs: 00007FF611305A3D
Failed to get address for Py_InitializeFromConfig, xrefs: 00007FF611305EF1
PyImport_ExecCodeModule, xrefs: 00007FF611305C19
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF611306230
Failed to get address for PyObject_CallFunction, xrefs: 00007FF611306110
Failed to get address for PyUnicode_Replace, xrefs: 00007FF6113062A8
PyObject_CallFunction, xrefs: 00007FF611305CC1
PyErr_NormalizeException, xrefs: 00007FF611305B71
PyConfig_Read, xrefs: 00007FF611305AC9
Failed to get address for PyConfig_Clear, xrefs: 00007FF611305F1B
Failed to get address for PyUnicode_FromString, xrefs: 00007FF611306290
Failed to get address for PyConfig_InitIsolatedConfig, xrefs: 00007FF611305F60
PyMem_RawFree, xrefs: 00007FF611305C89
Failed to get address for PySys_SetObject, xrefs: 00007FF6113061E8
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF611306260
Py_ExitStatusException, xrefs: 00007FF611305A05
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF6113060C8
PyErr_Occurred, xrefs: 00007FF611305B8D
PyUnicode_Replace, xrefs: 00007FF611305E81
Failed to get address for PyErr_Fetch, xrefs: 00007FF611306008
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF6113060E0
PyConfig_SetBytesString, xrefs: 00007FF611305AE5
Failed to get address for PyModule_GetDict, xrefs: 00007FF611306128
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF611306218
PyUnicode_FromFormat, xrefs: 00007FF611305E2D
Py_IsInitialized, xrefs: 00007FF611305A59
PyImport_AddModule, xrefs: 00007FF611305BFD
Failed to get address for Py_PreInitialize, xrefs: 00007FF611305F30
PySys_SetObject, xrefs: 00007FF611305DBD
Failed to get address for PyObject_Str, xrefs: 00007FF611306170
Failed to get address for Py_ExitStatusException, xrefs: 00007FF611305EC7
PyEval_EvalCode, xrefs: 00007FF611305BE1
Failed to get address for PyMem_RawFree, xrefs: 00007FF611306140
PyErr_Restore, xrefs: 00007FF611305BC5
PyConfig_SetWideStringList, xrefs: 00007FF611305B1D
Failed to get address for PyImport_ImportModule, xrefs: 00007FF6113060B0
PyModule_GetDict, xrefs: 00007FF611305CA5
PyStatus_Exception, xrefs: 00007FF611305D85
Failed to get address for PyErr_Print, xrefs: 00007FF611306038
Failed to get address for PyEval_EvalCode, xrefs: 00007FF611306080
PySys_GetObject, xrefs: 00007FF611305DA1
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF6113061D0
PyConfig_SetString, xrefs: 00007FF611305B01
Failed to get address for PyPreConfig_InitIsolatedConfig, xrefs: 00007FF611306158
PyUnicode_FromString, xrefs: 00007FF611305E49
Failed to get address for PyConfig_SetBytesString, xrefs: 00007FF611305FA8
PyObject_GetAttrString, xrefs: 00007FF611305CF9
Py_DecRef, xrefs: 00007FF6113059CD
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF611305D4D
PyConfig_InitIsolatedConfig, xrefs: 00007FF611305AAD
Py_Finalize, xrefs: 00007FF611305A21
Failed to get address for Py_DecRef, xrefs: 00007FF611305EA6
Failed to get address for Py_IsInitialized, xrefs: 00007FF611305F48
Failed to get address for PyErr_Occurred, xrefs: 00007FF611305FD8
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF611306188
Failed to get address for Py_Finalize, xrefs: 00007FF611305F06
Failed to get address for PyErr_Clear, xrefs: 00007FF611306020
Failed to get address for PyUnicode_Join, xrefs: 00007FF611306278
PyErr_Clear, xrefs: 00007FF611305B39
PyImport_ImportModule, xrefs: 00007FF611305C35
PyUnicode_AsUTF8, xrefs: 00007FF611305DD9
PyConfig_Clear, xrefs: 00007FF611305A91
Failed to get address for PyList_Append, xrefs: 00007FF611306098
PyObject_SetAttrString, xrefs: 00007FF611305D15
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF6113060F8
PyRun_SimpleStringFlags, xrefs: 00007FF611305D69
PyUnicode_Join, xrefs: 00007FF611305E65
Failed to get address for PyConfig_Read, xrefs: 00007FF611305FC0
Py_PreInitialize, xrefs: 00007FF611305A75
PyUnicode_Decode, xrefs: 00007FF611305DF5
Py_DecodeLocale, xrefs: 00007FF6113059E9
Failed to get address for PyImport_AddModule, xrefs: 00007FF611306068
PyErr_Print, xrefs: 00007FF611305BA9
Failed to get address for PyErr_Restore, xrefs: 00007FF611306050
Failed to get address for PyStatus_Exception, xrefs: 00007FF6113061B8
Failed to get address for PySys_GetObject, xrefs: 00007FF611306200
PyObject_CallFunctionObjArgs, xrefs: 00007FF611305CDD
PyList_Append, xrefs: 00007FF611305C51
PyMarshal_ReadObjectFromString, xrefs: 00007FF611305C6D
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF6113061A0
Failed to get address for PyConfig_SetWideStringList, xrefs: 00007FF611305F78
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF611305FF0
Failed to get address for PyConfig_SetString, xrefs: 00007FF611305F90
PyUnicode_DecodeFSDefault, xrefs: 00007FF611305E11
Failed to get address for Py_DecodeLocale, xrefs: 00007FF611305EDC
Failed to get address for PyUnicode_Decode, xrefs: 00007FF611306248
PyObject_Str, xrefs: 00007FF611305D31
GetProcAddress, xrefs: 00007FF611305EAD, 00007FF611305ECE, 00007FF611305EE3, 00007FF611305EF8, 00007FF611305F0D, 00007FF611305F22, 00007FF611305F37, 00007FF611305F4F, 00007FF611305F67, 00007FF611305F7F, 00007FF611305F97, 00007FF611305FAF, 00007FF611305FC7, 00007FF611305FDF, 00007FF611305FF7, 00007FF61130600F, 00007FF611306027, 00007FF61130603F, 00007FF611306057, 00007FF61130606F, 00007FF611306087, 00007FF61130609F, 00007FF6113060B7, 00007FF6113060CF, 00007FF6113060E7, 00007FF6113060FF, 00007FF611306117, 00007FF61130612F, 00007FF611306147, 00007FF61130615F, 00007FF611306177, 00007FF61130618F, 00007FF6113061A7, 00007FF6113061BF, 00007FF6113061D7, 00007FF6113061EF, 00007FF611306207, 00007FF61130621F, 00007FF611306237, 00007FF61130624F, 00007FF611306267, 00007FF61130627F, 00007FF611306297, 00007FF6113062AF

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 190572456-4266016200
Opcode ID: 50e6ba4ab6fb6236e3085a79b8dda0dff8723994d665336298622606d247f3f2
Instruction ID: 7968e8721a7397b5826d877ad782a8669c129fe8c64f7ffa4e4c6d67a4746fe7
Opcode Fuzzy Hash: 50e6ba4ab6fb6236e3085a79b8dda0dff8723994d665336298622606d247f3f2
Instruction Fuzzy Hash: 7132B260A5DF0790EF19DB14A8511B823BDBF44BA0B94903AC44EC26ADEF7CF609D351

Function 00007FF611307680 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 324libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF61130769B
GetProcAddress.KERNEL32 ref: 00007FF6113076B7
GetProcAddress.KERNEL32 ref: 00007FF6113076D3
GetProcAddress.KERNEL32 ref: 00007FF6113076EF
GetProcAddress.KERNEL32 ref: 00007FF61130770B
GetProcAddress.KERNEL32 ref: 00007FF611307727
GetProcAddress.KERNEL32 ref: 00007FF611307743
GetProcAddress.KERNEL32 ref: 00007FF61130775F
GetProcAddress.KERNEL32 ref: 00007FF61130777B
GetProcAddress.KERNEL32 ref: 00007FF611307797
GetProcAddress.KERNEL32 ref: 00007FF6113077B3
GetProcAddress.KERNEL32 ref: 00007FF6113077CF
GetProcAddress.KERNEL32 ref: 00007FF6113077EB
GetProcAddress.KERNEL32 ref: 00007FF611307807
GetProcAddress.KERNEL32 ref: 00007FF611307823
GetProcAddress.KERNEL32 ref: 00007FF61130783F
GetProcAddress.KERNEL32 ref: 00007FF61130785B
GetProcAddress.KERNEL32 ref: 00007FF611307877
GetProcAddress.KERNEL32 ref: 00007FF611307893
GetProcAddress.KERNEL32 ref: 00007FF6113078AF
GetProcAddress.KERNEL32 ref: 00007FF6113078CB
GetProcAddress.KERNEL32 ref: 00007FF6113078E7
GetProcAddress.KERNEL32 ref: 00007FF611307903
GetProcAddress.KERNEL32 ref: 00007FF61130791F
GetProcAddress.KERNEL32 ref: 00007FF61130793B
GetProcAddress.KERNEL32 ref: 00007FF611307957
GetProcAddress.KERNEL32 ref: 00007FF611307973
GetProcAddress.KERNEL32 ref: 00007FF61130798F
GetProcAddress.KERNEL32 ref: 00007FF6113079AB
GetProcAddress.KERNEL32 ref: 00007FF6113079C7
GetProcAddress.KERNEL32 ref: 00007FF6113079E3

Strings

Tcl_EvalEx, xrefs: 00007FF61130794D
Failed to get address for Tcl_MutexLock, xrefs: 00007FF611307B18
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF611307AA0
Tcl_Free, xrefs: 00007FF6113079A1
Tk_Init, xrefs: 00007FF6113079BD
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF611307B60
Tcl_GetString, xrefs: 00007FF6113078A5
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF611307B78
Tcl_SetVar2Ex, xrefs: 00007FF6113078F9
Tcl_ConditionFinalize, xrefs: 00007FF6113077C5
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF611307A5E
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF611307B48
Tcl_Alloc, xrefs: 00007FF611307985
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF611307C20
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF611307BF0
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF611307A88
Tcl_NewStringObj, xrefs: 00007FF6113078C1
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF611307C80
Tcl_MutexLock, xrefs: 00007FF61130778D
GetProcAddress, xrefs: 00007FF611307A06, 00007FF611307A26, 00007FF611307A3B, 00007FF611307A50, 00007FF611307A65, 00007FF611307A7A, 00007FF611307A8F, 00007FF611307AA7, 00007FF611307ABF, 00007FF611307AD7, 00007FF611307AEF, 00007FF611307B07, 00007FF611307B1F, 00007FF611307B37, 00007FF611307B4F, 00007FF611307B67, 00007FF611307B7F, 00007FF611307B97, 00007FF611307BAF, 00007FF611307BC7, 00007FF611307BDF, 00007FF611307BF7, 00007FF611307C0F, 00007FF611307C27, 00007FF611307C3F, 00007FF611307C57, 00007FF611307C6F, 00007FF611307C87, 00007FF611307C9F, 00007FF611307CB7, 00007FF611307CCF
Failed to get address for Tcl_CreateThread, xrefs: 00007FF611307A73
Tcl_FindExecutable, xrefs: 00007FF6113076C9
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF611307B00
Tcl_GetVar2, xrefs: 00007FF611307851
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF611307A1F
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF611307BC0
Tcl_EvalFile, xrefs: 00007FF611307931
Failed to get address for Tcl_SetVar2, xrefs: 00007FF611307B90
Failed to get address for Tcl_Free, xrefs: 00007FF611307C50
Failed to get address for Tk_Init, xrefs: 00007FF611307CB0
Tcl_ConditionWait, xrefs: 00007FF6113077FD
Failed to get address for Tcl_GetVar2, xrefs: 00007FF611307B30
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF611307CC8
Tcl_DoOneEvent, xrefs: 00007FF6113076E5
Tcl_FinalizeThread, xrefs: 00007FF61130771D
Failed to get address for Tcl_Alloc, xrefs: 00007FF611307C68
Tk_GetNumMainWindows, xrefs: 00007FF6113079D9
Tcl_GetCurrentThread, xrefs: 00007FF611307771
Tcl_MutexUnlock, xrefs: 00007FF6113077A9
Tcl_Init, xrefs: 00007FF611307694
Tcl_EvalObjv, xrefs: 00007FF611307969
Failed to get address for Tcl_EvalFile, xrefs: 00007FF611307C38
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF611307C08
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF611307A34
Tcl_SetVar2, xrefs: 00007FF61130786D
Tcl_Finalize, xrefs: 00007FF611307701
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF611307AE8
Tcl_ThreadAlert, xrefs: 00007FF611307835
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF611307BA8
Failed to get address for Tcl_Init, xrefs: 00007FF6113079FF
Tcl_ThreadQueueEvent, xrefs: 00007FF611307819
Tcl_GetObjResult, xrefs: 00007FF611307915
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF611307AD0
Tcl_DeleteInterp, xrefs: 00007FF611307739
Tcl_CreateThread, xrefs: 00007FF611307755
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF611307AB8
Failed to get address for Tcl_Finalize, xrefs: 00007FF611307A49
Tcl_ConditionNotify, xrefs: 00007FF6113077E1
Failed to get address for Tcl_EvalEx, xrefs: 00007FF611307C98
Tcl_CreateInterp, xrefs: 00007FF6113076AD
Failed to get address for Tcl_GetString, xrefs: 00007FF611307BD8
Tcl_NewByteArrayObj, xrefs: 00007FF6113078DD
Tcl_CreateObjCommand, xrefs: 00007FF611307889

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: bd663cd79cc008e1fc6f487746503f053cd2f66c41a095d1ba5e11cdaee36601
Instruction ID: 4ae7d2a216f3e0059a1e070bf8d7edda1573c9c8b6ae2da92e8bd57570d55d0d
Opcode Fuzzy Hash: bd663cd79cc008e1fc6f487746503f053cd2f66c41a095d1ba5e11cdaee36601
Instruction Fuzzy Hash: 85F17360A0DF0790FF16EB28A8550B423ADAF55FB0B945436D44EC62ADEF7CE64AC350

Function 655D2A10 Relevance: 75.7, APIs: 27, Strings: 16, Instructions: 436filestringCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 655D2A4E

Part of subcall function 655D2660: strlen.MSVCRT ref: 655D2683

fprintf.MSVCRT ref: 655D2A87

Part of subcall function 655D2880: strlen.MSVCRT ref: 655D289A

fputc.MSVCRT ref: 655D2AB9

Part of subcall function 655D1D00: GetProcessHeap.KERNEL32 ref: 655D1D23
Part of subcall function 655D1D00: HeapAlloc.KERNEL32 ref: 655D1D37
Part of subcall function 655D1D00: GetAdaptersAddresses.IPHLPAPI ref: 655D1D5C
Part of subcall function 655D1D00: GetProcessHeap.KERNEL32 ref: 655D1DCF
Part of subcall function 655D1D00: HeapFree.KERNEL32 ref: 655D1DD9

fprintf.MSVCRT ref: 655D2AE8

Part of subcall function 655D1B10: GetProcessHeap.KERNEL32 ref: 655D1B31
Part of subcall function 655D1B10: HeapAlloc.KERNEL32 ref: 655D1B46
Part of subcall function 655D1B10: memcpy.MSVCRT ref: 655D1BBC
Part of subcall function 655D1B10: GetProcessHeap.KERNEL32 ref: 655D1BDA
Part of subcall function 655D1B10: HeapFree.KERNEL32 ref: 655D1BE5

fputc.MSVCRT ref: 655D2B1B

Part of subcall function 655D1E90: GetProcessHeap.KERNEL32 ref: 655D1EB3
Part of subcall function 655D1E90: HeapAlloc.KERNEL32 ref: 655D1EC7
Part of subcall function 655D1E90: GetAdaptersAddresses.IPHLPAPI ref: 655D1EEF
Part of subcall function 655D1E90: inet_ntoa.WS2_32 ref: 655D1F27
Part of subcall function 655D1E90: GetProcessHeap.KERNEL32 ref: 655D1F42
Part of subcall function 655D1E90: HeapFree.KERNEL32 ref: 655D1F4C

fprintf.MSVCRT ref: 655D2B4A
fputc.MSVCRT ref: 655D2B5E

Part of subcall function 655D2290: GetProcessHeap.KERNEL32 ref: 655D22AB
Part of subcall function 655D2290: HeapAlloc.KERNEL32 ref: 655D22BF
Part of subcall function 655D2290: GetNetworkParams.IPHLPAPI ref: 655D22F7
Part of subcall function 655D2290: GetProcessHeap.KERNEL32 ref: 655D2319
Part of subcall function 655D2290: HeapFree.KERNEL32 ref: 655D2323

fprintf.MSVCRT ref: 655D2B8D
fwrite.MSVCRT ref: 655D2BAE
strchr.MSVCRT ref: 655D2BDB
fwrite.MSVCRT ref: 655D2C13
fprintf.MSVCRT ref: 655D2C3B
strchr.MSVCRT ref: 655D2C48
fprintf.MSVCRT ref: 655D2C69
fputc.MSVCRT ref: 655D2C82
fwrite.MSVCRT ref: 655D2CA3
malloc.MSVCRT ref: 655D2CAD
fwrite.MSVCRT ref: 655D3047
fwrite.MSVCRT ref: 655D3068
fwrite.MSVCRT ref: 655D3089
fwrite.MSVCRT ref: 655D30AA

Strings

Domain name: "%s", xrefs: 655D2B80
Change logsv6.2.0(r21): Remove trailing dot from harddisk serial numberv6.4.2(r34): Support binding multiple mac addressesv6.5.3(r37): Support binding named harddiskv6.7.5(r45): Support mmc/sd card in Linux, xrefs: 655D2B99
%02x, xrefs: 655D2FBD
Failed to get harddisk information., xrefs: 655D3032
%02x:, xrefs: 655D2F5E
Serial number of default harddisk: "%s", xrefs: 655D2A7A
Ip address: "%s", xrefs: 655D2B3D
Failed to get ip address., xrefs: 655D3074
Multiple Mac addresses: "<, xrefs: 655D2C8E
Serial number with disk name: , xrefs: 655D2BFE
"%s", xrefs: 655D2C1D, 655D2C5C
Failed to get domain name., xrefs: 655D3095
Hardware informations got by PyArmor:, xrefs: 655D2A36
>", xrefs: 655D3007
Default Mac address: "%s", xrefs: 655D2ADB
Failed to get mac address., xrefs: 655D3053

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Heap$Processfwrite$fprintf$AllocFreefputc$AdaptersAddressesstrchrstrlen$NetworkParamsinet_ntoamallocmemcpy
String ID: "%s"$Change logsv6.2.0(r21): Remove trailing dot from harddisk serial numberv6.4.2(r34): Support binding multiple mac addressesv6.5.3(r37): Support binding named harddiskv6.7.5(r45): Support mmc/sd card in Linux$%02x$%02x:$>"$Default Mac address: "%s"$Domain name: "%s"$Failed to get domain name.$Failed to get harddisk information.$Failed to get ip address.$Failed to get mac address.$Hardware informations got by PyArmor:$Ip address: "%s"$Multiple Mac addresses: "<$Serial number of default harddisk: "%s"$Serial number with disk name:
API String ID: 3427000353-3771683696
Opcode ID: 6dc0d441b75f141d5a923415609b4b8fcf4df4210b4c1e63c15a3248b4216819
Instruction ID: a51f26d9095897187b7b15f1ff5ae1ac68a716047c524c395baeceda126df1c3
Opcode Fuzzy Hash: 6dc0d441b75f141d5a923415609b4b8fcf4df4210b4c1e63c15a3248b4216819
Instruction Fuzzy Hash: 7502AE33309B9086DB90CB69E85835EB7A2F789794F408629DF9D4B798DF39C144C709

Function 655C33ED Relevance: 57.9, APIs: 25, Strings: 8, Instructions: 171COMMON

Download Yara Rule

APIs

PyImport_GetModuleDict.PYTHON311 ref: 655C33ED
PyDict_GetItemString.PYTHON311 ref: 655C3400
PyModule_GetDict.PYTHON311 ref: 655C340E
PyDict_GetItemString.PYTHON311 ref: 655C3427
PyObject_GetAttrString.PYTHON311 ref: 655C344D
PyList_GetItem.PYTHON311 ref: 655C3461
_PyObject_CallFunction_SizeT.PYTHON311 ref: 655C34A6
_PyObject_CallMethod_SizeT.PYTHON311 ref: 655C34D7
_PyObject_CallMethod_SizeT.PYTHON311 ref: 655C34E9
_Py_Dealloc.PYTHON311 ref: 655C34F5
PyErr_Clear.PYTHON311 ref: 655C3580
getenv.MSVCRT ref: 655C358D
PyUnicode_FromFormat.PYTHON311(?,?,?,?,?,?), ref: 655C35AA
_PyObject_CallFunction_SizeT.PYTHON311(?,?,?,?,?,?), ref: 655C35D7
_PyObject_CallMethod_SizeT.PYTHON311 ref: 655C3605
_PyObject_CallMethod_SizeT.PYTHON311 ref: 655C3617
_Py_Dealloc.PYTHON311 ref: 655C3623
PyList_GetItem.PYTHON311 ref: 655C3685
_Py_Dealloc.PYTHON311 ref: 655C3824

Strings

%s/%s, xrefs: 655C36C6
__path__, xrefs: 655C341D
PYARMOR_RKEY, xrefs: 655C3586
read, xrefs: 655C34C6, 655C35F4, 655C3713
_path, xrefs: 655C3443
%U/%s, xrefs: 655C369D
close, xrefs: 655C34DF, 655C360D, 655C372C
%U/../%s, xrefs: 655C3479

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Object_$CallSize$ItemMethod_$DeallocString$DictDict_Function_List_$AttrClearErr_FormatFromImport_ModuleModule_Unicode_getenv
String ID: %U/%s$%U/../%s$%s/%s$PYARMOR_RKEY$__path__$_path$close$read
API String ID: 2543034039-1237617226
Opcode ID: 6645aa77723c6f09655ebe9b7e33ff54acc4774b7ff7190aee5297d77cef4eb5
Instruction ID: 697e6c19b04f0f6984914a7061c8b994779c54f6ea107b0a85748601154476cd
Opcode Fuzzy Hash: 6645aa77723c6f09655ebe9b7e33ff54acc4774b7ff7190aee5297d77cef4eb5
Instruction Fuzzy Hash: 28619F61306E1499EE45DF6AEC1879523E2BB49FC6FC98479AC0E07320EF3AD059C352

Function 655C8260 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 205COMMON

Download Yara Rule

APIs

PyTuple_Size.PYTHON311 ref: 655C8281
PyTuple_New.PYTHON311 ref: 655C828D
_PyObject_LookupAttr.PYTHON311 ref: 655C830C
PyObject_GetAttr.PYTHON311 ref: 655C831E
PyModule_GetFilenameObject.PYTHON311 ref: 655C834A
PyUnicode_FromString.PYTHON311 ref: 655C835A
_PyErr_Clear.PYTHON311(?,?,00000000,?,00000000,?,?,?,?,?,655CFAFF), ref: 655C8394
PyErr_SetImportError.PYTHON311 ref: 655C83B9
_Py_Dealloc.PYTHON311 ref: 655C83D8

Strings

cannot import name %R from partially initialized module %R (most likely due to a circular import) (%S), xrefs: 655C850C
cannot import name %R from %R (unknown location), xrefs: 655C839F
%U.%U, xrefs: 655C8432
<unknown module name>, xrefs: 655C8353
cannot import name %R from %R (%S), xrefs: 655C84EA

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: AttrErr_Object_Tuple_$ClearDeallocErrorFilenameFromImportLookupModule_ObjectSizeStringUnicode_
String ID: %U.%U$<unknown module name>$cannot import name %R from %R (%S)$cannot import name %R from %R (unknown location)$cannot import name %R from partially initialized module %R (most likely due to a circular import) (%S)
API String ID: 597108667-3215622635
Opcode ID: 14f415cb069d77af9b1b46768b3645fdddab11c724015a8728e0a1272c8fe63b
Instruction ID: a92e745313617122463ee03642e6a733b014b74a08ebd202791e59ca37e63a32
Opcode Fuzzy Hash: 14f415cb069d77af9b1b46768b3645fdddab11c724015a8728e0a1272c8fe63b
Instruction Fuzzy Hash: 18818A32309E4485DA049F96EC5875A77A2B786FDAF885069EE4E07724EF39C155C303

Function 655C9A70 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 252COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 655C9A81
_PyLong_New.PYTHON311 ref: 655C9AD0
PyErr_Occurred.PYTHON311 ref: 655C9B3D
PyErr_Occurred.PYTHON311 ref: 655C9BAF
PyErr_Occurred.PYTHON311 ref: 655C9BFA
PyErr_SetString.PYTHON311 ref: 655C9C34
PyErr_Occurred.PYTHON311 ref: 655C9FD0
_PyLong_New.PYTHON311 ref: 655CA786
PyErr_SetString.PYTHON311 ref: 655CAF1F

Strings

bad marshal data (digit out of range in long), xrefs: 655C9C2A
bad marshal data (long size out of range), xrefs: 655CAF15
bad marshal data (unnormalized long data), xrefs: 655CAFF9

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$Occurred$Long_String
String ID: bad marshal data (digit out of range in long)$bad marshal data (long size out of range)$bad marshal data (unnormalized long data)
API String ID: 3688822742-2912230410
Opcode ID: 00873884a0396efe5a4cb7dae3380c39f0550bb95abd8fa2e13ab84476b2f55f
Instruction ID: 5e7367967e9a0aa027078ff513ff533cf77fa0496e20c34997cb83d65618f63e
Opcode Fuzzy Hash: 00873884a0396efe5a4cb7dae3380c39f0550bb95abd8fa2e13ab84476b2f55f
Instruction Fuzzy Hash: 60A1983630AB9087DB00CF55D89871A77B2FB84BC8F158959EE4A47714EB39E851C782

Function 655D11B0 Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 254COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 655D12FB
_Py_Dealloc.PYTHON311 ref: 655D1341
PyTuple_New.PYTHON311 ref: 655D1446
PyDict_GetItem.PYTHON311 ref: 655D152F
PyDict_DelItem.PYTHON311 ref: 655D1557
PyErr_SetString.PYTHON311 ref: 655D1584

Strings

missing kwonly required arguments, xrefs: 655D157A
too many positional arguments, xrefs: 655D15E4
Can't remove argname from kwargs, xrefs: 655D13D6
missing required positional arguments, xrefs: 655D12F1

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Dict_Err_ItemString$DeallocTuple_
String ID: Can't remove argname from kwargs$missing kwonly required arguments$missing required positional arguments$too many positional arguments
API String ID: 2174600326-1903473336
Opcode ID: 6f517f8eb85a8be06516c221eefb980b294ec5352012619a9e5be5e97d842ffb
Instruction ID: dc9457715c45782eb36ffebd4df1c14b797b06736fc1b8d65a1fefd77d28cd34
Opcode Fuzzy Hash: 6f517f8eb85a8be06516c221eefb980b294ec5352012619a9e5be5e97d842ffb
Instruction Fuzzy Hash: 70B18B73609F8081DB25CF1AE84875AB3A6F785BE9F448211DE6E47B68CF3AC095C305

Function 655CF5D0 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 236COMMON

Download Yara Rule

APIs

PyObject_GetIter.PYTHON311 ref: 655CF5FA
PyIter_Next.PYTHON311 ref: 655CF646
_Py_Dealloc.PYTHON311 ref: 655CF686
PySequence_List.PYTHON311 ref: 655CF6CD
PySequence_Check.PYTHON311 ref: 655CF82F
_PyErr_Format.PYTHON311 ref: 655CF854

Strings

not enough values to unpack (expected %d, got %d), xrefs: 655CF921
too many values to unpack (expected %d), xrefs: 655CF880
not enough values to unpack (expected at least %d, got %zd), xrefs: 655CF8D3
cannot unpack non-iterable %.200s object, xrefs: 655CF846
not enough values to unpack (expected at least %d, got %d), xrefs: 655CF8B8

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Sequence_$CheckDeallocErr_FormatIterIter_ListNextObject_
String ID: cannot unpack non-iterable %.200s object$not enough values to unpack (expected %d, got %d)$not enough values to unpack (expected at least %d, got %d)$not enough values to unpack (expected at least %d, got %zd)$too many values to unpack (expected %d)
API String ID: 3840349905-1344257351
Opcode ID: 0c8801bf2ea2789352598e9cc15a09dabf71c224803ac48eb0cc23b97187fb66
Instruction ID: 1965729d9535853e115b8447a572c3250fabf3e4e072b69e02d35623f55f6cf5
Opcode Fuzzy Hash: 0c8801bf2ea2789352598e9cc15a09dabf71c224803ac48eb0cc23b97187fb66
Instruction Fuzzy Hash: 1081FE72705E4586DF04CFA9E8087A973A2FB44FC9F85866ACE6A17324DF39C594C342

Function 00007FF611301D40 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 139COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF611301DCB
fread.MSVCRT ref: 00007FF611301E31
free.MSVCRT ref: 00007FF611301E59
fclose.MSVCRT ref: 00007FF611301E96
fclose.MSVCRT ref: 00007FF611301E9E

Part of subcall function 00007FF611304650: _wfopen.MSVCRT ref: 00007FF611304695

Strings

Failed to extract %s: failed to open target file!, xrefs: 00007FF611301F59
fseek, xrefs: 00007FF611301F2A
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF611301F23
malloc, xrefs: 00007FF611301F78
pyi_arch_extract2fs was called before temporary directory was initialized!, xrefs: 00007FF611301F40
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF611301F71
fread, xrefs: 00007FF611301E45
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF611301F03
Failed to create symbolic link %s!, xrefs: 00007FF611301EBC
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF611301E3E
fopen, xrefs: 00007FF611301F60
Failed to extract %s: failed to open archive file!, xrefs: 00007FF611301ED3
fwrite, xrefs: 00007FF611301F0A

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fclose$_wfopenfreadfreemalloc
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
API String ID: 414440483-3833288071
Opcode ID: 59301d2b38f1c2ff1f5a3ec36f6c4db0f3c8ec6cb92ecfabbd317690c13ec07b
Instruction ID: 4b9eb521ea7793155c10e2113c74a54d2ecae7714d3d2acfba578de245b604be
Opcode Fuzzy Hash: 59301d2b38f1c2ff1f5a3ec36f6c4db0f3c8ec6cb92ecfabbd317690c13ec07b
Instruction Fuzzy Hash: 69518021E0DD5741FB15972598506FA12A9AF14FF8F88023AED0DCB2DEEE6CE949C340

Function 655CDEB0 Relevance: 32.0, APIs: 17, Strings: 1, Instructions: 480fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 655CE135
PyErr_SetString.PYTHON311 ref: 655CE3C8
fwrite.MSVCRT ref: 655CE5F0

Strings

too many objects, xrefs: 655CE3BE

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: fwrite$Err_String
String ID: too many objects
API String ID: 4210527972-4209268247
Opcode ID: f17f68b2bce66fe46961a9f06636144348ff5c4c0489542c21228fd78f81dc02
Instruction ID: c6891efe90be7ef30e2be68026dd1bcdfb90c83e62b8764b3efcd08c9b5b7544
Opcode Fuzzy Hash: f17f68b2bce66fe46961a9f06636144348ff5c4c0489542c21228fd78f81dc02
Instruction Fuzzy Hash: FA12BDB2204B8482DB11CFA9D44978973B1F719FE8F50425ADE2D5B788DB39D5A2C3C2

Function 655C9D13 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 655C9D24
_Py_CheckFunctionResult.PYTHON311 ref: 655CA6F6

Strings

bad marshal data (set size out of range), xrefs: 655CACAE
NULL object in marshal data for set, xrefs: 655CB121
bad marshal data (index list too large), xrefs: 655CB2C3

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: CheckErr_FunctionOccurredResult
String ID: NULL object in marshal data for set$bad marshal data (index list too large)$bad marshal data (set size out of range)
API String ID: 3781139737-600355161
Opcode ID: 083acb2e0987009778e16f363f5f9939724758c1e64ffa0f5970b46e1c5f64e2
Instruction ID: fd1f302a08f971f9113e9429ed308cfe13ce8dbfd361dfb4a64580a1be51c299
Opcode Fuzzy Hash: 083acb2e0987009778e16f363f5f9939724758c1e64ffa0f5970b46e1c5f64e2
Instruction Fuzzy Hash: 4E717E31309F8081DB60CF96E89871A37B2F786BA5F419559DD6E07B64DF39C484C382

Function 655C8810 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

PyFloat_Unpack8.PYTHON311 ref: 655C8841
PyBuffer_FillInfo.PYTHON311 ref: 655C8896
PyMemoryView_FromBuffer.PYTHON311 ref: 655C88A4
_PyObject_CallMethod.PYTHON311 ref: 655C88CB
PyNumber_AsSsize_t.PYTHON311 ref: 655C88EA
PyErr_SetString.PYTHON311 ref: 655C8A21

Strings

EOF read where not expected, xrefs: 655C8982
marshal data too short, xrefs: 655C8A17
read() returned too much data: %zd bytes requested, %zd returned, xrefs: 655C89F5

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: BufferBuffer_CallErr_FillFloat_FromInfoMemoryMethodNumber_Object_Ssize_tStringUnpack8View_
String ID: EOF read where not expected$marshal data too short$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 2634123556-4172231876
Opcode ID: db42527f7ae0679790ee4cec7e3a278c086182decf5ad1a647ddf837da48021d
Instruction ID: f96c0173ae610800642a3a7134558390bd6a0d22c06bcc997b7a54749f37e3dc
Opcode Fuzzy Hash: db42527f7ae0679790ee4cec7e3a278c086182decf5ad1a647ddf837da48021d
Instruction Fuzzy Hash: EB518E21305E0485EB44CFA9EC587192362FB45FEAF804629D96E47BA4DF39C596C343

Function 655C8A50 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

PyBuffer_FillInfo.PYTHON311 ref: 655C8AD6
PyMemoryView_FromBuffer.PYTHON311 ref: 655C8AE4
_PyObject_CallMethod.PYTHON311 ref: 655C8B0B
PyNumber_AsSsize_t.PYTHON311 ref: 655C8B2A
PyErr_SetString.PYTHON311 ref: 655C8C51

Strings

EOF read where not expected, xrefs: 655C8BB2
marshal data too short, xrefs: 655C8C47
read() returned too much data: %zd bytes requested, %zd returned, xrefs: 655C8C25

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: BufferBuffer_CallErr_FillFromInfoMemoryMethodNumber_Object_Ssize_tStringView_
String ID: EOF read where not expected$marshal data too short$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 3081723458-4172231876
Opcode ID: 3b14d9ae4856d76fa188d4f64d7074492a9e3ea4905703606545de34714b4faf
Instruction ID: c68b7472b8a7aa176c8d327b35ab7b3483fc079cc2df7d248594090e97eb0805
Opcode Fuzzy Hash: 3b14d9ae4856d76fa188d4f64d7074492a9e3ea4905703606545de34714b4faf
Instruction Fuzzy Hash: 0A4117B1305E0482EB44CBA9EC487182362B749FBAF944769DA2D477E4DF39C49AC343

Function 655C8DB0 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

PyBuffer_FillInfo.PYTHON311 ref: 655C8E32
PyMemoryView_FromBuffer.PYTHON311 ref: 655C8E40
_PyObject_CallMethod.PYTHON311 ref: 655C8E6E
PyNumber_AsSsize_t.PYTHON311 ref: 655C8E89
PyErr_Occurred.PYTHON311 ref: 655C8EA2
PyErr_Format.PYTHON311 ref: 655C8ED1
PyErr_SetString.PYTHON311 ref: 655C8F83

Strings

EOF read where not expected, xrefs: 655C8F57
marshal data too short, xrefs: 655C8F77
read() returned too much data: %zd bytes requested, %zd returned, xrefs: 655C8EC7

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$BufferBuffer_CallFillFormatFromInfoMemoryMethodNumber_Object_OccurredSsize_tStringView_
String ID: EOF read where not expected$marshal data too short$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 315596505-4172231876
Opcode ID: 842c6c9091f9576b1bedeaedd11cbda09d8be00bb8eeb649c7e34976154dc40d
Instruction ID: dccf4f5474baaf280ab131b0962473901efa5bef16e52ae259e93ca8294b720b
Opcode Fuzzy Hash: 842c6c9091f9576b1bedeaedd11cbda09d8be00bb8eeb649c7e34976154dc40d
Instruction Fuzzy Hash: 2E415D62305E0086EB14CF96EC487596362B789BE6F884769AE2E477A0DF39C495C343

Function 655C329E Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 94COMMON

Download Yara Rule

APIs

_PyObject_CallFunction_SizeT.PYTHON311 ref: 655C32E8
PyErr_Clear.PYTHON311 ref: 655C3304
PyErr_Format.PYTHON311 ref: 655C3364
_PyObject_CallMethod_SizeT.PYTHON311(?,?,?,?,?,?), ref: 655C33A3
_PyObject_CallMethod_SizeT.PYTHON311(?,?,?,?,?,?), ref: 655C33B5
PySys_GetObject.PYTHON311 ref: 655C3517
_Py_Dealloc.PYTHON311 ref: 655C3573
getenv.MSVCRT ref: 655C3647

Strings

%s/%s, xrefs: 655C3652
%U.%s, xrefs: 655C3523
PYARMOR_RKEY, xrefs: 655C3640
read, xrefs: 655C3392
%U/%s, xrefs: 655C32BF
executable, xrefs: 655C3510
close, xrefs: 655C33AB
%s (%d:%d), xrefs: 655C335D

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: CallObject_Size$Err_Method_$ClearDeallocFormatFunction_ObjectSys_getenv
String ID: %U.%s$%U/%s$%s (%d:%d)$%s/%s$PYARMOR_RKEY$close$executable$read
API String ID: 2643494441-891831584
Opcode ID: f0f956268247beaabe68f20a8f30ce52ae6e078e8a8891cae0e38a189c7d75e1
Instruction ID: 3dcc05f7f76916350042ce9c8ad08d6812a88138331b6851469e8c90dc7f1f79
Opcode Fuzzy Hash: f0f956268247beaabe68f20a8f30ce52ae6e078e8a8891cae0e38a189c7d75e1
Instruction Fuzzy Hash: EE31C131305E5891EB41CB9AEC943992392BB85FC2FC5847ADD0E07764EF2EC156C382

Function 655D03C0 Relevance: 27.2, APIs: 18, Instructions: 153COMMON

Download Yara Rule

APIs

PyObject_Call.PYTHON311 ref: 655D0472
PyErr_CheckSignals.PYTHON311 ref: 655D04A7
_Py_Dealloc.PYTHON311 ref: 655D04C5
_Py_Dealloc.PYTHON311 ref: 655D04D3
_Py_Dealloc.PYTHON311 ref: 655D04E3

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Dealloc$CallCheckErr_Object_Signals
String ID:
API String ID: 356930793-0
Opcode ID: fc0823230c3e19722e20bd8327469f16b7415beda282e57610dc4591245f7e78
Instruction ID: e325df248cf01070d296216dc78f817de7b1301a077c8c1d683cf5a0efc86036
Opcode Fuzzy Hash: fc0823230c3e19722e20bd8327469f16b7415beda282e57610dc4591245f7e78
Instruction Fuzzy Hash: 65516133349A04D6DA09DF2AED0CB7DB261BB45F99F484626DE1607A20FF39C095C345

Function 655D1D00 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 655D1D23
HeapAlloc.KERNEL32 ref: 655D1D37
GetAdaptersAddresses.IPHLPAPI ref: 655D1D5C
GetProcessHeap.KERNEL32 ref: 655D1DCF
HeapFree.KERNEL32 ref: 655D1DD9
GetProcessHeap.KERNEL32 ref: 655D1DF0
HeapFree.KERNEL32 ref: 655D1DFA
GetProcessHeap.KERNEL32 ref: 655D1E01
HeapAlloc.KERNEL32 ref: 655D1E0B
GetAdaptersAddresses.IPHLPAPI ref: 655D1E27

Strings

../src/platforms/windows/hdinfo.c, xrefs: 655D1E57
Too small size, xrefs: 655D1E50
%02x:%02x:%02x:%02x:%02x:%02x, xrefs: 655D1D99

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Heap$Process$AdaptersAddressesAllocFree
String ID: %02x:%02x:%02x:%02x:%02x:%02x$../src/platforms/windows/hdinfo.c$Too small size
API String ID: 1283795797-3992030336
Opcode ID: f60650675d38592f8edea1884d4fc273f2fdb2e9bfff8e7f9205ef8c4b45c98a
Instruction ID: d5d1d314648b3643743c835b9236b0db553355fe67fb7807f2019e476d87b169
Opcode Fuzzy Hash: f60650675d38592f8edea1884d4fc273f2fdb2e9bfff8e7f9205ef8c4b45c98a
Instruction Fuzzy Hash: 9631C963304A908AD720DBBEAC1476EAB92E789BD4F444236BD5983794DF3CC541C744

Function 00007FF611309210 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF611309247
OpenProcessToken.ADVAPI32 ref: 00007FF611309258
free.MSVCRT ref: 00007FF611309270
CloseHandle.KERNEL32 ref: 00007FF611309280
_snwprintf.MSVCRT ref: 00007FF6113092A8
LocalFree.KERNEL32 ref: 00007FF6113092B1
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF6113092D7
CreateDirectoryW.KERNEL32 ref: 00007FF6113092EB
GetTokenInformation.ADVAPI32(00000000,?,00000005,?,?,00000000,00007FF6113080E8,?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF611309331
GetLastError.KERNEL32 ref: 00007FF611309337
calloc.MSVCRT ref: 00007FF611309352
GetTokenInformation.ADVAPI32(?,00000000,00007FF6113080E8,?,?,_MEIPASS2,00000000,?,00007FF6113024CC), ref: 00007FF611309378
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF61130938D

Strings

D:(A;;FA;;;%s), xrefs: 00007FF61130929A
S-1-3-4, xrefs: 00007FF61130928B

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen_snwprintfcallocfree
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 1339360106-2855260032
Opcode ID: 840785790ae47b5b900202a130df978d56d1b00df71af0a86b378aa74ba62265
Instruction ID: 370e3472d99b040be8d805f18e9f9b5db98e5ff1070d36b127e2876611467d72
Opcode Fuzzy Hash: 840785790ae47b5b900202a130df978d56d1b00df71af0a86b378aa74ba62265
Instruction Fuzzy Hash: C5318121708A4682E710AB61F8047AA63A9FB85FB4F140235EE6DC7AD8EF7CE445C740

Function 655C1DF0 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 655C1E39
strncmp.MSVCRT ref: 655C1E5F
strncmp.MSVCRT ref: 655C1E7F
strncmp.MSVCRT ref: 655C1E9C
strncmp.MSVCRT ref: 655C1EB9
strncmp.MSVCRT ref: 655C1ED6
PyErr_Format.PYTHON311 ref: 655C1F3D
strlen.MSVCRT ref: 655C1FAB
memcpy.MSVCRT ref: 655C1FBF
free.MSVCRT ref: 655C1FC7
strncmp.MSVCRT ref: 655C1FD5
PyErr_Format.PYTHON311 ref: 655C2057
strncmp.MSVCRT ref: 655C2105
strncmp.MSVCRT ref: 655C2143
strncmp.MSVCRT ref: 655C235C
strncmp.MSVCRT ref: 655C241C
strncmp.MSVCRT ref: 655C24DC
_errno.MSVCRT ref: 655C27A5
_errno.MSVCRT ref: 655C27B7

Strings

*DOMAIN:, xrefs: 655C1EC6
*IFIPV4:, xrefs: 655C1E8C
*HARDDISK:, xrefs: 655C1E4F
5(, xrefs: 655C1F28
*IFMAC:, xrefs: 655C1E6F
*IFIPV6:, xrefs: 655C1EA9
%s (%d:%d), xrefs: 655C1F36
*MID:, xrefs: 655C1E2C

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: strncmp$Err_Format_errno$freememcpystrlen
String ID: %s (%d:%d)$*DOMAIN:$*HARDDISK:$*IFIPV4:$*IFIPV6:$*IFMAC:$*MID:$5(
API String ID: 3958490578-1731549688
Opcode ID: bb3b97dd008b8ccd6e0d8b48d20d37051c0cf2b516f504ec13c3e7f792156655
Instruction ID: 9775fd4fdb6363f6bb6c3498f46d82044ba8d2ad86810e86f2bffb4805e6acec
Opcode Fuzzy Hash: bb3b97dd008b8ccd6e0d8b48d20d37051c0cf2b516f504ec13c3e7f792156655
Instruction Fuzzy Hash: 01210261310A1454FB90CB62EC887571A91BB4ABDAFC09069DC5E4F7D0DF3EC256C311

Function 00007FF61130F060 Relevance: 25.7, APIs: 17, Instructions: 211COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF61130F079
_strdup.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F090
setlocale.MSVCRT ref: 00007FF61130F0A8
mbstowcs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F0DF
mbstowcs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F13F
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F246
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F27F
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F2AE
realloc.MSVCRT ref: 00007FF61130F2C9
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F2F5
setlocale.MSVCRT ref: 00007FF61130F306
free.MSVCRT ref: 00007FF61130F312
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F33B
realloc.MSVCRT ref: 00007FF61130F356
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF611304370), ref: 00007FF61130F37A
setlocale.MSVCRT ref: 00007FF61130F38B
free.MSVCRT ref: 00007FF61130F397

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: wcstombs$setlocale$freembstowcsrealloc$_strdup
String ID:
API String ID: 1093732947-0
Opcode ID: 4057a5c6bd61162031fd582af2eb34abd572d533eb0d544b39b7c2850e9da645
Instruction ID: 358843187ec5ca5b56c6696eb846954c362f31337e0b70162652fa30255411a7
Opcode Fuzzy Hash: 4057a5c6bd61162031fd582af2eb34abd572d533eb0d544b39b7c2850e9da645
Instruction Fuzzy Hash: 43A12666B05F1989EB509BA6D8402BC33F8BB49FA8F404539DE5CA7B99EF3CD4018351

Function 00007FF611303340 Relevance: 25.7, APIs: 2, Strings: 15, Instructions: 196stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6113032D0: strcpy.MSVCRT(00000000,?,_MEIPASS2,00000000,00007FF611303721), ref: 00007FF611303313

Part of subcall function 00007FF611302240: strlen.MSVCRT ref: 00007FF611302257

strcmp.MSVCRT ref: 00007FF61130348A

Strings

Failed to copy file %s from %s!, xrefs: 00007FF611303515
%s%c%s%c%s, xrefs: 00007FF611303549
%s%c%s.exe, xrefs: 00007FF611303444
%s%c%s.pkg, xrefs: 00007FF611303420
Failed to extract %s from referenced dependency archive %s., xrefs: 00007FF611303696
%s%c%s%c%s%c%s, xrefs: 00007FF6113033E4
Archive path exceeds PATH_MAX, xrefs: 00007FF611303660
\, xrefs: 00007FF611303541
%s%c%s, xrefs: 00007FF611303631
\, xrefs: 00007FF6113033DC
Failed to open archive %s!, xrefs: 00007FF6113036A7
Failed to open referenced dependency archive %s., xrefs: 00007FF611303677
pyi-contents-directory, xrefs: 00007FF6113033B3
Referenced dependency archive %s not found., xrefs: 00007FF611303648
_MEIPASS2, xrefs: 00007FF611303347

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: strcmpstrcpystrlen
String ID: %s%c%s$%s%c%s%c%s$%s%c%s%c%s%c%s$%s%c%s.exe$%s%c%s.pkg$Archive path exceeds PATH_MAX$Failed to copy file %s from %s!$Failed to extract %s from referenced dependency archive %s.$Failed to open archive %s!$Failed to open referenced dependency archive %s.$Referenced dependency archive %s not found.$\$\$_MEIPASS2$pyi-contents-directory
API String ID: 895318938-459211576
Opcode ID: 263e37906a043b2d9e3251dbff4d8a345899adbdbf777523cd6fbb6d2135a085
Instruction ID: 73cb16085dd900b7f67e777171b74fab2e3f0943e2e617497ff1a57581833976
Opcode Fuzzy Hash: 263e37906a043b2d9e3251dbff4d8a345899adbdbf777523cd6fbb6d2135a085
Instruction Fuzzy Hash: 0C814A25A0CE4689EB249B21E8446BB63ADAF44FF4F444132EA4DD77DEDE2CE506C740

Function 00007FFD930B4E3F Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 205registryfileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFD931BDC24
GetFileType.KERNEL32 ref: 00007FFD931BDC35
__stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD931BDC71
WriteFile.KERNEL32 ref: 00007FFD931BDC99
MultiByteToWideChar.KERNEL32 ref: 00007FFD931BDD06
__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFD931BDE95
RegisterEventSourceW.ADVAPI32 ref: 00007FFD931BDEB4
ReportEventW.ADVAPI32 ref: 00007FFD931BDEF6
DeregisterEventSource.ADVAPI32 ref: 00007FFD931BDEFF

Strings

no stack?, xrefs: 00007FFD931BDCEC
OpenSSL, xrefs: 00007FFD931BDEAD
OpenSSL: FATAL, xrefs: 00007FFD931BDF0D
, xrefs: 00007FFD931BDD20

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite__stdio_common_vsprintf__stdio_common_vswprintf
String ID: $OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 2603057392-2963566556
Opcode ID: 4334f370b7a482bd35c4ecd3ae7f0d910e81077902a64c89114c2b2096981407
Instruction ID: 834acf4c39b8b048bd2835df1cc5d1210b293a64329c37d74100576845ce8842
Opcode Fuzzy Hash: 4334f370b7a482bd35c4ecd3ae7f0d910e81077902a64c89114c2b2096981407
Instruction Fuzzy Hash: C991E533B18B82C6EB349FA5D8601A83378FB45B94F844235EA5D67A99EF3CD255C300

Function 655CFF30 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

PyList_New.PYTHON311 ref: 655CFF69
PyTuple_New.PYTHON311 ref: 655CFFD3
PyList_New.PYTHON311 ref: 655D0032
_PyList_Extend.PYTHON311 ref: 655D0080
_Py_Dealloc.PYTHON311 ref: 655D0094
PyDict_New.PYTHON311 ref: 655D00A0
PyDict_Update.PYTHON311 ref: 655D011F
_Py_Dealloc.PYTHON311 ref: 655D0135

Strings

Invalid type for op_build, xrefs: 655D018C

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: List_$DeallocDict_$ExtendTuple_Update
String ID: Invalid type for op_build
API String ID: 3794787204-1006902009
Opcode ID: 5a5f4b846ff8d1fd1bb98f9d71d4c3c30ec096eb1b25e09bac97bcd3c9b8234d
Instruction ID: fb41076660bbb84e3a7f3ff86af748c7eb8638140fa994464c30b42e6a9016db
Opcode Fuzzy Hash: 5a5f4b846ff8d1fd1bb98f9d71d4c3c30ec096eb1b25e09bac97bcd3c9b8234d
Instruction Fuzzy Hash: C2510473709A4591EF09CBA9ED1831DA362FB86FC5F84855ACD1A43724FE7AC042C342

Function 655D0ED0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 655D0F17
PyUnicode_New.PYTHON311 ref: 655D0F34
PyObject_Format.PYTHON311 ref: 655D105E
_Py_Dealloc.PYTHON311 ref: 655D1083
_Py_Dealloc.PYTHON311 ref: 655D1118

Strings

Too many format strings, xrefs: 655D0F0D

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Dealloc$Err_FormatObject_StringUnicode_
String ID: Too many format strings
API String ID: 3094464462-2091874682
Opcode ID: 8ecc362eeeae3031d3853dfdb037f5cf9596a269805bca0aadc7f07d8bf57519
Instruction ID: cffc5d4519a9c6bbaeab9374ceb2cfbe3f3c88da2151f6f58aeb9a42cad418ba
Opcode Fuzzy Hash: 8ecc362eeeae3031d3853dfdb037f5cf9596a269805bca0aadc7f07d8bf57519
Instruction Fuzzy Hash: C351C133B09A8682DF049B6AE948729F372B744BC9F544621D91A07B28EF3AC155C349

Function 655D1850 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

PyFunction_NewWithQualName.PYTHON311 ref: 655D18BD
PyTuple_GetItem.PYTHON311 ref: 655D18E9
PyType_IsSubtype.PYTHON311 ref: 655D1910
PyCMethod_New.PYTHON311 ref: 655D1965
PyTuple_SetItem.PYTHON311 ref: 655D197F
_Py_Dealloc.PYTHON311 ref: 655D1993
_Py_Dealloc.PYTHON311 ref: 655D19AA
_Py_Dealloc.PYTHON311 ref: 655D19F7
PyCMethod_New.PYTHON311 ref: 655D1A3C
Py_BuildValue.PYTHON311 ref: 655D1A58

Strings

(O), xrefs: 655D1A51

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Dealloc$ItemMethod_Tuple_$BuildFunction_NameQualSubtypeType_ValueWith
String ID: (O)
API String ID: 593819998-4232840684
Opcode ID: 4ae0ab5d2995b3382f710b58743867f3de19a9a02ca8dd030bdda331dff44141
Instruction ID: fb9936db6f1f9c4326b8201d288c1579a589247edaa78d33f6bd71456b2b2e72
Opcode Fuzzy Hash: 4ae0ab5d2995b3382f710b58743867f3de19a9a02ca8dd030bdda331dff44141
Instruction Fuzzy Hash: 33518F3330AE5086EB15CF6AEE48769B3A2FB85BD5F498214DE5A07B14EF39C094C345

Function 655C8630 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

PyBuffer_FillInfo.PYTHON311 ref: 655C8683
PyMemoryView_FromBuffer.PYTHON311 ref: 655C8695
_PyObject_CallMethod.PYTHON311 ref: 655C86C7
PyNumber_AsSsize_t.PYTHON311 ref: 655C86E2
PyErr_Occurred.PYTHON311 ref: 655C8710
PyErr_Format.PYTHON311 ref: 655C873B
PyMem_Realloc.PYTHON311 ref: 655C8773
_Py_Dealloc.PYTHON311 ref: 655C87B8
PyMem_Malloc.PYTHON311 ref: 655C87E3
PyErr_NoMemory.PYTHON311 ref: 655C87F5

Strings

EOF read where not expected, xrefs: 655C8797
read() returned too much data: %zd bytes requested, %zd returned, xrefs: 655C872B

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$Mem_Memory$BufferBuffer_CallDeallocFillFormatFromInfoMallocMethodNumber_Object_OccurredReallocSsize_tView_
String ID: EOF read where not expected$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 4179280635-3742967138
Opcode ID: 194f87807741f0c34e6dbb7314b1afdd82c691fc7cd9bf7285fd63d2adb92d28
Instruction ID: d3ae365c7c3282ad903955cfcd6d26b2f1e66998228509a80dc8009a3851d460
Opcode Fuzzy Hash: 194f87807741f0c34e6dbb7314b1afdd82c691fc7cd9bf7285fd63d2adb92d28
Instruction Fuzzy Hash: 84417122305E0485EB018BA6ED0835923A2B744FEAF844629DD2D57B94EE7EC59AC303

Function 00007FF611308820 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 99processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

SetConsoleCtrlHandler.KERNEL32 ref: 00007FF61130886A
GetStartupInfoW.KERNEL32 ref: 00007FF61130888C
_get_osfhandle.MSVCRT ref: 00007FF6113088DF
_fileno.MSVCRT ref: 00007FF6113088FC
_get_osfhandle.MSVCRT ref: 00007FF611308903
_fileno.MSVCRT ref: 00007FF611308920
_get_osfhandle.MSVCRT ref: 00007FF611308927
GetCommandLineW.KERNEL32 ref: 00007FF611308939
CreateProcessW.KERNEL32 ref: 00007FF611308981
WaitForSingleObject.KERNEL32 ref: 00007FF611308998
GetExitCodeProcess.KERNEL32 ref: 00007FF6113089AB

Strings

Error creating child process!, xrefs: 00007FF6113089C8
CreateProcessW, xrefs: 00007FF6113089CF

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: _get_osfhandle$Process_fileno$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2399235724-3524285272
Opcode ID: 2bb69f242d9541d69d1b049c92316138750a043074f1ee99989ea41868e2982c
Instruction ID: c0089ae21c8403b2a97eafd0122c2a33b277d6032b14fe060f121b25def22bf8
Opcode Fuzzy Hash: 2bb69f242d9541d69d1b049c92316138750a043074f1ee99989ea41868e2982c
Instruction Fuzzy Hash: 3D414432A08B8145EB609B64F8557AA73A4EB857B4F404335EAAD877D8EF7CD084C740

Function 655DF8C0 Relevance: 22.8, APIs: 9, Strings: 6, Instructions: 254COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 655DF99C
free.MSVCRT ref: 655DF9F4
malloc.MSVCRT ref: 655DFA2C
free.MSVCRT ref: 655DFA81
free.MSVCRT ref: 655DFA8B
memcmp.MSVCRT ref: 655DFB7D
memcmp.MSVCRT ref: 655DFD42
memcmp.MSVCRT ref: 655DFD6B
free.MSVCRT ref: 655DFD80

Strings

key != NULL, xrefs: 655DFB17
stat != NULL, xrefs: 655DFB30
sig != NULL, xrefs: 655DFB49
`ee, xrefs: 655DFAE9, 655DFD0F
src/pk/rsa/rsa_verify_hash.c, xrefs: 655DFB10, 655DFB29, 655DFB42, 655DFB5B
hash != NULL, xrefs: 655DFB62

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: free$memcmp$malloc
String ID: `ee$hash != NULL$key != NULL$sig != NULL$src/pk/rsa/rsa_verify_hash.c$stat != NULL
API String ID: 2896619906-678541687
Opcode ID: 57015f10cfcf0e2d0b6b407767d9478432e745d572775ad3dbcb72667ea8a106
Instruction ID: f1036e4ee06a4e641b9f6741a27c89d3f922c6456eae0a77e18938b2a578b4bf
Opcode Fuzzy Hash: 57015f10cfcf0e2d0b6b407767d9478432e745d572775ad3dbcb72667ea8a106
Instruction Fuzzy Hash: ACB1B1733086819AE760CF49E84879AF7A1F784BC8F404625DE894BB58EB7DC945CF44

Function 00007FF6113049F0 Relevance: 22.7, APIs: 7, Strings: 8, Instructions: 203stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF611304A0D
strncmp.MSVCRT ref: 00007FF611304A91
strcmp.MSVCRT ref: 00007FF611304AAB

Strings

optimize, xrefs: 00007FF611304AF8
verbose, xrefs: 00007FF611304A42
dev, xrefs: 00007FF611304B83
unbuffered, xrefs: 00007FF611304A51
pyi-, xrefs: 00007FF611304A3B
_MEIPASS2, xrefs: 00007FF6113049F4
hash_seed, xrefs: 00007FF611304CC0
utf8, xrefs: 00007FF611304B7C

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: callocstrcmpstrncmp
String ID: _MEIPASS2$dev$hash_seed$optimize$pyi-$unbuffered$utf8$verbose
API String ID: 3864021093-2470803696
Opcode ID: 451d73b7ff344c03704b212d97ce530da948a4f6c025c6dc93e866c2767be9a3
Instruction ID: 43dd1adee11f9c95113bd6cf3815a60c00f1d351f4db543391c28fa7c551f445
Opcode Fuzzy Hash: 451d73b7ff344c03704b212d97ce530da948a4f6c025c6dc93e866c2767be9a3
Instruction Fuzzy Hash: 0C819562E0CE4256FF65DB22A40437A6AE9AF45F78F448035CA4DC66CDDF7CE6858304

Function 655DDE20 Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 319COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 655DE060
calloc.MSVCRT ref: 655DE077
free.MSVCRT ref: 655DE0B8
free.MSVCRT ref: 655DE0C0

Strings

A != NULL, xrefs: 655DE577
kB != NULL, xrefs: 655DE513
C != NULL, xrefs: 655DE545
P != NULL, xrefs: 655DDFD1
kA != NULL, xrefs: 655DE52C
B != NULL, xrefs: 655DE55E
modulus != NULL, xrefs: 655DE4FA
src/pk/ecc/ltc_ecc_mul2add.c, xrefs: 655DE4F3, 655DE50C, 655DE525, 655DE53E, 655DE557, 655DE570
src/pk/ecc/ltc_ecc_map.c, xrefs: 655DDFCA

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: callocfree
String ID: A != NULL$B != NULL$C != NULL$P != NULL$kA != NULL$kB != NULL$modulus != NULL$src/pk/ecc/ltc_ecc_map.c$src/pk/ecc/ltc_ecc_mul2add.c
API String ID: 306872129-190324370
Opcode ID: e375381a120fc8b5a5e114f26221754611825eca5b83d7d3e827debef17e50af
Instruction ID: 7baffb5c80e8a2247a922129541a099a2ee65f5305fd1ca1082a725728552f0e
Opcode Fuzzy Hash: e375381a120fc8b5a5e114f26221754611825eca5b83d7d3e827debef17e50af
Instruction Fuzzy Hash: CAC18B33708AD186D760CF5AE848B9AF765F789BD9F454122EE8A97708EF78C844C740

Function 6563FCE0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 283memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,655C1278), ref: 6563FE0D

Strings

Unknown pseudo relocation bit size %d., xrefs: 6563FF7A
4ee, xrefs: 6563FD39
Unknown pseudo relocation protocol version %d., xrefs: 6563FF8E
4ee, xrefs: 6563FD40

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$4ee$4ee
API String ID: 544645111-328321681
Opcode ID: 97a76bfdf81d043948e849395f02b61ebaff46b729ca689dc235c5fe8d44b0c9
Instruction ID: da8817154234a2b2dde872e0848d9477af4e8362c05236e16726acfd7fed9f27
Opcode Fuzzy Hash: 97a76bfdf81d043948e849395f02b61ebaff46b729ca689dc235c5fe8d44b0c9
Instruction Fuzzy Hash: 48914631B0466086EB14CF75D941B5EA362B7A57B8F90D525CE1D8BFA8EB3EC486C301

Function 00007FFD930B1C1C Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 267stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93161873
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9316199C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD931619AF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93161B4C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93161B5F

Part of subcall function 00007FFD93163670: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93163733
Part of subcall function 00007FFD93163670: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD9316374B
Part of subcall function 00007FFD93163670: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93163768

Strings

..\s\crypto\asn1\asn_mime.c, xrefs: 00007FFD931617EB, 00007FFD9316192D, 00007FFD931619C5, 00007FFD93161A41, 00007FFD93161AC5, 00007FFD93161AF7, 00007FFD93161B75, 00007FFD93161BFC
content-type, xrefs: 00007FFD93161824
application/pkcs7-mime, xrefs: 00007FFD93161B55
application/x-pkcs7-mime, xrefs: 00007FFD93161B42
application/x-pkcs7-signature, xrefs: 00007FFD93161992
application/pkcs7-signature, xrefs: 00007FFD931619A5
multipart/signed, xrefs: 00007FFD93161869
boundary, xrefs: 00007FFD93161884
type: , xrefs: 00007FFD931619DE, 00007FFD93161B8E

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: strcmp$strncmp
String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
API String ID: 1244041713-3630080479
Opcode ID: fe6ee42ba66115c3f582b9304316164a699994161a53c33d26c7d699cf67fd0c
Instruction ID: b5fdb11cbf79f373bbcadbd551289d0a76a5debff91ac5ece493944d10d13c22
Opcode Fuzzy Hash: fe6ee42ba66115c3f582b9304316164a699994161a53c33d26c7d699cf67fd0c
Instruction Fuzzy Hash: 70C1BB22B0C64281FE34EFD194616BD2369AF81788F94803AD94D3779AEF3CE255E300

Function 655C1A30 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

PyUnicode_AsUTF8.PYTHON311 ref: 655C1A96
PyModule_GetDict.PYTHON311 ref: 655C1AAD
PyDict_GetItemString.PYTHON311 ref: 655C1AC6
PyCFunction_GetSelf.PYTHON311 ref: 655C1AD4
PyErr_Format.PYTHON311 ref: 655C1B3A

Strings

__dict__, xrefs: 655C1B8A
__pyarmor__, xrefs: 655C1ABC
protection exception (%d), xrefs: 655C1B57, 655C1C66
%s (%d:%d), xrefs: 655C1B25

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: DictDict_Err_FormatFunction_ItemModule_SelfStringUnicode_
String ID: %s (%d:%d)$__dict__$__pyarmor__$protection exception (%d)
API String ID: 3090064410-629680938
Opcode ID: e579b2d604af143ecd6b32f8bc8f366ca8e2c428553cc24737c77ac891aa6da4
Instruction ID: 92d1ae53f7e81d4bab4a5921117661733e72ff78fc0139488ccc31b0df7701a0
Opcode Fuzzy Hash: e579b2d604af143ecd6b32f8bc8f366ca8e2c428553cc24737c77ac891aa6da4
Instruction Fuzzy Hash: 3A51E732705B4481EF058B96EC9876827A2FB84FD9F8944B9DE1E07760EE39C095C741

Function 00007FFD930B1F69 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

i, xrefs: 00007FFD9327E019
..\s\crypto\rand\randfile.c, xrefs: 00007FFD9327DFC2, 00007FFD9327E021, 00007FFD9327E12C
Filename=, xrefs: 00007FFD9327DFE3, 00007FFD9327E037, 00007FFD9327E14D

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID:
String ID: ..\s\crypto\rand\randfile.c$Filename=$i
API String ID: 0-1799673945
Opcode ID: 9b4ea193b028727d5cf33481ab8e51e1a79f6630d4abdc56d1a885e2ca4d3d0c
Instruction ID: ef9b6ef9df98d002d4589ebcb250b149a63381fe333723258381d70978b9cfcd
Opcode Fuzzy Hash: 9b4ea193b028727d5cf33481ab8e51e1a79f6630d4abdc56d1a885e2ca4d3d0c
Instruction Fuzzy Hash: 6F51C721B0CA4786FA30EB96D86167A73A9FF84B44F800139D94E67695EF3DF905CB10

Function 655D0D00 Relevance: 21.1, APIs: 14, Instructions: 93COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 655D0D31
PyErr_Fetch.PYTHON311 ref: 655D0D6F
PyErr_NormalizeException.PYTHON311 ref: 655D0D87
PyException_SetTraceback.PYTHON311 ref: 655D0DA9
_Py_Dealloc.PYTHON311 ref: 655D0DCB
PyErr_NormalizeException.PYTHON311 ref: 655D0DDA
PyException_SetContext.PYTHON311 ref: 655D0DE9
PyErr_Restore.PYTHON311 ref: 655D0DFE
PyErr_Restore.PYTHON311 ref: 655D0E2B
_Py_Dealloc.PYTHON311 ref: 655D0E33
PyEval_GetFrame.PYTHON311 ref: 655D0E40
PyErr_Restore.PYTHON311 ref: 655D0E68
PyTraceBack_Here.PYTHON311 ref: 655D0E73
PyErr_Fetch.PYTHON311 ref: 655D0E87

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$Restore$DeallocExceptionException_FetchNormalize$Back_ContextEval_FrameHereOccurredTraceTraceback
String ID:
API String ID: 4214459649-0
Opcode ID: dc74e0e63e81e9e27f6e8a3395405a33c25d15d68652cb0286dce22e0a72b852
Instruction ID: f0e8edab5bc0cd13362d2990bc35216600e3409fcea9e0b782143a2002b0da7c
Opcode Fuzzy Hash: dc74e0e63e81e9e27f6e8a3395405a33c25d15d68652cb0286dce22e0a72b852
Instruction Fuzzy Hash: 31312666309FC095DA20DB1AFC1439AB762FB86BD1F848016EE8D43B28DF39C045C706

Function 00007FF611302B90 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF611302BB8
memset.MSVCRT ref: 00007FF611302C04
_wcsdup.MSVCRT ref: 00007FF611302C14
_wcsdup.MSVCRT ref: 00007FF611302C24
_wcsdup.MSVCRT ref: 00007FF611302C34
DialogBoxIndirectParamW.USER32 ref: 00007FF611302C56
free.MSVCRT ref: 00007FF611302C66
free.MSVCRT ref: 00007FF611302C73
free.MSVCRT ref: 00007FF611302C80
DeleteObject.GDI32 ref: 00007FF611302C92
DestroyIcon.USER32 ref: 00007FF611302CA5

Strings

Unhandled exception in script, xrefs: 00007FF611302BC8

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: _wcsdupfree$DeleteDestroyDialogHandleIconIndirectModuleObjectParammemset
String ID: Unhandled exception in script
API String ID: 3963799495-2699770090
Opcode ID: 63ee56fe181a1917596a2b7ec1c70eb69a51c0cc73ba7970fc3e78cbc600a575
Instruction ID: a23022fd173faae4c7dabd0f3f57d8b74b144ae53c7ae6608eb2e7cf232be820
Opcode Fuzzy Hash: 63ee56fe181a1917596a2b7ec1c70eb69a51c0cc73ba7970fc3e78cbc600a575
Instruction Fuzzy Hash: AE215136B09E8581EB65EB62B8546EB6368FBC9FA0F440135EE4E87B49DE3CD045C740

Function 655D1E90 Relevance: 19.6, APIs: 13, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 655D1EB3
HeapAlloc.KERNEL32 ref: 655D1EC7
GetAdaptersAddresses.IPHLPAPI ref: 655D1EEF
inet_ntoa.WS2_32 ref: 655D1F27
GetProcessHeap.KERNEL32 ref: 655D1F42
HeapFree.KERNEL32 ref: 655D1F4C
GetProcessHeap.KERNEL32 ref: 655D1F60
HeapFree.KERNEL32 ref: 655D1F6A
GetProcessHeap.KERNEL32 ref: 655D1F70
HeapAlloc.KERNEL32 ref: 655D1F7A
GetAdaptersAddresses.IPHLPAPI ref: 655D1F99

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Heap$Process$AdaptersAddressesAllocFree$inet_ntoa
String ID:
API String ID: 4108032510-0
Opcode ID: 0aea62c4e8033b316e9607a811da02806847fb27f1b58047ef8fd754bcad2c59
Instruction ID: fac0c3534c80afd2e6656ffc6296d38cc0b97535dbf9eddbf443358b8ff35549
Opcode Fuzzy Hash: 0aea62c4e8033b316e9607a811da02806847fb27f1b58047ef8fd754bcad2c59
Instruction Fuzzy Hash: 6221E41331564546EB04DBABAC04B5AE292BB89BD4F088335BD1D87398EF38C442C355

Function 00007FF611306D80 Relevance: 18.1, APIs: 9, Strings: 3, Instructions: 131stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF611306DA9
memcpy.MSVCRT ref: 00007FF611306DED
strlen.MSVCRT ref: 00007FF611306E07
strlen.MSVCRT ref: 00007FF611306E14
strlen.MSVCRT ref: 00007FF611306E40
free.MSVCRT ref: 00007FF611306E93
strncpy.MSVCRT ref: 00007FF611306EED
strncpy.MSVCRT ref: 00007FF611306F1A
strncpy.MSVCRT ref: 00007FF611306F89

Strings

SPLASH: Cannot find requirement %s in archive., xrefs: 00007FF611306E7F
SPLASH: Cannot extract requirement %s., xrefs: 00007FF611306F53
_MEIPASS2, xrefs: 00007FF611306D89

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: strlenstrncpy$callocfreememcpy
String ID: SPLASH: Cannot extract requirement %s.$SPLASH: Cannot find requirement %s in archive.$_MEIPASS2
API String ID: 4189425833-927121926
Opcode ID: 3deb22c876463e9c63b73cd2c22ece139e26c11ddae39d3f8cf6f8d0c71dafd8
Instruction ID: 507705ac32582b1ea7933cbfe9e5517200da6e8b4514d1ff1b5df0d82a5cbdd0
Opcode Fuzzy Hash: 3deb22c876463e9c63b73cd2c22ece139e26c11ddae39d3f8cf6f8d0c71dafd8
Instruction Fuzzy Hash: 3641C592708E4255EB18EA22D9042FB63A9BF45FE4F844135EE1DC778EDE2CE656C300

Function 00007FF611306B90 Relevance: 18.1, APIs: 10, Strings: 2, Instructions: 114stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 00007FF611306BF1
strncpy.MSVCRT ref: 00007FF611306C07
strncpy.MSVCRT ref: 00007FF611306C1D
calloc.MSVCRT ref: 00007FF611306C53
malloc.MSVCRT ref: 00007FF611306C73
malloc.MSVCRT ref: 00007FF611306C93
memcpy.MSVCRT ref: 00007FF611306CC7
memcpy.MSVCRT ref: 00007FF611306CDC
memcpy.MSVCRT ref: 00007FF611306CF1
free.MSVCRT ref: 00007FF611306CF9

Strings

Cannot allocate memory for necessary files., xrefs: 00007FF611306D11
_MEIPASS2, xrefs: 00007FF611306B94

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: memcpystrncpy$malloc$callocfree
String ID: Cannot allocate memory for necessary files.$_MEIPASS2
API String ID: 1819673767-1389504347
Opcode ID: 1c1aae830d7a0291694ed80a20a0afa746c84ec70af25d8933fc9614f42266ba
Instruction ID: 1dc04f59f199458a8da713bedb3bcb0f6aec249f024fcfc4dd4aec9ef68358b0
Opcode Fuzzy Hash: 1c1aae830d7a0291694ed80a20a0afa746c84ec70af25d8933fc9614f42266ba
Instruction Fuzzy Hash: 8341E4A2B05A0657EB18EA22D9442E9B3A9FB44FA0F544530DF1D87B89EF7CE1528300

Function 655D1B10 Relevance: 18.1, APIs: 12, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 655D1B31
HeapAlloc.KERNEL32 ref: 655D1B46
memcpy.MSVCRT ref: 655D1BBC
GetProcessHeap.KERNEL32 ref: 655D1BDA
HeapFree.KERNEL32 ref: 655D1BE5
GetProcessHeap.KERNEL32 ref: 655D1BFA
HeapFree.KERNEL32 ref: 655D1C05
GetProcessHeap.KERNEL32 ref: 655D1C20
HeapFree.KERNEL32 ref: 655D1C2B
GetProcessHeap.KERNEL32 ref: 655D1C35
HeapAlloc.KERNEL32 ref: 655D1C40
GetAdaptersAddresses.IPHLPAPI ref: 655D1C5C

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$AdaptersAddressesmemcpy
String ID:
API String ID: 1739390247-0
Opcode ID: ee3706aff2a730a5c98467d6ffc04d310d8ab49b36e1cd75808933f9135d73bf
Instruction ID: 18e1c2b6d05c5c84bc23980641701ee03a9b06968de6fc720af2fda85320fa74
Opcode Fuzzy Hash: ee3706aff2a730a5c98467d6ffc04d310d8ab49b36e1cd75808933f9135d73bf
Instruction Fuzzy Hash: 6431A8333056418AEB45DF7AA854B6DA392A789BD8F488535EE1947714FE38C582C704

Function 655DD3C0 Relevance: 18.1, APIs: 8, Strings: 4, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 655DD3EB
strcmp.MSVCRT ref: 655DD415
strcmp.MSVCRT ref: 655DD434
strcmp.MSVCRT ref: 655DD453
strcmp.MSVCRT ref: 655DD472
strcmp.MSVCRT ref: 655DD48D
strcmp.MSVCRT ref: 655DD4A8
strcmp.MSVCRT ref: 655DD4C3

Strings

src/misc/crypt/crypt_find_hash.c, xrefs: 655DD4F1
name != NULL, xrefs: 655DD4F8
aes, xrefs: 655DD3C3
`ee, xrefs: 655DD3D6

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: strcmp
String ID: `ee$aes$name != NULL$src/misc/crypt/crypt_find_hash.c
API String ID: 1004003707-1299439242
Opcode ID: 601caa24f6cdf50978214d2e49c8100922ea2f7feede72d58faa9c819481f6bb
Instruction ID: 387fc27251f71be181105881c74fa1424ccc48856e241ea37ac5113f0c37e7be
Opcode Fuzzy Hash: 601caa24f6cdf50978214d2e49c8100922ea2f7feede72d58faa9c819481f6bb
Instruction Fuzzy Hash: F931A62330628655FF28CE56C5D87B9A315FB447D8F0082258E2B8FA04EF68E209C714

Function 655D3AD0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 655D3AEA
malloc.MSVCRT ref: 655D3AF6
memcpy.MSVCRT ref: 655D3B15
strchr.MSVCRT ref: 655D3BF4
free.MSVCRT ref: 655D3C26

Strings

and,, xrefs: 655D3B23
or,, xrefs: 655D3B2A
local, xrefs: 655D3B63
http://, xrefs: 655D3B81

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: freemallocmemcpystrchrstrlen
String ID: and,$http://$local$or,
API String ID: 3771145599-2506292620
Opcode ID: 6994832533a56367005cc6e05215c8dd98345101bb0ad32382b69461a8beae47
Instruction ID: 41fba646db815fbe9c58dbcf12320cd4301aed40134d21315c2625a3b0f9d6c8
Opcode Fuzzy Hash: 6994832533a56367005cc6e05215c8dd98345101bb0ad32382b69461a8beae47
Instruction Fuzzy Hash: 7931073330965890FA51CF1E9908369E751FB42BF8F998B248D39177E4EB3AC04AC349

Function 00007FF611302500 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF611302521
SelectObject.GDI32 ref: 00007FF611302578
DrawTextW.USER32 ref: 00007FF61130259B
SelectObject.GDI32 ref: 00007FF6113025B1
ReleaseDC.USER32 ref: 00007FF6113025C1
MoveWindow.USER32 ref: 00007FF61130260D
MoveWindow.USER32 ref: 00007FF61130264C
MoveWindow.USER32 ref: 00007FF61130269D
MoveWindow.USER32 ref: 00007FF6113026DA

Strings

P%, xrefs: 00007FF611302581

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 6e54ce7222580e4a214d1a9fc401257ee609a80b666226e2997e335eb7f2f95f
Instruction ID: bbe6ee1b6d3a3a77068812d9bbd6c62cec49c7f5faf5a80af74b795f75b0360c
Opcode Fuzzy Hash: 6e54ce7222580e4a214d1a9fc401257ee609a80b666226e2997e335eb7f2f95f
Instruction Fuzzy Hash: 47418776214BA186D7208F36E408779B7A5F788F99F084231EE8987B59EF3CD145CB20

Function 655C9C70 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 655C9C81
PyList_New.PYTHON311 ref: 655CA5B2

Strings

NULL object in marshal data for list, xrefs: 655CB058
bad marshal data (list size out of range), xrefs: 655CAAD1

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_List_Occurred
String ID: NULL object in marshal data for list$bad marshal data (list size out of range)
API String ID: 1902535023-3453879413
Opcode ID: 5054c606a19ee87e08223c5bad087505e4feedeb9dbec1fdd4d585c3152e7d60
Instruction ID: 3eb2e04c3e8eee41823eab29957df6be2ea918cd1ce7c48821b428b5a18bb850
Opcode Fuzzy Hash: 5054c606a19ee87e08223c5bad087505e4feedeb9dbec1fdd4d585c3152e7d60
Instruction Fuzzy Hash: 24317A31709B41C6EA00DF95E89871937A2FB85B89F448868DE4E47714DF39D489C382

Function 655C9DE0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 655C9DF1
PyTuple_New.PYTHON311 ref: 655CA62F

Strings

NULL object in marshal data for tuple, xrefs: 655CAEF9
bad marshal data (tuple size out of range), xrefs: 655CAC8E

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_OccurredTuple_
String ID: NULL object in marshal data for tuple$bad marshal data (tuple size out of range)
API String ID: 3674511531-3094253248
Opcode ID: 499bab45598a42969fe488b6349a7b18071ec3ea50fd777e284b739c6b91639e
Instruction ID: 6ca57f78b36797b5ebfbb6a218376e1ae92de58f06977249860dec5c12353a54
Opcode Fuzzy Hash: 499bab45598a42969fe488b6349a7b18071ec3ea50fd777e284b739c6b91639e
Instruction Fuzzy Hash: 32217C31709B4186EA10DFA5E89C71937B1BB85B89F42886CDE0E47314EF39D489C383

Function 655D8510 Relevance: 16.9, APIs: 3, Strings: 8, Instructions: 356stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 655D86D6

Strings

src/hashes/md5.c, xrefs: 655D8627, 655D8640
8, xrefs: 655D8A09
@, xrefs: 655D868D
in != NULL, xrefs: 655D8647
?, xrefs: 655D872C
md != NULL, xrefs: 655D862E
?, xrefs: 655D85B9
MD5, xrefs: 655D8767

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: strlen
String ID: 8$?$?$@$MD5$in != NULL$md != NULL$src/hashes/md5.c
API String ID: 39653677-3461814546
Opcode ID: 936d5757294c818ea727aa664ef8605e1bbd9b229f9b7b278c9f300408979052
Instruction ID: 4e60605f0b7ca03fe429f3007bf1b1140834b144d728e05c33a4ac8302d04884
Opcode Fuzzy Hash: 936d5757294c818ea727aa664ef8605e1bbd9b229f9b7b278c9f300408979052
Instruction Fuzzy Hash: F6D1ECB36082818AE701CB5EE458B6EFFA1F392388F446609DE821BB44D77ED445CB47

Function 655DD840 Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 655DD873
memcmp.MSVCRT ref: 655DD893
memcmp.MSVCRT ref: 655DD8B5
memcmp.MSVCRT ref: 655DD8D5
memcmp.MSVCRT ref: 655DD8F5
memcmp.MSVCRT ref: 655DD915
memcmp.MSVCRT ref: 655DD935
memcmp.MSVCRT ref: 655DD955

Strings

`ee, xrefs: 655DD858
src/misc/crypt/crypt_register_hash.c, xrefs: 655DDAA7
hash != NULL, xrefs: 655DDAAE

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: memcmp
String ID: `ee$hash != NULL$src/misc/crypt/crypt_register_hash.c
API String ID: 1475443563-17379175
Opcode ID: 432f9ad7a351c0998ef8b1f23f89b15d3faec8f5b2df927045c9096e21228a0e
Instruction ID: 171a1370a5b34d404517d46e077ba0088aa323d6a3d6f20e4c75ec675dce37e3
Opcode Fuzzy Hash: 432f9ad7a351c0998ef8b1f23f89b15d3faec8f5b2df927045c9096e21228a0e
Instruction Fuzzy Hash: E061D93330575496E760CF2AE88479AB364F304BD8F448225CF9A87B54DF39E15AC758

Function 655C9E10 Relevance: 16.6, APIs: 11, Instructions: 85COMMON

Download Yara Rule

APIs

PyDict_New.PYTHON311 ref: 655C9E10
PyList_Append.PYTHON311 ref: 655CA355
PyDict_SetItem.PYTHON311 ref: 655CA3B6
_Py_Dealloc.PYTHON311 ref: 655CA3DB

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Dict_$AppendDeallocItemList_
String ID:
API String ID: 2970173465-0
Opcode ID: 59f39ef1215198a9324b581995806f1b1ea9b298c75c10eaeecaa02ef7c6e062
Instruction ID: aba75e0d3f049d7e700fed2bd7b4bec74312637f76618785c1c7d375e704792a
Opcode Fuzzy Hash: 59f39ef1215198a9324b581995806f1b1ea9b298c75c10eaeecaa02ef7c6e062
Instruction Fuzzy Hash: D531387130AB4186EA458FA6EC6C70977A5BB8AF99F4954ACCE4E47B00DE3DD041C343

Function 655D2290 Relevance: 16.6, APIs: 11, Instructions: 78memorynetworkCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 655D22AB
HeapAlloc.KERNEL32 ref: 655D22BF
GetNetworkParams.IPHLPAPI ref: 655D22F7
GetProcessHeap.KERNEL32 ref: 655D2319
HeapFree.KERNEL32 ref: 655D2323
GetProcessHeap.KERNEL32 ref: 655D2340
HeapFree.KERNEL32 ref: 655D234A
GetProcessHeap.KERNEL32 ref: 655D2351
HeapAlloc.KERNEL32 ref: 655D235B
GetProcessHeap.KERNEL32 ref: 655D2376
HeapFree.KERNEL32 ref: 655D2380

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$NetworkParams
String ID:
API String ID: 3483679945-0
Opcode ID: a36a2779e4b6ddafb03d1c7d0570e49966fa4ca10da643109c815580eb6d0d7a
Instruction ID: eb208fc36bc46b08561c5562bd16e1b308105ec987d7b028fdb81a631c605eed
Opcode Fuzzy Hash: a36a2779e4b6ddafb03d1c7d0570e49966fa4ca10da643109c815580eb6d0d7a
Instruction Fuzzy Hash: D111E953305A4594EA14DBBB7C0476AD6926FCABD8F488236AD2D573A4EE3CC442C344

Function 655C4D71 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145threadCOMMON

Download Yara Rule

APIs

Part of subcall function 655CE6E0: PyList_New.PYTHON311 ref: 655CE71B
Part of subcall function 655CE6E0: PyErr_Occurred.PYTHON311 ref: 655CE73A
Part of subcall function 655CE6E0: PyMem_Free.PYTHON311 ref: 655CE768

PyThreadState_Get.PYTHON311 ref: 655CF987
_PyDict_GetItemWithError.PYTHON311 ref: 655CF9AA
_PyObject_FastCall.PYTHON311 ref: 655CFA1B
_Py_Dealloc.PYTHON311 ref: 655CFA4B
_Py_Dealloc.PYTHON311 ref: 655CFA83

Part of subcall function 655C8260: PyTuple_Size.PYTHON311 ref: 655C8281
Part of subcall function 655C8260: PyTuple_New.PYTHON311 ref: 655C828D
Part of subcall function 655C8260: _PyObject_LookupAttr.PYTHON311 ref: 655C830C
Part of subcall function 655C8260: PyObject_GetAttr.PYTHON311 ref: 655C831E
Part of subcall function 655C8260: PyModule_GetFilenameObject.PYTHON311 ref: 655C834A
Part of subcall function 655C8260: PyUnicode_FromString.PYTHON311 ref: 655C835A
Part of subcall function 655C8260: _PyErr_Clear.PYTHON311(?,?,00000000,?,00000000,?,?,?,?,?,655CFAFF), ref: 655C8394
Part of subcall function 655C8260: PyErr_SetImportError.PYTHON311 ref: 655C83B9
Part of subcall function 655C8260: _Py_Dealloc.PYTHON311 ref: 655C83D8

_PyLong_AsInt.PYTHON311 ref: 655CFAB8
PyImport_ImportModuleLevelObject.PYTHON311 ref: 655CFADF
_Py_Dealloc.PYTHON311 ref: 655CFB11

Strings

__import__ not found, xrefs: 655CFA97

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Dealloc$Err_Object_$AttrErrorImportObjectTuple_$CallClearDict_FastFilenameFreeFromImport_ItemLevelList_Long_LookupMem_ModuleModule_OccurredSizeState_StringThreadUnicode_With
String ID: __import__ not found
API String ID: 2133401641-2199325508
Opcode ID: 9ac40b60e857652f1246002a6ed900096e3607ad86d5f065cc6ece918d8e19b4
Instruction ID: 248bebcaecf54c11f3edf841a974ff42c383895df94ad4b6bbf72a118cd31454
Opcode Fuzzy Hash: 9ac40b60e857652f1246002a6ed900096e3607ad86d5f065cc6ece918d8e19b4
Instruction Fuzzy Hash: AE519C72309E4482EB418F66ED44759B7A1FB89FE9F44806AEE5A07B24DF39C492C301

Function 655C1660 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 655C16ED
PyErr_Occurred.PYTHON311 ref: 655C178E

Strings

%s (%d:%d), xrefs: 655C16DB

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$FormatOccurred
String ID: %s (%d:%d)
API String ID: 4038069558-1595188566
Opcode ID: 3203d6e74869b537bf337df77313df74bd09d28397d795c1a8892745d5c82633
Instruction ID: c8a543375930f68ffecc09195063f67851b87a3658f86f762ceac62ff4a4ce04
Opcode Fuzzy Hash: 3203d6e74869b537bf337df77313df74bd09d28397d795c1a8892745d5c82633
Instruction Fuzzy Hash: 1A41E472719B8482DF44CB99E85836E77A1FB86BD5F885069DE4E07B24CE3DC085C741

Function 65640230 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 65640289
signal.MSVCRT ref: 656402E2
signal.MSVCRT ref: 6564033E
signal.MSVCRT ref: 656403F3

Strings

CCG , xrefs: 65640245

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: ac37c62943570249b15e7850ea290f0b562f8858747f7cd5229a97c59afef0a5
Instruction ID: 50235eae97ad12a55b58c389a1256f7646d6a79f6dd2cbfe0932b1f8b682f4e5
Opcode Fuzzy Hash: ac37c62943570249b15e7850ea290f0b562f8858747f7cd5229a97c59afef0a5
Instruction Fuzzy Hash: DE316F3070942287EB66CAB9545036918027BFA339F24CB25C97ECFBD6CEAC95C4C216

Function 655C98B0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 655C98C0
PyUnicode_DecodeUTF8.PYTHON311 ref: 655CA15F

Strings

surrogatepass, xrefs: 655CA155
bad marshal data (string size out of range), xrefs: 655CAA6E

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: DecodeErr_OccurredUnicode_
String ID: bad marshal data (string size out of range)$surrogatepass
API String ID: 1138423624-4021928140
Opcode ID: 186e0761dd20b8e89e334bfe2bded994a7e05cd1ccc3dc244a1ddd59fb7ca03b
Instruction ID: 91838017c88b118c5f3c9ff854cf1866af30506d117ec46b5a44f2cd9a62909d
Opcode Fuzzy Hash: 186e0761dd20b8e89e334bfe2bded994a7e05cd1ccc3dc244a1ddd59fb7ca03b
Instruction Fuzzy Hash: 4031A532309A40C6EB11CF55E858B9A77B6FB85B99F45C86CCE4A07714DF38D485C782

Function 00007FFD930B23D3 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFD931BDA48
GetProcAddress.KERNEL32 ref: 00007FFD931BDA5D
GetProcessWindowStation.USER32 ref: 00007FFD931BDA87
GetUserObjectInformationW.USER32 ref: 00007FFD931BDAAF
GetLastError.KERNEL32 ref: 00007FFD931BDABD
GetUserObjectInformationW.USER32 ref: 00007FFD931BDB28
wcsstr.VCRUNTIME140 ref: 00007FFD931BDB50

Strings

Service-0x, xrefs: 00007FFD931BDB49
_OPENSSL_isservice, xrefs: 00007FFD931BDA53

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 459917433-1672312481
Opcode ID: bc225b995bbff2d3b119e7081b5c779a5c3234c2f77d3222796a288c2c9d01dd
Instruction ID: 37dbe19f660ff0eb9b9767c55f3a4335bfc650b7535908ff8092753cb0603671
Opcode Fuzzy Hash: bc225b995bbff2d3b119e7081b5c779a5c3234c2f77d3222796a288c2c9d01dd
Instruction Fuzzy Hash: 6841A622709B8295FB74AFA4D86026823A8EF49774F944735E97D677E8DF2CE104C300

Function 655C7FA0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 65stringCOMMON

Download Yara Rule

APIs

PyErr_SetFromWindowsErr.PYTHON311 ref: 655C7FCE
PyErr_Fetch.PYTHON311 ref: 655C7FE3
PyErr_Restore.PYTHON311 ref: 655C7FF8
PyObject_Str.PYTHON311 ref: 655C8008
strerror.MSVCRT ref: 655C8015
PyErr_Format.PYTHON311 ref: 655C8051

Strings

%s (%d:%d), xrefs: 655C8044

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$FetchFormatFromObject_RestoreWindowsstrerror
String ID: %s (%d:%d)
API String ID: 2858978339-1595188566
Opcode ID: e85c47f1f589f6ea68a2032e06490bc3c68f2969b86d31e1b353e49a83f193b9
Instruction ID: f319ae636bef93743a53fb1d3f3c32ce04b2d9065d0f4f3d62627e49fcfd6743
Opcode Fuzzy Hash: e85c47f1f589f6ea68a2032e06490bc3c68f2969b86d31e1b353e49a83f193b9
Instruction Fuzzy Hash: 33219232705F5481DB009B59EC543997762FB86B96F85802AEE4E27764CF3EC446C782

Function 655CE6E0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 58fileCOMMON

Download Yara Rule

APIs

PyList_New.PYTHON311 ref: 655CE71B
PyErr_Occurred.PYTHON311 ref: 655CE73A
PyMem_Free.PYTHON311 ref: 655CE768
fwrite.MSVCRT ref: 655CE7B2
PyErr_Occurred.PYTHON311 ref: 655CE7C0
PyErr_SetString.PYTHON311 ref: 655CE7D8

Strings

NULL object in marshal data for object, xrefs: 655CE7CE
XXX readobject called with exception set, xrefs: 655CE79D

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$Occurred$FreeList_Mem_Stringfwrite
String ID: NULL object in marshal data for object$XXX readobject called with exception set
API String ID: 4281374468-3392712392
Opcode ID: 7e3af20d15800fde2b6c589b1e43a9e7a218940ded1b9ba38b436a05a85b144f
Instruction ID: 52a8a6e22c914ef300cd0827caafff511dfcd167662ca4fddad92af67559c5f0
Opcode Fuzzy Hash: 7e3af20d15800fde2b6c589b1e43a9e7a218940ded1b9ba38b436a05a85b144f
Instruction Fuzzy Hash: E021DC3120AF8582EB41CB90FC4931977E1FB89B89F504428EA8E43B68DF3EC006C742

Function 00007FF611308CD0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF611308D12
WideCharToMultiByte.KERNEL32 ref: 00007FF611308D52
GetLastError.KERNEL32 ref: 00007FF611308D98

Strings

PyInstaller: FormatMessageW failed., xrefs: 00007FF611308D83
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF611308DC3
FormatMessageW, xrefs: 00007FF611308D77
WideCharToMultiByte, xrefs: 00007FF611308CD6, 00007FF611308DB7
No error messages generated., xrefs: 00007FF611308D70
Failed to encode wchar_t as UTF-8., xrefs: 00007FF611308DB0

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharErrorFormatLastMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 1653872744-2573406579
Opcode ID: 024fbe4156dcd0bd8b1afa62f143db975c9d56f4e4c52d1d88309cd898284ba8
Instruction ID: c9ac70e996a78456ca74bd52e1d2cbdda75d1d182bfa108752427fcce29453be
Opcode Fuzzy Hash: 024fbe4156dcd0bd8b1afa62f143db975c9d56f4e4c52d1d88309cd898284ba8
Instruction Fuzzy Hash: F421A571E0CE0281F720AB14F8583AA23A8BF55BB4F844534EA4DC66ACEF3CD549C700

Function 655DDAD0 Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 655DDB03
memcmp.MSVCRT ref: 655DDB20
memcmp.MSVCRT ref: 655DDB42
memcmp.MSVCRT ref: 655DDB62
memcmp.MSVCRT ref: 655DDB82
memcmp.MSVCRT ref: 655DDBA2
memcmp.MSVCRT ref: 655DDBC2
memcmp.MSVCRT ref: 655DDBE2

Strings

src/misc/crypt/crypt_register_prng.c, xrefs: 655DDCFF
prng != NULL, xrefs: 655DDD06

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: memcmp
String ID: prng != NULL$src/misc/crypt/crypt_register_prng.c
API String ID: 1475443563-58737364
Opcode ID: a913128a9f4e728073ed94bef177e1e2b2bedfa6e1bb2cde48caf202d923e6ee
Instruction ID: 1317e3ddf535fc72a45fc22366ad2e50efafd354bfd7698dd3f07dc3c7c85764
Opcode Fuzzy Hash: a913128a9f4e728073ed94bef177e1e2b2bedfa6e1bb2cde48caf202d923e6ee
Instruction Fuzzy Hash: 71518F33304B98A6E750CF16D888B9EB369F748BD4F858225CF2987750EB78D259CB14

Function 655DD510 Relevance: 15.1, APIs: 8, Strings: 2, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 655DD53B
strcmp.MSVCRT ref: 655DD55F
strcmp.MSVCRT ref: 655DD57B
strcmp.MSVCRT ref: 655DD59A
strcmp.MSVCRT ref: 655DD5B9
strcmp.MSVCRT ref: 655DD5D4
strcmp.MSVCRT ref: 655DD5EF
strcmp.MSVCRT ref: 655DD60A

Strings

name != NULL, xrefs: 655DD63F
src/misc/crypt/crypt_find_prng.c, xrefs: 655DD638

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: strcmp
String ID: name != NULL$src/misc/crypt/crypt_find_prng.c
API String ID: 1004003707-2030105502
Opcode ID: bd664a6d9f0a0808b36262ff49592f962540af911b4a605302155891ce701580
Instruction ID: 5bcb82b6c15460d08124199243efe65b55dc33dccfe919d23b4368fc9eea5abc
Opcode Fuzzy Hash: bd664a6d9f0a0808b36262ff49592f962540af911b4a605302155891ce701580
Instruction Fuzzy Hash: 4931C62331A58649EF18DE5ADAD83B9A311FF45BDCF0042258F2B4BE08EB28D206C754

Function 655DD270 Relevance: 15.1, APIs: 8, Strings: 2, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 655DD29B
strcmp.MSVCRT ref: 655DD2C5
strcmp.MSVCRT ref: 655DD2E4
strcmp.MSVCRT ref: 655DD303
strcmp.MSVCRT ref: 655DD322
strcmp.MSVCRT ref: 655DD33D
strcmp.MSVCRT ref: 655DD358
strcmp.MSVCRT ref: 655DD373

Strings

name != NULL, xrefs: 655DD3A8
src/misc/crypt/crypt_find_cipher.c, xrefs: 655DD3A1

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: strcmp
String ID: name != NULL$src/misc/crypt/crypt_find_cipher.c
API String ID: 1004003707-679692990
Opcode ID: 11dc2316814a17821c6e08e23ef36a2eee01094678e651aac4b8e3b933b740c3
Instruction ID: f7e750e6fedafc293297a7829d9e1343767aa832e7321d741072baed43f8b6ee
Opcode Fuzzy Hash: 11dc2316814a17821c6e08e23ef36a2eee01094678e651aac4b8e3b933b740c3
Instruction Fuzzy Hash: 2231A72331A5C699FF18DE56C9D87BEA315FF44BD8F0086258E278BA44EF28D205C718

Function 00007FF6113086B0 Relevance: 15.1, APIs: 10, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF611304650: _wfopen.MSVCRT ref: 00007FF611304695

fread.MSVCRT ref: 00007FF611308721
ferror.MSVCRT ref: 00007FF611308731
clearerr.MSVCRT(00000000,?,?,00007FF61130350A,00000000), ref: 00007FF61130873D
fwrite.MSVCRT ref: 00007FF611308753
ferror.MSVCRT ref: 00007FF611308760
clearerr.MSVCRT(00000000,?,?,00007FF61130350A,00000000), ref: 00007FF61130876C
fclose.MSVCRT ref: 00007FF611308779
fclose.MSVCRT ref: 00007FF611308781
fclose.MSVCRT ref: 00007FF6113087A4
fclose.MSVCRT ref: 00007FF6113087B1

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fclose$clearerrferror$_wfopenfreadfwrite
String ID:
API String ID: 4075948245-0
Opcode ID: de543994853625e5123b511a0ad74e2fad549e823485704da97f86f2286d7e77
Instruction ID: dad51293285be833ac92c51cc72ebd40228db87bdf95f3a57c87f9ce257a7fda
Opcode Fuzzy Hash: de543994853625e5123b511a0ad74e2fad549e823485704da97f86f2286d7e77
Instruction Fuzzy Hash: 4D21F310E09A4341FA29A6226A193F942D90F46FF0E5801B4ED1EDB7CEEE2CE9524341

Function 00007FF611312D4B Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176stringCOMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF611312DEE
fwprintf.MSVCRT ref: 00007FF611312E23
memset.MSVCRT ref: 00007FF611312F0A
strlen.MSVCRT ref: 00007FF611312F22

Part of subcall function 00007FF611318E6E: ___mb_cur_max_func.MSVCRT ref: 00007FF611318EA4
Part of subcall function 00007FF611318E6E: ___lc_codepage_func.MSVCRT ref: 00007FF611318EAB

fwprintf.MSVCRT ref: 00007FF611312E4B

Part of subcall function 00007FF611312CC0: fputwc.MSVCRT ref: 00007FF611312D10

Strings

%*.*S, xrefs: 00007FF611312DE4
%.*S, xrefs: 00007FF611312E41
%-*.*S, xrefs: 00007FF611312E19

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fwprintf$___lc_codepage_func___mb_cur_max_funcfputwcmemsetstrlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 1485978544-2115465065
Opcode ID: 5a4758fc2b7250ab57d84d915ac7ea9a8d289e4afafd195f03aed32c1a1e0ffa
Instruction ID: 75f8b3f023b56bbab9ca2e055c262703fd6de8f728d65a6eca5afd5a5e8b14ab
Opcode Fuzzy Hash: 5a4758fc2b7250ab57d84d915ac7ea9a8d289e4afafd195f03aed32c1a1e0ffa
Instruction Fuzzy Hash: C781D776A04B498EEB14CF6AC8806AC77B4F748FA8F118525EE5D87B58DF38D510CB50

Function 655C13C0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

PySys_GetObject.PYTHON311 ref: 655C158B
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 655C159B
getenv.MSVCRT ref: 655C15BB

Strings

LANG, xrefs: 655C15B4
PYARMOR_LANG, xrefs: 655C1565
_PARLANG, xrefs: 655C1584, 655C162C

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: ObjectSizeSys_Unicode_getenv
String ID: LANG$PYARMOR_LANG$_PARLANG
API String ID: 223123148-1822377752
Opcode ID: 2ea2cf00a8b36c58963a17aa7ab993bd4ec67035b6483d9c510a7495e2f72678
Instruction ID: 3e66d71d10d4bf1d9fc5e0ad2051b154bf26aca46c49c87bfac076b794b57818
Opcode Fuzzy Hash: 2ea2cf00a8b36c58963a17aa7ab993bd4ec67035b6483d9c510a7495e2f72678
Instruction Fuzzy Hash: CD5138A260C6E085EB01CB95D5D43A93BB3B742F89F88C0DEDA9E07351D729C499C752

Function 00007FFD930B3779 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 85stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93159B51
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFD93159B6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD93159C16

Strings

MASK:, xrefs: 00007FFD93159B4A
pkix, xrefs: 00007FFD93159BCF
utf8only, xrefs: 00007FFD93159C0C
nombstr, xrefs: 00007FFD93159B8F
default, xrefs: 00007FFD93159C3A

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: strcmpstrncmpstrtoul
String ID: MASK:$default$nombstr$pkix$utf8only
API String ID: 1175158921-3483942737
Opcode ID: 56a8b705b4d859711014d430f94cbbc3222095bc84f144be5c70752352c183a7
Instruction ID: e729a501e48f01778bb3eb8354783167159e9ab22c8a4bf107bc1ec0c5fa5ca7
Opcode Fuzzy Hash: 56a8b705b4d859711014d430f94cbbc3222095bc84f144be5c70752352c183a7
Instruction Fuzzy Hash: 35315523B1C68186FB719B9DE4607B837A4EB45750F844236EA5EA36A1EF2CE491C700

Function 00007FF611308EC0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF611308F08
WideCharToMultiByte.KERNEL32 ref: 00007FF611308F5A
calloc.MSVCRT ref: 00007FF611308F70

Strings

Out of memory., xrefs: 00007FF611308F81
Failed to get UTF-8 buffer size., xrefs: 00007FF611308FC0
WideCharToMultiByte, xrefs: 00007FF611308FA7, 00007FF611308FC7
win32_utils_to_utf8, xrefs: 00007FF611308F88
Failed to encode wchar_t as UTF-8., xrefs: 00007FF611308FA0

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1374691127-27947307
Opcode ID: 610e830cc156b7b5144b5e984da796cd542280474a5d718d75e7e6b0456d95c9
Instruction ID: a54531b54b36b916956c4e85298a8d55651bc6033303cff3e661cfbe370874ae
Opcode Fuzzy Hash: 610e830cc156b7b5144b5e984da796cd542280474a5d718d75e7e6b0456d95c9
Instruction Fuzzy Hash: B121B361B09F4284FB10EB65B85437A6299AF85BF4F444639EA4DCB6DDEF7CE1088300

Function 00007FF611308DD0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF611308E12
calloc.MSVCRT ref: 00007FF611308E22
WideCharToMultiByte.KERNEL32 ref: 00007FF611308E57

Strings

Failed to get ANSI buffer size., xrefs: 00007FF611308E70
Out of memory., xrefs: 00007FF611308EA7
Failed to encode filename as ANSI., xrefs: 00007FF611308E90
WideCharToMultiByte, xrefs: 00007FF611308E77, 00007FF611308E97
win32_wcs_to_mbs, xrefs: 00007FF611308EAE

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Out of memory.$WideCharToMultiByte$win32_wcs_to_mbs
API String ID: 1374691127-3831141058
Opcode ID: 3053fae4ff6c96a7205fc05c2f0ab597f00dd46bdd9511d4cab0f019121f0fe5
Instruction ID: 2f3b467799820a6602a7dd90b9976d695f1a60aad8dd9ce4870ce1520556efea
Opcode Fuzzy Hash: 3053fae4ff6c96a7205fc05c2f0ab597f00dd46bdd9511d4cab0f019121f0fe5
Instruction Fuzzy Hash: 5121C031A0CE4684F710AB65B85836A26E9EB45BF4F844239EA4DC66DDEF7CE104C340

Function 00007FF6113089F0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF611308A0B
_strdup.MSVCRT ref: 00007FF611308A3C
_errno.MSVCRT ref: 00007FF611308A70
strerror.MSVCRT ref: 00007FF611308A78
_errno.MSVCRT ref: 00007FF611308A95
strerror.MSVCRT ref: 00007FF611308A9D

Strings

LOADER: failed to strdup argv[%d]: %s, xrefs: 00007FF611308A7F
LOADER: failed to allocate argv_pyi: %s, xrefs: 00007FF611308AA2

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: _errnostrerror$_strdupcalloc
String ID: LOADER: failed to allocate argv_pyi: %s$LOADER: failed to strdup argv[%d]: %s
API String ID: 4278403329-2782260415
Opcode ID: d96aacef9ed84a949530d77edcfedc7950ec38b60155a97baa6cd5d3fb4306df
Instruction ID: ea8c31593786c9a4929a199a3efa107a26e06077b2887bc8933314cb2c822c43
Opcode Fuzzy Hash: d96aacef9ed84a949530d77edcfedc7950ec38b60155a97baa6cd5d3fb4306df
Instruction Fuzzy Hash: 92119021E09E028AFB11AB64E8455B922A9BF45FB0F544134DE1EC3399FF3CA895C340

Function 655E7730 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 168COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 655E77A3
malloc.MSVCRT ref: 655E77AD

Strings

seed != NULL, xrefs: 655E7960
src/pk/pkcs1/pkcs_1_mgf1.c, xrefs: 655E7959, 655E7972
mask != NULL, xrefs: 655E7979

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: malloc
String ID: mask != NULL$seed != NULL$src/pk/pkcs1/pkcs_1_mgf1.c
API String ID: 2803490479-2931318352
Opcode ID: 007d18a35a24888dcf39cfe4df07b7613f2485130eb91db0356d5a04b7ea0b2f
Instruction ID: 6b03929a61ecd4ce8b527f2e326edd5501b55e068084a0c0faaf78ccabebfb04
Opcode Fuzzy Hash: 007d18a35a24888dcf39cfe4df07b7613f2485130eb91db0356d5a04b7ea0b2f
Instruction Fuzzy Hash: EA51053272C2D446EB11CF369908B7EBF62BB467C8F458054DEA68BB46EB39D506C710

Function 655C9920 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

PyUnicode_FromKindAndData.PYTHON311 ref: 655C9966
PyErr_SetString.PYTHON311 ref: 655CA4D7

Strings

EOF read where object expected, xrefs: 655CA4CA

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: DataErr_FromKindStringUnicode_
String ID: EOF read where object expected
API String ID: 3898585613-3634523442
Opcode ID: 04ca306bd89f918b7f90f971045096d01b4dbce57aefe0c7a7e2d83fe1acdd06
Instruction ID: f10ceccba4cfa7312ef8cac71ec97e1824882466543ffcafdd226683020711f5
Opcode Fuzzy Hash: 04ca306bd89f918b7f90f971045096d01b4dbce57aefe0c7a7e2d83fe1acdd06
Instruction Fuzzy Hash: 6931B172308A9086EB11CF54D89CB5A37B6FB84B99F42899CCE4E07354DF38E485D382

Function 655C8C70 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 655C8CC9
PyOS_string_to_double.PYTHON311 ref: 655C8CDB
PyErr_SetString.PYTHON311 ref: 655C8D33

Strings

marshal data too short, xrefs: 655C8D7C
EOF read where object expected, xrefs: 655C8D29

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_S_string_to_doubleStringmemcpy
String ID: EOF read where object expected$marshal data too short
API String ID: 1651926552-3827827332
Opcode ID: f38f77dd6b9e2ae228d9fa50a2c1b41989e173e465579d058b658c3aa1c4c980
Instruction ID: 9893afe519beb309a5c822026a8bf841d2b62195f40b60ae0ca80469fcebf519
Opcode Fuzzy Hash: f38f77dd6b9e2ae228d9fa50a2c1b41989e173e465579d058b658c3aa1c4c980
Instruction Fuzzy Hash: A7319362306E0481EF15CF69E8543683361BB54BC9F84866A9E5E0B764DF3CC5A6C383

Function 655C3790 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

_PyObject_CallMethod_SizeT.PYTHON311 ref: 655C37ED
_PyObject_CallMethod_SizeT.PYTHON311 ref: 655C37FF
_Py_Dealloc.PYTHON311 ref: 655C380B
_Py_Dealloc.PYTHON311 ref: 655C3883

Strings

%U.%s, xrefs: 655C3796
read, xrefs: 655C37DC
close, xrefs: 655C37F5

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: CallDeallocMethod_Object_Size
String ID: %U.%s$close$read
API String ID: 3129687173-1885073756
Opcode ID: aa663db67ea191b5490c2e51e3b0525d23603efdf2b6fc5ee98d59a3f3621397
Instruction ID: 7a98b9dd8726981eaff07f189bdfd600ed0865f17cd7732ce25404e26c2a3b34
Opcode Fuzzy Hash: aa663db67ea191b5490c2e51e3b0525d23603efdf2b6fc5ee98d59a3f3621397
Instruction Fuzzy Hash: D3110872346A1895EA01DF5AFC0839473D2BB05BC6FC9847AAC0907710EF3AC155C342

Function 00007FF6113015E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6113015F7
LoadLibraryA.KERNEL32 ref: 00007FF611301608
GetProcAddress.KERNEL32 ref: 00007FF611301626
GetProcAddress.KERNEL32 ref: 00007FF611301635

Strings

libgcc_s_dw2-1.dll, xrefs: 00007FF6113015ED
__register_frame_info, xrefs: 00007FF611301615
__deregister_frame_info, xrefs: 00007FF611301628

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: c987cd605a046c4775a246cf352f7a0ef9f3b92eb4b15ad4de75813f5d1440e3
Instruction ID: 93bfa6b5016b5c9158fa77e4a97cc2c9e01a359e92fd018dc08700346b207ebe
Opcode Fuzzy Hash: c987cd605a046c4775a246cf352f7a0ef9f3b92eb4b15ad4de75813f5d1440e3
Instruction Fuzzy Hash: B5017E25A0AE1B95EB25AB15BC505B423A8BF49FF5F884131D80ED736CAF2CE54AC340

Function 655C8FA0 Relevance: 12.2, APIs: 8, Instructions: 242fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 655C904D

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: fwrite
String ID:
API String ID: 3559309478-0
Opcode ID: 35d53b257ab5d36623af3ede2f7f5326aabfd9c2661b5d44362e3d723fae2bf1
Instruction ID: 4ceffa435346867d23c185757ecf7d9bc08aab45cc780a3b5a10b29e76c7adf3
Opcode Fuzzy Hash: 35d53b257ab5d36623af3ede2f7f5326aabfd9c2661b5d44362e3d723fae2bf1
Instruction Fuzzy Hash: 50917CB2204B4081DB14CFA9D54839973B1F709FE8F54461ADE6E17388DB78D5A1C3C2

Function 655C9510 Relevance: 12.2, APIs: 8, Instructions: 175filestringCOMMON

Download Yara Rule

APIs

PyOS_double_to_string.PYTHON311 ref: 655C9536
strlen.MSVCRT ref: 655C9547
fwrite.MSVCRT ref: 655C95DB
fwrite.MSVCRT ref: 655C95F6

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: fwrite$S_double_to_stringstrlen
String ID:
API String ID: 4243900985-0
Opcode ID: e16756779b8a1fc10292522e6c8f00f77a61b77a9032fca392c706517718d5f4
Instruction ID: 7f486fe836997e6953096de4b45e580ce0e0a654669adafa2600e6d000e116f9
Opcode Fuzzy Hash: e16756779b8a1fc10292522e6c8f00f77a61b77a9032fca392c706517718d5f4
Instruction Fuzzy Hash: 6151AAA6305B8885DB05CFA5E84839977B1F749FECF54822ACE1E07788EB38D591C381

Function 655E1DC0 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 127COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 655E1E31
free.MSVCRT ref: 655E1F2F

Strings

in != NULL, xrefs: 655E1FF2
public_key_len != NULL, xrefs: 655E1FC0
inlen != 0, xrefs: 655E1FD9
src/pk/asn1/der/sequence/der_decode_subject_public_key_info.c, xrefs: 655E1FB9, 655E1FD2, 655E1FEB

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: callocfree
String ID: in != NULL$inlen != 0$public_key_len != NULL$src/pk/asn1/der/sequence/der_decode_subject_public_key_info.c
API String ID: 306872129-3913984646
Opcode ID: 1d68fb711517bc7399ea16f3c952ac82f5687450421f59b63b0c312b341e7b4e
Instruction ID: 6bf8326df5b2730deeb7430c2419952d441c9b92cfb700bb3abdf420f54ac495
Opcode Fuzzy Hash: 1d68fb711517bc7399ea16f3c952ac82f5687450421f59b63b0c312b341e7b4e
Instruction Fuzzy Hash: 18415A723096C08AE771CF56E8447DAB7A1F398388F804119EE994BB48EB7DC545CF90

Function 00007FF611304EE0 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 88COMMON

Download Yara Rule

Strings

lib-dynload, xrefs: 00007FF611304F58
%s%c%s, xrefs: 00007FF611304F04, 00007FF611304F72
base_library.zip, xrefs: 00007FF611304EFD
_MEIPASS2, xrefs: 00007FF611304EE0
\, xrefs: 00007FF611304F65

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: %s%c%s$\$_MEIPASS2$base_library.zip$lib-dynload
API String ID: 626452242-1997419384
Opcode ID: 96eac9c964f75bfd1bb261b00fe75da3a025126ccef3a6a625524ed71a1e8126
Instruction ID: 44ee5af7bd6a5a474c5142f417ca8b8884141367ac5cc770c47755df023e3173
Opcode Fuzzy Hash: 96eac9c964f75bfd1bb261b00fe75da3a025126ccef3a6a625524ed71a1e8126
Instruction Fuzzy Hash: D9313E22A49E8585EB219B54E8403EA6368FB44BA5F444332DE9DD3ADDDF3CE145C740

Function 00007FF611309090 Relevance: 12.1, APIs: 3, Strings: 5, Instructions: 60COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6
MultiByteToWideChar.KERNEL32 ref: 00007FF611309108
calloc.MSVCRT ref: 00007FF61130911E

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF611309168
win32_utils_from_utf8, xrefs: 00007FF611309132
Failed to decode wchar_t from UTF-8, xrefs: 00007FF611309148
MultiByteToWideChar, xrefs: 00007FF61130914F, 00007FF61130916F
Out of memory., xrefs: 00007FF61130912B

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1374691127-876015163
Opcode ID: 9bafd67a9e6ba27ecb336526dea89acf2ec330839c75d6e55779765ab19282cc
Instruction ID: 0e5664dcbc93563f91497ed99be2fcf6e57de179fa3b7750a91c4c411ad677ae
Opcode Fuzzy Hash: 9bafd67a9e6ba27ecb336526dea89acf2ec330839c75d6e55779765ab19282cc
Instruction Fuzzy Hash: 36119061B08E5384FF24EB65A85827912A9AF49BF4F484539DA0DC7AE9EE7CE1048300

Function 6563FAE0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 6563FB8B

Strings

VirtualProtect failed with code 0x%x, xrefs: 6563FC6A
VirtualQuery failed for %d bytes at address %p, xrefs: 6563FCB8
Address %p has no image-section, xrefs: 6563FCC9

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 1804819252-2123141913
Opcode ID: 9049368619da4a25c66c9b95f1ea17296b441588c7bbd9637c1f18506f63dcd1
Instruction ID: 78dbba2b07fa2b8dbbbe386d4d94c1a6ceea098a2a5d8f29c15745fd74c11fff
Opcode Fuzzy Hash: 9049368619da4a25c66c9b95f1ea17296b441588c7bbd9637c1f18506f63dcd1
Instruction Fuzzy Hash: 7B51C4B3751B6086DB118F26EC4179DB7A1FB48BB9F448226EE5A47BA4EB3CC541C301

Function 00007FF6113073C0 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 155COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF61130753B

Strings

rename ::source ::_source, xrefs: 00007FF611307490
exit, xrefs: 00007FF611307472
source, xrefs: 00007FF6113074B9
_image_data, xrefs: 00007FF611307519
tclInit, xrefs: 00007FF61130741B
tcl_findLibrary, xrefs: 00007FF61130743D

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: free
String ID: _image_data$exit$rename ::source ::_source$source$tclInit$tcl_findLibrary
API String ID: 1294909896-1126984729
Opcode ID: d97ae4815509cc26e6e973629a1329cac86f451b544e01a121b7f206e9f1a56d
Instruction ID: 834604165c50ab0cdbf02f21e7b2b36c38face2e385bfe232d5022cbfba4ade0
Opcode Fuzzy Hash: d97ae4815509cc26e6e973629a1329cac86f451b544e01a121b7f206e9f1a56d
Instruction Fuzzy Hash: F671B83AA08E46D5EB11AF25E9543A933A4FB48FA9F448131DE4E87368DF7CD549C380

Function 00007FFD930B2E46 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFD931BD832

Strings

~, xrefs: 00007FFD931BD84C
~, xrefs: 00007FFD931BD8FC
~, xrefs: 00007FFD931BD867
~, xrefs: 00007FFD931BD8E4
OPENSSL_ia32cap, xrefs: 00007FFD931BD808

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: EnvironmentVariable
String ID: OPENSSL_ia32cap$~$~$~$~
API String ID: 1431749950-1981414212
Opcode ID: 2634814bda47d7719d861af1cfec94a442d099e0f6a35619a322e4b16ada4e8f
Instruction ID: 40b87fb0fb29145773194b944262459e6d04ab5e1354371baf35e9449d186fd9
Opcode Fuzzy Hash: 2634814bda47d7719d861af1cfec94a442d099e0f6a35619a322e4b16ada4e8f
Instruction Fuzzy Hash: FD417F25F4865386FB34AF81A8601B962B8FB04B90F445239D9AD777B8DF3DE485C740

Function 00007FF611308260 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

wcslen.MSVCRT ref: 00007FF6113082B0
wcscat.MSVCRT ref: 00007FF6113082DE
_wrmdir.MSVCRT ref: 00007FF6113082FC
wcscat.MSVCRT ref: 00007FF61130832E

Strings

_MEIPASS2, xrefs: 00007FF611308269

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: wcscat$ByteCharMultiWide_wrmdirwcslen
String ID: _MEIPASS2
API String ID: 3789554339-3944641314
Opcode ID: dff885c60d23d3461016a6460ebf55cb8603be97f12bd722d7800e4d7d6e30bf
Instruction ID: 73bab770df99253c07fb571ba9c9c54f1d84fd9bb2a882a5b0dce12228a7bd77
Opcode Fuzzy Hash: dff885c60d23d3461016a6460ebf55cb8603be97f12bd722d7800e4d7d6e30bf
Instruction Fuzzy Hash: 2721AD52B08D4244EB64A612A8146FE92A8BB86FF0FC84571ED1ED77DEEE3CE445C305

Function 655C97D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 655C98A4

Strings

recursion limit exceeded, xrefs: 655C9FAE
bad marshal data (unknown type code), xrefs: 655C9F87
EOF read where object expected, xrefs: 655C9897

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_String
String ID: EOF read where object expected$bad marshal data (unknown type code)$recursion limit exceeded
API String ID: 1450464846-1585441539
Opcode ID: 72857e5f31b23ca580e303d826eac4072c2d33220b5725a31caacbc6c35201fa
Instruction ID: dc9edf6bc3160556bb6a1e6f9d34eb1ca2939b0baebc8a6839550ae8d11542b0
Opcode Fuzzy Hash: 72857e5f31b23ca580e303d826eac4072c2d33220b5725a31caacbc6c35201fa
Instruction Fuzzy Hash: 70318E62204E84C1EB12CF59EC4879977B5FB88B9EF918615EE4907370DF3AD196C342

Function 00007FF6113067B0 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6113067C4

Strings

%U?%llu, xrefs: 00007FF6113067E9
path, xrefs: 00007FF611306815
Failed to append PYZ entry to sys.path!, xrefs: 00007FF611306840
strict, xrefs: 00007FF6113067C9
Installing PYZ: Could not get sys.path!, xrefs: 00007FF61130685C
utf-8, xrefs: 00007FF6113067D3

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: strlen
String ID: %U?%llu$Failed to append PYZ entry to sys.path!$Installing PYZ: Could not get sys.path!$path$strict$utf-8
API String ID: 39653677-372213108
Opcode ID: d4f4f0bb41883a37b964850e9d6525e6c82bda7dc6b4eb7bef36193f41cd0a21
Instruction ID: e43dace06bb441e46ca1882b51d2b9a71c5baa052ed42dbfe2c5965f01b50710
Opcode Fuzzy Hash: d4f4f0bb41883a37b964850e9d6525e6c82bda7dc6b4eb7bef36193f41cd0a21
Instruction Fuzzy Hash: CF114F66B09E1681FB10EB29E9140A87378BF88FE4B444131CE1ED77A8EE3CE505C340

Function 655C9CA0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 655C9CAB
PyBytes_FromStringAndSize.PYTHON311 ref: 655CA554
memcpy.MSVCRT ref: 655CA591

Strings

bad marshal data (bytes object size out of range), xrefs: 655CAB0D

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Bytes_Err_FromOccurredSizeStringmemcpy
String ID: bad marshal data (bytes object size out of range)
API String ID: 2675459810-66224825
Opcode ID: 372bbe69b73e72245b42a05347342d6e2556be109c5071e2d3c2ef300887fc81
Instruction ID: 3db665dd54a59fb4354c8f241d34f8bc98ff82026e83f2ec77fd9428e2b7775b
Opcode Fuzzy Hash: 372bbe69b73e72245b42a05347342d6e2556be109c5071e2d3c2ef300887fc81
Instruction Fuzzy Hash: A4113775349A41D6DA04DF95D8ACB5A3366FB86B89F52C85CCD0A0B714DF38E885C382

Function 655D0A60 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 655D0A8D
_Py_Dealloc.PYTHON311 ref: 655D0AA3
PyNumber_Positive.PYTHON311 ref: 655D0AB4
PyNumber_Invert.PYTHON311 ref: 655D0AC0
PyNumber_Negative.PYTHON311 ref: 655D0AD0

Strings

Invalid operator, xrefs: 655D0A83

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Number_$DeallocErr_InvertNegativePositiveString
String ID: Invalid operator
API String ID: 4031754375-2676212410
Opcode ID: bb0e5358f5855027b1d18ec4438ad423c9f8c163757e117bf35e0d2341aad790
Instruction ID: 56ee4e428c4930b2a7ec680c83bbaa57737bbb89105a1948faf2673ab94f0611
Opcode Fuzzy Hash: bb0e5358f5855027b1d18ec4438ad423c9f8c163757e117bf35e0d2341aad790
Instruction Fuzzy Hash: D0F04F2635AD02C1EB14CB3DEC5831DB362B789B56F844616E95A47778EE3D8094C34A

Function 65640CB0 Relevance: 9.1, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 65640CCD
_stat64.MSVCRT ref: 65640D1B
malloc.MSVCRT ref: 65640E33
memcpy.MSVCRT ref: 65640E48
_stat64.MSVCRT ref: 65640E5B
free.MSVCRT ref: 65640E70

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: _stat64$freemallocmemcpystrlen
String ID:
API String ID: 4289191721-0
Opcode ID: 2e8b4db83b12a41ffbe3facdde420b2ac2544ea1a3acc10374bbb150b9bb6a37
Instruction ID: 56ace8c1c3186e4903d447239d00f5edcdfd6c97e3fd21de96ae64c5b98fdc6d
Opcode Fuzzy Hash: 2e8b4db83b12a41ffbe3facdde420b2ac2544ea1a3acc10374bbb150b9bb6a37
Instruction Fuzzy Hash: 8151906650C6A089E724CF21E05036EBBA3F7AABA8F54C012DAE50FB48D77ED059C751

Function 00007FF611308590 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 75COMMON

Download Yara Rule

Strings

\, xrefs: 00007FF6113085B8
ERROR: file already exists but should not: %s, xrefs: 00007FF611308683
%s%c%s, xrefs: 00007FF6113085A1
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF611308648
WARNING: file already exists but should not: %s, xrefs: 00007FF611308622

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: strlen$_wfopenstrcpystrtok
String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
API String ID: 1482442392-3501660386
Opcode ID: 3857e9cd60ee6755af969470ea9db99d25e9f8ec4df6ec79fe72a54bffc774bc
Instruction ID: 03200e64dd8320341658c664ef6508b1484b7e350b924097a3b7cb6e269cfc5c
Opcode Fuzzy Hash: 3857e9cd60ee6755af969470ea9db99d25e9f8ec4df6ec79fe72a54bffc774bc
Instruction Fuzzy Hash: A521E060E0CE4785FB20AB25AD142BA22ED5F04FF4F494572EA5DC62DEEE2CE5428200

Function 655D01D0 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

PyEval_GetGlobals.PYTHON311 ref: 655D01E1
PyDict_SetItem.PYTHON311 ref: 655D0259
PyDict_GetItem.PYTHON311 ref: 655D027D
PyDict_DelItem.PYTHON311 ref: 655D0296

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Dict_Item$Eval_Globals
String ID:
API String ID: 298195719-0
Opcode ID: d5408bdd1d46d6877632b01687fee9b399b38884ed7c7739265720aee7ef3364
Instruction ID: e380ce7385be2531d364d4a4de241fe0ac32816ddd3e420fec19ae663cd23236
Opcode Fuzzy Hash: d5408bdd1d46d6877632b01687fee9b399b38884ed7c7739265720aee7ef3364
Instruction Fuzzy Hash: B611C153F0B51442EE8AD79EFC683858152BB99FD4F8D8222CC0D07724FD28D9C38205

Function 00007FF6113083A0 Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 00007FF6113083EA
wcscat.MSVCRT ref: 00007FF611308400

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: wcscatwcscmp
String ID:
API String ID: 3846154227-0
Opcode ID: 540d919613c492cef5aa6eb646dd1b1cb3c8d339fc27a6144501ec21207fb444
Instruction ID: 8e6fd7d5c96a9720805716239bed22239ecd372163d41879fbea657f466d91d8
Opcode Fuzzy Hash: 540d919613c492cef5aa6eb646dd1b1cb3c8d339fc27a6144501ec21207fb444
Instruction Fuzzy Hash: 2A116D14E08E428AFB64AB22A8102FE13DC5F84FE4F0840B1DD0EC66DEEE6CE5018301

Function 655CFB30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164memoryCOMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 655CFB39
VirtualAlloc.KERNEL32 ref: 655CFC5B
memcpy.MSVCRT ref: 655CFC7B

Strings

Failed to alloc memory for spp code, xrefs: 655CFD7B

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: AllocVirtualexitmemcpy
String ID: Failed to alloc memory for spp code
API String ID: 693558432-822294455
Opcode ID: 08e832c0c9f710393ef95aa86fdc690f668fb6e3fbe4ddf920d45d3e6ddf32d7
Instruction ID: d9a193d96d362e16e10bfc7cee67294009c3bee90cb96a3439ebee9496c6edcb
Opcode Fuzzy Hash: 08e832c0c9f710393ef95aa86fdc690f668fb6e3fbe4ddf920d45d3e6ddf32d7
Instruction Fuzzy Hash: D4518AB271AB4482DF548F46E88875873A5FF09BD8F48852AEE5D477A4EF38C0A1C301

Function 00007FF611313048 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF6113130EB
fwprintf.MSVCRT ref: 00007FF611313120

Part of subcall function 00007FF611312CC0: fputwc.MSVCRT ref: 00007FF611312D10

Strings

%-*.*s, xrefs: 00007FF611313116
%.*s, xrefs: 00007FF61131313E
%*.*s, xrefs: 00007FF6113130E1

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fwprintf$fputwc
String ID: %*.*s$%-*.*s$%.*s
API String ID: 2988249585-4054516066
Opcode ID: 780129500cc8eb22b3af81c7775783de4b986a6307f7fb092a662ca78920ec8f
Instruction ID: 5a1b3b433efee427e39deaa1f6d0b3c7f867a8ab0e4c29fdc5155cd4f06b77ef
Opcode Fuzzy Hash: 780129500cc8eb22b3af81c7775783de4b986a6307f7fb092a662ca78920ec8f
Instruction Fuzzy Hash: E271DB76A08B49CADB50DF6AC8815A877F4F748FA8B018536EE4D87758DF38D510CB40

Function 655C1010 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 655C1057
_amsg_exit.MSVCRT ref: 655C1081

Strings

`fe, xrefs: 655C11B0

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID: `fe
API String ID: 1015461914-3353273076
Opcode ID: 199634705dce5b4f770805382d025e87dccb6df90746fea589fb0f8542ffedc8
Instruction ID: 9b9550d06393cd6cab9e1125078025130cad039e04c39752dc338ddc62f05058
Opcode Fuzzy Hash: 199634705dce5b4f770805382d025e87dccb6df90746fea589fb0f8542ffedc8
Instruction Fuzzy Hash: 8A41C333745A4486F702CF9AEC5475523A2B784BDAF84846ADE5C47350EE3ED8E2C342

Function 00007FF611307D60 Relevance: 8.8, APIs: 7, Instructions: 67stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF611307D80
strlen.MSVCRT ref: 00007FF611307D97
strlen.MSVCRT ref: 00007FF611307DAC
malloc.MSVCRT ref: 00007FF611307DBA

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: strlen$malloc
String ID:
API String ID: 3157260142-0
Opcode ID: bebafa3fc507f9c40b8e2e1084042dec21c5cd6be2e2a9f71abb3c5bc8a466b7
Instruction ID: 9a546e083b5e079a15bde28031040c13c5b087ca8df6f7848820d4db3313fbbe
Opcode Fuzzy Hash: bebafa3fc507f9c40b8e2e1084042dec21c5cd6be2e2a9f71abb3c5bc8a466b7
Instruction Fuzzy Hash: 63113C02B4ED9644FF5BAA9359116FA55D92F46FF4E0C4430ED4ECB78AFD2CA8428350

Function 655D06B5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 655D06A4
PyErr_GivenExceptionMatches.PYTHON311 ref: 655D06E6
PyTuple_Size.PYTHON311 ref: 655D0793
PyErr_SetString.PYTHON311 ref: 655D0801

Strings

catching classes that do not inherit from BaseException is not allowed, xrefs: 655D07F5

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$DeallocExceptionGivenMatchesSizeStringTuple_
String ID: catching classes that do not inherit from BaseException is not allowed
API String ID: 1667255942-1287988286
Opcode ID: 2ddce8402beef71e25fb151be9229e65b8e086872c143b4be1c0a7d2074ead73
Instruction ID: c00a8616df912711fa4d636d0c10aabf2e5053e6905e83b6793b36860df68a2a
Opcode Fuzzy Hash: 2ddce8402beef71e25fb151be9229e65b8e086872c143b4be1c0a7d2074ead73
Instruction Fuzzy Hash: 16218B73705B4185EB858F2AE84CB19B3A1B781F99F448226CE495B734EB3AC094C749

Function 655D0C40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 655D0C47
PyErr_Format.PYTHON311 ref: 655D0C76
PyErr_Format.PYTHON311 ref: 655D0C95

Strings

local variable referenced before assignment, xrefs: 655D0C8B
No active exception to reraise, xrefs: 655D0C6C

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$Format$Occurred
String ID: No active exception to reraise$local variable referenced before assignment
API String ID: 1084603930-1116140797
Opcode ID: 925c9e6883d7b0226a7ac6fd8a78dc0513a9bb80c5a8847127b5eb0d77d708e5
Instruction ID: 644575126bcd704e2ac599e14d505237c336f1b838df6f2527c855f857a5de5b
Opcode Fuzzy Hash: 925c9e6883d7b0226a7ac6fd8a78dc0513a9bb80c5a8847127b5eb0d77d708e5
Instruction Fuzzy Hash: 54F01261701E0A81EF149B65ECD836453E2BB88B96F845012DC0947334EE2EC0E5C345

Function 00007FFD930B1064 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFD932C12EF
memmove.VCRUNTIME140 ref: 00007FFD932C14D5

Strings

0123456789ABCDEF, xrefs: 00007FFD932C14F4
..\s\crypto\x509\x509_obj.c, xrefs: 00007FFD932C12D0, 00007FFD932C159F, 00007FFD932C15C3
NO X509_NAME, xrefs: 00007FFD932C12E2

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: memmovestrncpy
String ID: ..\s\crypto\x509\x509_obj.c$0123456789ABCDEF$NO X509_NAME
API String ID: 3054264757-3422593365
Opcode ID: 7f77f0534d5a2a99a2cc4ad61e5207ec6cb1e36b2fae790484e7a38ba6b0187c
Instruction ID: e5f3b54e68d918851ce34c79750d59a4d8a57b1e601d802f6f5610c59db8ecfe
Opcode Fuzzy Hash: 7f77f0534d5a2a99a2cc4ad61e5207ec6cb1e36b2fae790484e7a38ba6b0187c
Instruction Fuzzy Hash: D3B1F332B0868686EB30AF99E46137AB7A8FB447C8F144175DA8E67785DE7CF401C700

Function 00007FFD930B158C Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FFD932F443F

Strings

FALSE, xrefs: 00007FFD932F11DB, 00007FFD932F11F3
TRUE, xrefs: 00007FFD932F11B9, 00007FFD932F11D2
E, xrefs: 00007FFD932F44C1
..\s\crypto\x509v3\v3_utl.c, xrefs: 00007FFD932F4414, 00007FFD932F4450, 00007FFD932F446D, 00007FFD932F44C9, 00007FFD932F44F4, 00007FFD932F4509, 00007FFD932F451E

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: memchr
String ID: ..\s\crypto\x509v3\v3_utl.c$E$FALSE$TRUE
API String ID: 3297308162-1433594941
Opcode ID: afb071bca9fb63d4d8150a353952ceb48a3f39d8d44ea172c003c9b4e1cef4c6
Instruction ID: 3cffe568c6d30fa43c5945f40a445ccbd2a7bf4e7232f84176f6084ec1e3c897
Opcode Fuzzy Hash: afb071bca9fb63d4d8150a353952ceb48a3f39d8d44ea172c003c9b4e1cef4c6
Instruction Fuzzy Hash: 1A51B325B09B4284FA34EFE6A4703BA62A8AF44B80F844439ED4D77795DF7CE641D304

Function 655D2730 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 655D27E6
sprintf.MSVCRT ref: 655D2810

Strings

No any serial number of harddisk got, xrefs: 655D2855
/%d:, xrefs: 655D27BB, 655D27CD
../src/platforms/windows/hdinfo.c, xrefs: 655D285C

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: sprintfstrlen
String ID: ../src/platforms/windows/hdinfo.c$/%d:$No any serial number of harddisk got
API String ID: 1090396089-4267867539
Opcode ID: ac58de0b02559ea35e239e7b5920a514f9373c233a009cfc2dd28759ab763dff
Instruction ID: 05b2d9363daf1451f6ffe4ac11d2150450b3a457ba3477c55a75cf7920dc6697
Opcode Fuzzy Hash: ac58de0b02559ea35e239e7b5920a514f9373c233a009cfc2dd28759ab763dff
Instruction Fuzzy Hash: 68319953B0945049EB60CE3DAC287ACA213B796BF9F988331CD294B784DA3985C7C348

Function 655D16C0 Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

PyFunction_NewWithQualName.PYTHON311 ref: 655D170C
_Py_Dealloc.PYTHON311 ref: 655D1797

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: DeallocFunction_NameQualWith
String ID:
API String ID: 2691592392-0
Opcode ID: 3077c3de32299fc1994f2696746d037fd12b2bf16bfa47a1dd58350e40abc364
Instruction ID: 4d29aacf2fdd0f96df02e4ace6db0588d37e01026e5b04dfbb3c682784ce57cf
Opcode Fuzzy Hash: 3077c3de32299fc1994f2696746d037fd12b2bf16bfa47a1dd58350e40abc364
Instruction Fuzzy Hash: 6531A43334AE40C2EA89CF5EE94C729B2A5F745BD5F484620DE2607B20EF34C491C349

Function 655E0FE0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

src/math/rand_prime.c, xrefs: 655E1126
N != NULL, xrefs: 655E112D

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID:
String ID: N != NULL$src/math/rand_prime.c
API String ID: 0-3192267683
Opcode ID: cb910b647e8abcccaead9b9b7fe59af7af402870bf1f0b7ef6196090397879d1
Instruction ID: bcdb52681da7f3265faeec0c182f53b85d06aad601d75021b3ff6bd3ac142ed5
Opcode Fuzzy Hash: cb910b647e8abcccaead9b9b7fe59af7af402870bf1f0b7ef6196090397879d1
Instruction Fuzzy Hash: FB31272230868586E725DF16EC08B6EAB65B786BE8F844125ED1A8BB94EF3DC541C700

Function 655C9D93 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 655C8C70: memcpy.MSVCRT ref: 655C8CC9
Part of subcall function 655C8C70: PyOS_string_to_double.PYTHON311 ref: 655C8CDB

PyErr_Occurred.PYTHON311 ref: 655C9DB7
PyErr_Occurred.PYTHON311 ref: 655CA08D

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_Occurred$S_string_to_doublememcpy
String ID:
API String ID: 282781714-0
Opcode ID: 3d968de7e1fe6efd12466ac0b279690b6bd23adde742df7babe8a3660f4b82b3
Instruction ID: d66d783ec293f9530ebe548648b0e3628acfd2f5e7bcd7944ec1c21c776a9858
Opcode Fuzzy Hash: 3d968de7e1fe6efd12466ac0b279690b6bd23adde742df7babe8a3660f4b82b3
Instruction Fuzzy Hash: 63115165649A40CAD606DFA0C46CB1A33B6BB85799F52EA8DD90627210DF35E881D383

Function 655C9E50 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 655C8810: PyFloat_Unpack8.PYTHON311 ref: 655C8841

PyErr_Occurred.PYTHON311 ref: 655C9E74
PyErr_Occurred.PYTHON311 ref: 655CA02D

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_Occurred$Float_Unpack8
String ID:
API String ID: 3006406168-0
Opcode ID: 369cc6e6fab0356e349259fa79c6b7736e3a29e6c76bd7c5fb254614319366de
Instruction ID: a9dd119f302648dababd8dd36dac1e4c3a6b0e14a7099fc5a2f93f662d279b10
Opcode Fuzzy Hash: 369cc6e6fab0356e349259fa79c6b7736e3a29e6c76bd7c5fb254614319366de
Instruction Fuzzy Hash: 3E119061648A40C6D601DFA1D8ACB4A33B6FB86789F42DE8DDD0627210DF35F482E3C2

Function 00007FF611302AD0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF611302AF9
EndDialog.USER32 ref: 00007FF611302B28
SetWindowLongPtrW.USER32 ref: 00007FF611302B3C
GetWindowLongPtrW.USER32 ref: 00007FF611302B55
InvalidateRect.USER32 ref: 00007FF611302B75

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: DialogLongWindow$InvalidateRect
String ID:
API String ID: 1200242243-0
Opcode ID: 57b41cf59eeebec43940bf3f5d915734346139c7fb041d6f7fac98ec8a71f233
Instruction ID: 921dcbd2f04ac0dfe9e23e53c63de1a17d3a306dce3db26bb15bc6a74e4f117c
Opcode Fuzzy Hash: 57b41cf59eeebec43940bf3f5d915734346139c7fb041d6f7fac98ec8a71f233
Instruction Fuzzy Hash: 7D018C31E1CD7642FB683B6A68852B921C9AF88FB1F554830D90AC5BDDDC6C68C29300

Function 6561D6A0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 233fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6561D954
abort.MSVCRT ref: 6561D959

Strings

', xrefs: 6561D9BE
illegal index register, xrefs: 6561D93F

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: abortfwrite
String ID: '$illegal index register
API String ID: 1067672060-451399654
Opcode ID: 8fda720d08536c9c7f86e7d72d6a805ff540ad46f21f2d47b2444522e335936a
Instruction ID: 96d33956d7a75d81f3e0330d08506ce4844ae2e5eb055506ae35163bcf9b8dd4
Opcode Fuzzy Hash: 8fda720d08536c9c7f86e7d72d6a805ff540ad46f21f2d47b2444522e335936a
Instruction Fuzzy Hash: B7918BB761AB99C4DB228F3DE890A4C3B75E395F88B9AC112CB4D47B14CA7EC456C710

Function 00007FF61130E640 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF61130E668

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: 0e3aed78a1e4c150b1ff523e32ba85c0a188e2a4dfc2739e81b31b52371fb521
Instruction ID: 0e4ecac4ac4ad5357a4eb92c74e36a837a43b8f1b0fbf910ca19f15380ff0b0e
Opcode Fuzzy Hash: 0e3aed78a1e4c150b1ff523e32ba85c0a188e2a4dfc2739e81b31b52371fb521
Instruction Fuzzy Hash: C9410F72F09E268AF7249B64D5443BC27E8AB45F78F104A35CA2DD77E8CE3CA6418251

Function 00007FFD930B3841 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFD93179C1A, 00007FFD93179C9D
host=, xrefs: 00007FFD93179D0E
J, xrefs: 00007FFD93179C95

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID:
String ID: ..\s\crypto\bio\b_sock.c$J$host=
API String ID: 0-1729655730
Opcode ID: 31c7aae0c6204fcaae541c015ea13e20bcfa82d779c5bb0f8b846d03ff15bf19
Instruction ID: f2cb1f9e87c7c7199f0f694002f1a0f7249b9a8e6a6be15e99720249e51c8a8f
Opcode Fuzzy Hash: 31c7aae0c6204fcaae541c015ea13e20bcfa82d779c5bb0f8b846d03ff15bf19
Instruction Fuzzy Hash: 5131A132B0868282EB20DF95F4611AEA374FB85784F840035EB8D63BAADF7DD5449B00

Function 655CFDA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 655CFDF9
memcpy.MSVCRT ref: 655CFE1C
fwrite.MSVCRT ref: 655CFEAC

Strings

Failed to alloc memory for bcc code, xrefs: 655CFE97

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: AllocVirtualfwritememcpy
String ID: Failed to alloc memory for bcc code
API String ID: 1603020442-783995166
Opcode ID: b428dafa0490d868059339f54b4b7a73ddaf40ac8375481d99a28d422e384d13
Instruction ID: c92dfdfd98e9b95e720341ebd4ad38059adb16915cf40e7d8ba5290994afd775
Opcode Fuzzy Hash: b428dafa0490d868059339f54b4b7a73ddaf40ac8375481d99a28d422e384d13
Instruction Fuzzy Hash: 8321DEB2702B5486DB548F5AE88076877A4FB0DFD9F48912AEF0D83354EB38C1A2C340

Function 655C99A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 655C99B0
PyErr_SetString.PYTHON311 ref: 655CA0E9

Strings

bad marshal data (string size out of range), xrefs: 655CA0DF

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$OccurredString
String ID: bad marshal data (string size out of range)
API String ID: 114435612-3115314950
Opcode ID: 8b1a550116f0c324f3e4c57fad5cc2c73eefae9cb2877b347941cd34b56c2525
Instruction ID: 065ccceb7fcf20a91aa8924412b76c89ffcd62536ab4a385a5ab61a62671b7f1
Opcode Fuzzy Hash: 8b1a550116f0c324f3e4c57fad5cc2c73eefae9cb2877b347941cd34b56c2525
Instruction Fuzzy Hash: 0E11C672305A8486EB12CF45EC487A673B1BF88B99F45856CCE4D17714EF38E489D342

Function 00007FF611302DC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

MessageBoxW.USER32 ref: 00007FF611302E28
MessageBoxA.USER32 ref: 00007FF611302E4B

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF611302DC8
WideCharToMultiByte, xrefs: 00007FF611302DCA

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Failed to get UTF-8 buffer size.$WideCharToMultiByte
API String ID: 1878133881-785100509
Opcode ID: 996ea42dbfbdc6150fb3e78afd1d99beba1d91d16d45c08ba1a9db144a0f4385
Instruction ID: 331f44d4d53625b863712c2d933f9928b3f5198ed5dcff3cfd9be422d15525bd
Opcode Fuzzy Hash: 996ea42dbfbdc6150fb3e78afd1d99beba1d91d16d45c08ba1a9db144a0f4385
Instruction Fuzzy Hash: 2001D16371569005FB256622BD0ABFA05896B49FE1F888034EF4D97BC9EC3CD582C704

Function 655C2ECE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 655C2F4F
exit.MSVCRT(655C1E15), ref: 655C3240

Strings

\(, xrefs: 655C2F3A
%s (%d:%d), xrefs: 655C2F48

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_Formatexit
String ID: %s (%d:%d)$\(
API String ID: 2212715685-1109738240
Opcode ID: e747bb5f631494d9453c9f18b9f4efe0d826f169312f5ee0d90a09e36386c2e3
Instruction ID: 71f36ed67453079e8ba9a861225dd639282c8d532cb97743f27bc9e2529d01f2
Opcode Fuzzy Hash: e747bb5f631494d9453c9f18b9f4efe0d826f169312f5ee0d90a09e36386c2e3
Instruction Fuzzy Hash: D8110262355B8884EB41CF95EC943AA3760F785B95F856466DD5F0B394CF3CC142C742

Function 655C9F30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 655CA1A9
PyErr_Occurred.PYTHON311 ref: 655CA4F9
PyErr_SetString.PYTHON311 ref: 655CAD67

Strings

bad marshal data (invalid reference), xrefs: 655CA19C, 655CAD5A

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_$String$Occurred
String ID: bad marshal data (invalid reference)
API String ID: 1118661901-2759865940
Opcode ID: f3fe2ad5349754e4a9757f78037221e52d129df4df06ccd699d249bb2566b44c
Instruction ID: 3e29b29041c3dab9ea8585a8c71ee1a5f635ff6f5c271b37e2f2e2c8875a323e
Opcode Fuzzy Hash: f3fe2ad5349754e4a9757f78037221e52d129df4df06ccd699d249bb2566b44c
Instruction Fuzzy Hash: 411117B5304E40C6EB05CF55DC98B0933B6FB84BA5F92A949DA1947224DF35D4D9C382

Function 00007FF6113045A0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF6113045C2

Part of subcall function 00007FF611308EC0: WideCharToMultiByte.KERNEL32 ref: 00007FF611308F08

Strings

GetModuleFileNameW, xrefs: 00007FF6113045FF
Failed to convert executable path to UTF-8., xrefs: 00007FF611304610
Failed to get executable path., xrefs: 00007FF6113045F8

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharFileModuleMultiNameWide
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 1532159127-1977442011
Opcode ID: a705923171a296baecb93f2081270a394e4d88c8d8c6dfbd024d0ef3db960c6d
Instruction ID: ad38949581b534d2057e1c825f5c2f854a9ac41c18d49ac2ecdfa60e9268b5ab
Opcode Fuzzy Hash: a705923171a296baecb93f2081270a394e4d88c8d8c6dfbd024d0ef3db960c6d
Instruction Fuzzy Hash: E1F04952B1CD1381FB68A725AC193B902EDAF08FE0F444435E80EC6ADEED1DEA468300

Function 655D1C90 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 655D1C94
FormatMessageA.KERNEL32 ref: 655D1CC5
LocalFree.KERNEL32 ref: 655D1CE6

Strings

../src/platforms/windows/hdinfo.c, xrefs: 655D1CD0

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: ../src/platforms/windows/hdinfo.c
API String ID: 1365068426-2451707101
Opcode ID: c9c70334066065b88396303e7bd641ee83867a9d70dae79d63c15fefd2233f3d
Instruction ID: ad4e4ada93c1b1fb4ed91767e7d73b94eb71408d56c75f64ce9afdc74f9973b7
Opcode Fuzzy Hash: c9c70334066065b88396303e7bd641ee83867a9d70dae79d63c15fefd2233f3d
Instruction Fuzzy Hash: F2F03931304F80C2E7109B65E81574A7B72F3C9B86F904025EA8A03B64CF3EC15ACB42

Function 00007FFD932D9650 Relevance: 6.5, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD932D9D33), ref: 00007FFD932D97E5
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD932D9D33), ref: 00007FFD932D97FD
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD932D9D33), ref: 00007FFD932D9815
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD932D9D33), ref: 00007FFD932D9851
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFD932D9D33), ref: 00007FFD932D9936

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: f9a5f847c0a831fcffc5b112e7359bb239a83faf7b63a308c16b99dc0b69426a
Instruction ID: 4f4dd87b234e10297550c9eb9f63e816ddf29bf30b8c91edb2a741ef838232dd
Opcode Fuzzy Hash: f9a5f847c0a831fcffc5b112e7359bb239a83faf7b63a308c16b99dc0b69426a
Instruction Fuzzy Hash: 78919261B0D65785FB309BA6D9606FD13AAFF41788F449131EE1D6BA89EE38E405C300

Function 00007FF611308480 Relevance: 6.3, APIs: 5, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6113084F1
strlen.MSVCRT ref: 00007FF611308513
strlen.MSVCRT ref: 00007FF611308529
strcpy.MSVCRT(?,?,00000000,00000000,?,00007FF611301CDA,00000000,?,?,00000000,00007FF611301E65), ref: 00007FF61130853A
strtok.MSVCRT(?,?,00000000,00000000,?,00007FF611301CDA,00000000,?,?,00000000,00007FF611301E65), ref: 00007FF611308544

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: strlen$strcpystrtok
String ID:
API String ID: 3698421117-0
Opcode ID: c07b8759f16da2138d4d66d79236ce0cafdfe8c8ac8761bac40afba6f90c1058
Instruction ID: 3c0976ed524fc1e886d7767cd73579945dea498afd8a60da550a383558e21deb
Opcode Fuzzy Hash: c07b8759f16da2138d4d66d79236ce0cafdfe8c8ac8761bac40afba6f90c1058
Instruction Fuzzy Hash: 3C219011B49E4285FB22A651A8053FA52995F45FF0F880531ED0DC77CEEE3CE556C344

Function 655E1C50 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

Strings

src/pk/asn1/der/sequence/der_decode_sequence_multi.c, xrefs: 655E1DA2
in != NULL, xrefs: 655E1DA9

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID:
String ID: in != NULL$src/pk/asn1/der/sequence/der_decode_sequence_multi.c
API String ID: 0-85593093
Opcode ID: a3131317ed16eb42bf37b0103d1b8f19e9f7bff5b66bc058039bdfa7e818c662
Instruction ID: ddf4a2eb1fb07a6202932a1fe36df6e615bc2d5fcd85dc317141c884643019ac
Opcode Fuzzy Hash: a3131317ed16eb42bf37b0103d1b8f19e9f7bff5b66bc058039bdfa7e818c662
Instruction Fuzzy Hash: 21310732705A808AEB14CF19E918F9D7266F785BD8F848028EE4D87B44DB39C551CB40

Function 00007FF6113051B0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF6113051D1

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

Strings

_MEIPASS2, xrefs: 00007FF6113051B0

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: ByteCharMultiWidecalloc
String ID: _MEIPASS2
API String ID: 2568606709-3944641314
Opcode ID: 153298e754a5da29828527c7272e57dc28a8d1b5d2e4a766274f553e5afb193d
Instruction ID: c2d88bec3e508551eee575b6aba525e77e25bd04edd0237e6571beeaa7f890a8
Opcode Fuzzy Hash: 153298e754a5da29828527c7272e57dc28a8d1b5d2e4a766274f553e5afb193d
Instruction Fuzzy Hash: BD219861B09E0986FB149B699D802B973A9BF45BB1F544335DE2DC23D8EE28E0108600

Function 00007FF611302CC0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF611302D31
free.MSVCRT ref: 00007FF611302D39
free.MSVCRT ref: 00007FF611302D41

Part of subcall function 00007FF611309090: MultiByteToWideChar.KERNEL32(00007FF611302E07,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,?,00007FF611302FD0), ref: 00007FF6113090C6

Strings

Failed to obtain/convert traceback!, xrefs: 00007FF611302CFB

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: free$ByteCharMultiWide
String ID: Failed to obtain/convert traceback!
API String ID: 3219091393-982972847
Opcode ID: 9418ccf11d311c357f2c0b44d681edf2e8f7f8742d0759f808d0dfda2e738276
Instruction ID: 36f04ec6f88cd3a2bc258049d2dc4832329a60f1c62f89f35d7fe934959795e2
Opcode Fuzzy Hash: 9418ccf11d311c357f2c0b44d681edf2e8f7f8742d0759f808d0dfda2e738276
Instruction Fuzzy Hash: 6E014F01B5A96905FE5965B629266BA51990F09FE0E489434ED0ECBB8AED1CE4024300

Function 655C9D40 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 655C8810: PyFloat_Unpack8.PYTHON311 ref: 655C8841

PyErr_Occurred.PYTHON311 ref: 655C9D60
PyFloat_FromDouble.PYTHON311 ref: 655CA054

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Float_$DoubleErr_FromOccurredUnpack8
String ID:
API String ID: 4123378784-0
Opcode ID: df84d80ce26176bde0440ccc8e8eb441c179f26da343db27623bb656fa75ebc2
Instruction ID: 5e567385b00126dabfe243aef5d54219e0316156d1a71f47d7b341d0bcf48653
Opcode Fuzzy Hash: df84d80ce26176bde0440ccc8e8eb441c179f26da343db27623bb656fa75ebc2
Instruction Fuzzy Hash: 24017C75249600C6D605DFA1C86CB1A77B6FB857C9F02D98CDD0617610DB34F481D382

Function 655C9EF4 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 655C8C70: memcpy.MSVCRT ref: 655C8CC9
Part of subcall function 655C8C70: PyOS_string_to_double.PYTHON311 ref: 655C8CDB

PyErr_Occurred.PYTHON311 ref: 655C9F14
PyFloat_FromDouble.PYTHON311 ref: 655CA0B4

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: DoubleErr_Float_FromOccurredS_string_to_doublememcpy
String ID:
API String ID: 1362591179-0
Opcode ID: 5910be8271225f76af7be4214b668b5b79cf73ca39909755ef6c69e926973e7f
Instruction ID: 5293bb7adbc0ec95bafa6a4bb487f4d314149cf87c4171f0260f6776bb889f3e
Opcode Fuzzy Hash: 5910be8271225f76af7be4214b668b5b79cf73ca39909755ef6c69e926973e7f
Instruction Fuzzy Hash: 180178A5249A00C6E604DFA1D86CB1A37BAFB457C9F02DA8CDE061B610DB38F481D383

Function 655C9C43 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 655C9C4D
PyLong_FromLong.PYTHON311 ref: 655CA85C

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_FromLongLong_Occurred
String ID:
API String ID: 4098471257-0
Opcode ID: 4e7236585997c914534fc8fba7d195fb651d18099bb673999376ffb29699eab5
Instruction ID: 4ffd0236aa66019d49fea4d5dc658a777e4cf316309cd4f487c8d2e163fcdf29
Opcode Fuzzy Hash: 4e7236585997c914534fc8fba7d195fb651d18099bb673999376ffb29699eab5
Instruction Fuzzy Hash: D901F665349610C2EA04DFA1C8ACB1A37B6EB85B95F529C9CCE160B204DE38E885D382

Function 00007FFD930B6A1E Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 330COMMON

Download Yara Rule

Strings

b, xrefs: 00007FFD93211806
..\s\crypto\user\eng_ctrl.c, xrefs: 00007FFD93211639, 00007FFD9321170C, 00007FFD9321177D, 00007FFD9321180E, 00007FFD932118F3, 00007FFD93211931, 00007FFD93211952, 00007FFD93211972, 00007FFD93211996, 00007FFD932119B4, 00007FFD932119DC, 00007FFD93211A0C, 00007FFD93211A2E

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID:
String ID: ..\s\crypto\user\eng_ctrl.c$b
API String ID: 0-1836817417
Opcode ID: 6a8c4ebf4a0a0db44f30e3cc5f857322594d81500bd7b086c438121fe743cf03
Instruction ID: abd7502ea6d436145ce39a7b61df28976a63ffd6d4bcf493644dd9f69bc6080d
Opcode Fuzzy Hash: 6a8c4ebf4a0a0db44f30e3cc5f857322594d81500bd7b086c438121fe743cf03
Instruction Fuzzy Hash: C1E1AE22B1C28686FB749BD2E52077A23A9FF80744F548139DA9E27A95CF3DF945C700

Function 00007FFD930B3387 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FFD93179E87
WSAGetLastError.WS2_32 ref: 00007FFD93179E92

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFD93179E46, 00007FFD93179EA8, 00007FFD93179EC4, 00007FFD93179EF7

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: ErrorLastgetsockname
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 566540725-540685895
Opcode ID: a7a9d23270d94e37348a85efb9068d8d5f36d2912cc69f144dbe1a5ed76ec5ab
Instruction ID: b3851f0e521bd1df5e98d5a56f1378c9bbdd849d95eeda4dd38e47c318bc02f6
Opcode Fuzzy Hash: a7a9d23270d94e37348a85efb9068d8d5f36d2912cc69f144dbe1a5ed76ec5ab
Instruction Fuzzy Hash: BB21B072B5850686EB20DFA1D8246EE7365FF90304F840135E6AC13AA1DF7DE6D9EB40

Function 655C80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON311 ref: 655C8100

Strings

%s (%d:%d), xrefs: 655C80F3

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: Err_Format
String ID: %s (%d:%d)
API String ID: 376477240-1595188566
Opcode ID: 0a7436336b2bb26b475b0088d45aa805510d6ee1d1385048329f8fc96a24bc68
Instruction ID: faa075164ffe086e7fae1211f46b20b4feb5b27cc11e75e8bb842daa24447183
Opcode Fuzzy Hash: 0a7436336b2bb26b475b0088d45aa805510d6ee1d1385048329f8fc96a24bc68
Instruction Fuzzy Hash: 2901F537A04A5485EB019B59DC943993391FB85B45FDA8069CD5E17361CB2AC982C383

Function 00007FF61130DBC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4
Unknown error, xrefs: 00007FF61130DC5A

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 20dae29a08e59d28e827f7f7a2a2eda8259e4d1817ef6dbd98be60ed78e0c5d9
Instruction ID: 83cd38c150c21dcc6a206d56e2a343aac2aaa16d0ed3991e54ce75f160be39ec
Opcode Fuzzy Hash: 20dae29a08e59d28e827f7f7a2a2eda8259e4d1817ef6dbd98be60ed78e0c5d9
Instruction Fuzzy Hash: 83216F26A04FC48AD7118F68D8413EA7375FF59BA8F444622EE8C57768EF38D249C300

Function 00007FFD930B251D Relevance: 5.3, APIs: 4, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6eff884418fc92cc5e26df02b3eed974339047e7975db595e20ff13a8e19e6
Instruction ID: 05666c8d67b777f214b1d5951a864520fe82644d38681b82939a8e389995bdca
Opcode Fuzzy Hash: 8c6eff884418fc92cc5e26df02b3eed974339047e7975db595e20ff13a8e19e6
Instruction Fuzzy Hash: 8AC1A576B0868086DB30CF9AB4547AAB7A5FB88BC4F444136EE8D67B59DF3CD1058B40

Function 00007FF611302FE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF611303027

Part of subcall function 00007FF611302DC0: MessageBoxW.USER32 ref: 00007FF611302E28

Strings

Fatal error detected, xrefs: 00007FF61130305B
%s%s: %s, xrefs: 00007FF611303044

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: Message_errno
String ID: %s%s: %s$Fatal error detected
API String ID: 1796756983-2410924014
Opcode ID: 89ab3f84670d69496295afaeef3f91396c60eac41d8d5ed9af97d336e694a63d
Instruction ID: c28294c9a89b346d21826169c9b2e5bff147003e177ddd24247e852ee4af21bc
Opcode Fuzzy Hash: 89ab3f84670d69496295afaeef3f91396c60eac41d8d5ed9af97d336e694a63d
Instruction Fuzzy Hash: 7D01FF6261CA8191E324AB51F4007EA62A8FB98BE0F504135EB8D53B9D9E3CD656CB40

Function 00007FF61130DC40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

Total loss of significance (TLOSS), xrefs: 00007FF61130DC40
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: baefd7cba75bd780381bd2d5fed287ff04b74d7fa079984f5394eb8e5ce75d69
Instruction ID: 614a5cfc97548770ad11d54b2da1bc4c32960a977976bb582593597519d62a9e
Opcode Fuzzy Hash: baefd7cba75bd780381bd2d5fed287ff04b74d7fa079984f5394eb8e5ce75d69
Instruction Fuzzy Hash: 14015E26904F888AD7118F69D8402AA7775FB4DBA8F044722EE8D27728DF28C145C300

Function 00007FF61130DC4D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF61130DC4D

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 81b53d873045e560598026d8c864cfe1e58fa63b90fba301861682825eddf50a
Instruction ID: 991929bb0221d0ccdbae86cc5719e2498dfa6eac88ff986c4a2e6d33164df791
Opcode Fuzzy Hash: 81b53d873045e560598026d8c864cfe1e58fa63b90fba301861682825eddf50a
Instruction Fuzzy Hash: 92015A26A04F888AD7118F69D8402AA7779FB4DBA8F044722EE8D27728DF28C145C300

Function 00007FF61130DC0C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4
Argument domain error (DOMAIN), xrefs: 00007FF61130DC0C

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 06bf403f4c0a9af45a90ca5965f87b6ee5c3a6750db8dc5ebbd969be290419dd
Instruction ID: 1a0d58422669a28d37bbbca04a876133b6798bdb7d21cda2d00c0aea62eeea42
Opcode Fuzzy Hash: 06bf403f4c0a9af45a90ca5965f87b6ee5c3a6750db8dc5ebbd969be290419dd
Instruction Fuzzy Hash: A7015E26904F888AD7118F69D8402AA7775FF4DBA8F044722EE8D27768DF28C145C300

Function 00007FF61130DC19 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

Argument singularity (SIGN), xrefs: 00007FF61130DC19
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: ec9f448085d72bf13c83586b7c52257c26f7af234c67fb9552149ff3dd26a3a7
Instruction ID: ab7acd62de75aa1df805807dd5b92a3e5c17fc3ed1e501a2969a32f59a844363
Opcode Fuzzy Hash: ec9f448085d72bf13c83586b7c52257c26f7af234c67fb9552149ff3dd26a3a7
Instruction Fuzzy Hash: 8F015E26904F888AD7118F69D8402AA7775FB4DBA8F044722EE8D67728DF28C145C300

Function 00007FF61130DC26 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF61130DC26
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: fc72b1ca348bb75ea9640cba4845ceefab8200df23c4986763f386d421d396ac
Instruction ID: cd6684805ad6265800390dd79e64661528e02356433dd864c571321267a38df1
Opcode Fuzzy Hash: fc72b1ca348bb75ea9640cba4845ceefab8200df23c4986763f386d421d396ac
Instruction Fuzzy Hash: 63015E26904F888AD7118F69D8402AA7775FB4DBA8F044722EE8D27728DF28C145C300

Function 00007FF61130DC33 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF61130DCBE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF61130DCB4
Partial loss of significance (PLOSS), xrefs: 00007FF61130DC33

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 1dadd9d91598fd59cd3ee44cef548247d0e8863d0b21ccbc5bbcccc010ffab5c
Instruction ID: d2e26451fd359e7ea30e872cf20c2c22af6540c0d195cb8b107f978fdfae3719
Opcode Fuzzy Hash: 1dadd9d91598fd59cd3ee44cef548247d0e8863d0b21ccbc5bbcccc010ffab5c
Instruction Fuzzy Hash: 0D015A26A04F888AD7118F69D8402AA7779FB4DBA8F044722EE8D27728DF28C145C300

Function 655DD200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 655DD210
abort.MSVCRT(?,?,?,?,?,655D7352), ref: 655DD231

Strings

LTC_ARGCHK '%s' failure on line %d of file %s, xrefs: 655DD216

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: __iob_funcabort
String ID: LTC_ARGCHK '%s' failure on line %d of file %s
API String ID: 1307436159-2823265812
Opcode ID: 99d6edcdf46810ba0b76ea370e310c263b2d6a49728293579bc19f9b3fbd7be9
Instruction ID: d8aa3875196ea46e5536ea2c20576d4c152b27e6b2155433e4c0bcdb51c0eefd
Opcode Fuzzy Hash: 99d6edcdf46810ba0b76ea370e310c263b2d6a49728293579bc19f9b3fbd7be9
Instruction Fuzzy Hash: A1D0A770320E6551DB105F16ED44B9D9B65FB6DFE8F84C121ED4DA7B155B14C216C340

Function 00007FFD930B6BE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFD9317A042
WSAGetLastError.WS2_32 ref: 00007FFD9317A04E

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFD9317A064

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: ErrorLastioctlsocket
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 1021210092-540685895
Opcode ID: 4b3498a1bc9275628b4fed3f0116b26741c55f820a8da06fdf06bba4b20f0e59
Instruction ID: f181d1aa3c402313d9159dcf342ea9b9d3d879356c41469e70d1b2029f04cbd8
Opcode Fuzzy Hash: 4b3498a1bc9275628b4fed3f0116b26741c55f820a8da06fdf06bba4b20f0e59
Instruction Fuzzy Hash: 89E09251B5950386F7316BE19824BB62218AF14304F400538E91DA27A1DF3DA2459A00

Function 00007FFD930B53E4 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFD931A9810
memmove.VCRUNTIME140 ref: 00007FFD931A9820
memmove.VCRUNTIME140 ref: 00007FFD931A9830
memmove.VCRUNTIME140 ref: 00007FFD931A9840

Memory Dump Source

Source File: 00000003.00000002.2268221059.00007FFD930B1000.00000020.00000001.01000000.00000014.sdmp, Offset: 00007FFD930B0000, based on PE: true

Associated: 00000003.00000002.2268198166.00007FFD930B0000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD930BD000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93115000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93129000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD93139000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD9314D000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268221059.00007FFD932FC000.00000020.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD932FE000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93329000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD9335A000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD93380000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268543744.00007FFD933A6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268693373.00007FFD933CE000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268714611.00007FFD933D4000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933D6000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F2000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000003.00000002.2268733206.00007FFD933F6000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd930b0000_winws1.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: f8fc3825456b718fa61beb737ea69a31c942ec99b197afecc34420bc9983a393
Instruction ID: 9aee8370f5793d6e2c91000dff7d6912d521d9d9de5eda3f7e99132405de3b50
Opcode Fuzzy Hash: f8fc3825456b718fa61beb737ea69a31c942ec99b197afecc34420bc9983a393
Instruction Fuzzy Hash: C111D032B04A8182DB70EB5AE1501A96364EB44BD0F448132EF5DA7B96EF28E5D1C300

Function 65640510 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 65640537
free.MSVCRT ref: 65640588
LeaveCriticalSection.KERNEL32 ref: 65640594

Memory Dump Source

Source File: 00000003.00000002.2263976468.00000000655C1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 655C0000, based on PE: true

Associated: 00000003.00000002.2263954108.00000000655C0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264025215.0000000065642000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264042915.0000000065646000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264060848.0000000065647000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264089420.000000006565F000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264107813.0000000065662000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264126823.0000000065664000.00000008.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000003.00000002.2264145538.0000000065668000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_655c0000_winws1.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: ec840dfc4ae41f17e291a0d69645ba4a6c5c997fc4c67aef1303447780a82588
Instruction ID: f332e7965b8410ecb7b3583439a2ad29ed66d8c6ce61743f54508716d0bc107d
Opcode Fuzzy Hash: ec840dfc4ae41f17e291a0d69645ba4a6c5c997fc4c67aef1303447780a82588
Instruction Fuzzy Hash: 63017C61326B50C6EB4CCB59EE9036523A2F7A8B65FD0E425DD198B320FB39C4A1C311

Function 00007FF611304960 Relevance: 5.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF61130498C
free.MSVCRT ref: 00007FF61130499A
free.MSVCRT ref: 00007FF6113049BC
free.MSVCRT ref: 00007FF6113049CA

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9c4186f722e86582c3b1398c543642522ac53436e10a90fe38125ad0e5a34d3b
Instruction ID: 135b8bc12ab8c9e5dc827b3fb08364c05a0372c10145f2bdbcdaa445df2b548c
Opcode Fuzzy Hash: 9c4186f722e86582c3b1398c543642522ac53436e10a90fe38125ad0e5a34d3b
Instruction Fuzzy Hash: D6017127E4991982EB509B6AB4412BD32B9FF88F64F155231DE0DC734ADD28D882C780

Function 00007FF611307060 Relevance: 5.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF61130707D
free.MSVCRT ref: 00007FF61130708E
free.MSVCRT ref: 00007FF61130709F
free.MSVCRT ref: 00007FF6113070A7

Memory Dump Source

Source File: 00000003.00000002.2267917600.00007FF611301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF611300000, based on PE: true

Associated: 00000003.00000002.2267898435.00007FF611300000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2267973392.00007FF61131A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268008338.00007FF61131B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268070057.00007FF611325000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611327000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268093201.00007FF611329000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268142435.00007FF61132A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2268164253.00007FF61132D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ff611300000_winws1.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 17bb4e15e412b02df2bc7990f2a8c6dca0a60341a4ea025c79cb532fcc6a30aa
Instruction ID: 840a8d54c22161b11d819af650f246fbc9d32983dc32b8c8661f910423b2f066
Opcode Fuzzy Hash: 17bb4e15e412b02df2bc7990f2a8c6dca0a60341a4ea025c79cb532fcc6a30aa
Instruction Fuzzy Hash: 0FF0EC19F4BD0A41FF1AE6A1B4103FD62685F44F60F044130CF8DDB6499E2CA4438300

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report winws1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\mfc140u.dll

C:\Users\user\AppData\Local\Temp\_MEI57762\Pythonwin\win32ui.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI57762\VCRUNTIME140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI57762\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\_ctypes.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\_decimal.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\_queue.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\_ssl.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\_uuid.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\base_library.zip

C:\Users\user\AppData\Local\Temp\_MEI57762\certifi\cacert.pem

C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md.cp311-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI57762\libcrypto-1_1.dll

C:\Users\user\AppData\Local\Temp\_MEI57762\libffi-8.dll

C:\Users\user\AppData\Local\Temp\_MEI57762\libssl-1_1.dll

Windows Analysis Report
winws1.exe

C:\Users\user\AppData\Local\Temp\tmpqxtmfx2p\gen_py\init.py

Function 00007FF611307F60 Relevance: 49.2, APIs: 20, Strings: 8, Instructions: 188
COMMON

Function 00007FF611301154 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123
COMMON

Function 00007FF61130AAA0 Relevance: 6.9, Strings: 5, Instructions: 602
COMMON

Function 00007FF611301D40 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 139
COMMON

Function 00007FF611309210 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 96
COMMON

Function 00007FF61130F3B0 Relevance: 25.8, APIs: 17, Instructions: 341
COMMON

Function 00007FF611301710 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 231
fileCOMMON

Function 00007FF611308820 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 99
processsynchronizationCOMMON

Function 00007FF6113016D0 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 342
stringCOMMON

Function 00007FF611301F90 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 132
COMMON