
Windows Analysis Report
l4.exe

Overview

General Information

Sample name: l4.exe
Analysis ID: 1577336
MD5: d68f79c459ee4ae03b76fa5ba151a41f
SHA1: bfa641085d59d58993ba98ac9ee376f898ee5f7b
SHA256: aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6
Tags: 18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • l4.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\l4.exe" MD5: D68F79C459EE4AE03B76FA5BA151A41F)
    • conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • l4.exe (PID: 6380 cmdline: C:\Users\user\Desktop\l4.exe MD5: 63C4E3F9C7383D039AB4AF449372C17F)
  • l4.exe (PID: 516 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe" MD5: D68F79C459EE4AE03B76FA5BA151A41F)
    • conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • l4.exe (PID: 1200 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe" MD5: 63C4E3F9C7383D039AB4AF449372C17F)
  • cleanup
No configs have been found
No yara matches
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe, ProcessId: 6380, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
No Suricata rule has matched


AV Detection

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l4.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | ReversingLabs: Detection: 63%
Source: l4.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l4.exe | Joe Sandbox ML: detected
Source: l4.exe | Joe Sandbox ML: detected
Source: l4.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: l4.exe, 00000000.00000003.1286029353.00000158457C8000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000002.3705165473.00007FF7F8E2B000.00000004.00000001.01000000.00000003.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000002.1471185441.00007FF65B17B000.00000004.00000001.01000000.0000000C.sdmp, l4.exe, 0000000A.00000003.1403235878.0000023B5C1A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3709183900.00007FFB1E843000.00000002.00000001.01000000.00000009.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1466730977.00007FFB22653000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: l4.exe, 00000000.00000003.1276528706.0000015847FEF000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3707644441.00007FFB0C312000.00000002.00000001.01000000.00000006.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EAC5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: l4.exe, 00000000.00000003.1276528706.0000015847B4A000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E620000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3708639100.00007FFB1B70C000.00000002.00000001.01000000.0000000B.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3708639100.00007FFB1B70C000.00000002.00000001.01000000.0000000B.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: l4.exe, 00000000.00000003.1276528706.0000015847AB2000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: l4.exe, 00000000.00000003.1286029353.00000158457C8000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3709066529.00007FFB1C263000.00000002.00000001.01000000.00000007.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1403235878.0000023B5C1A9000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1466623707.00007FFB1E683000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: l4.exe, 00000000.00000003.1286029353.00000158457C8000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3709066529.00007FFB1C263000.00000002.00000001.01000000.00000007.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1403235878.0000023B5C1A9000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1466623707.00007FFB1E683000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: l4.exe, 00000000.00000003.1276528706.0000015847B4A000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E620000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3708896237.00007FFB1BB19000.00000002.00000001.01000000.00000008.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: l4.exe, 00000000.00000003.1286029353.00000158457C8000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000002.3705165473.00007FF7F8E2B000.00000004.00000001.01000000.00000003.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000002.1471185441.00007FF65B17B000.00000004.00000001.01000000.0000000C.sdmp, l4.exe, 0000000A.00000003.1403235878.0000023B5C1A9000.00000004.00000020.00020000.00000000.sdmp
Source: global traffic | TCP traffic: 192.168.2.7:49699 -> 194.59.30.220:1336
Source: unknown | TCP traffic detected without corresponding DNS query: 194.59.30.220
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: http://speleotrove.com/decimal/decarith.html
Source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285480048.00007FF65ED61000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: l4.exe, 00000000.00000003.1276528706.0000015847BFB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6D1000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285480048.00007FF65ED61000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285480048.00007FF65ED61000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 00000008.00000002.3705135663.000001F3349DC000.00000004.00001000.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp, l4.exe, 0000000C.00000002.1458235330.00000272C94BC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285480048.00007FF65ED61000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://json.org
Source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285428532.00007FF65ED3C000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 00000008.00000002.3707034027.00007FF65ED3C000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1464603823.00007FF65BBDC000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://nuitka.net/info/segfault.html
Source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285428532.00007FF65ED3C000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 00000008.00000002.3707034027.00007FF65ED3C000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1464603823.00007FF65BBDC000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://nuitka.net/info/segfault.htmlfor
Source: l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: l4.exe, l4.exe, 0000000C.00000002.1463348109.00000272C97E0000.00000004.00001000.00020000.00000000.sdmp, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
Source: l4.exe, 00000000.00000003.1276528706.0000015847FEF000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3707644441.00007FFB0C312000.00000002.00000001.01000000.00000006.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EAC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
Source: l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.ibm.com/
Source: l4.exe, 00000000.00000003.1276528706.0000015847BEB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openssl.org/H
Source: l4.exe, 00000000.00000003.1276528706.0000015847FEF000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3708187690.00007FFB0C488000.00000008.00000001.01000000.00000006.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EAC5000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1465814524.00007FFB0B329000.00000008.00000001.01000000.0000000E.sdmpString found in binary or memory: https://www.python.org/psf/license/
Source: l4.exe, 00000000.00000003.1276528706.0000015847FEF000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3707644441.00007FFB0C312000.00000002.00000001.01000000.00000006.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EAC5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/psf/license/)
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1BA43B20
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1BA46080
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1BA43DC0
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1BA42DC0
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1BA41000
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1BA477F8
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAC23B0
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAC73F8
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAC8F40
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAC2F80
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAC12B0
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAC5F00
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAC4650
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BACFA88
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAC55D0
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAC1A00
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAC1920
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1E3B77F8
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1E3B1000
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1E3B2DC0
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1E3B3DC0
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1E3B6080
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1E3B3B20
Source: Joe Sandbox View | Dropped File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l4.exe AA50C900E210ABB6BE7D2420D9D5AE34C66818E0491AABD141421D175211FED6
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_bz2.pyd CB15D6CC7268D3A0BD17D9D9CEC330A7C1768B1C911553045C73BC6920DE987F
Source: unicodedata.pyd.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.10.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepython312.dll. vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs l4.exe
Source: l4.exe, 00000000.00000003.1286029353.00000158457C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs l4.exe
Source: l4.exe, 00000000.00000003.1286029353.00000158457C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_decimal.pyd. vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs l4.exe
Source: l4.exe, 00000000.00000002.3705165473.00007FF7F8E2B000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_wmi.pyd. vs l4.exe
Source: l4.exe, 00000000.00000003.1276528706.0000015847BEB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs l4.exe
Source: l4.exe | Binary or memory string: OriginalFilename vs l4.exe
Source: l4.exe, 00000008.00000002.3708970669.00007FFB1BB23000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs l4.exe
Source: l4.exe, 00000008.00000002.3708544719.00007FFB0C5B1000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenamepython312.dll. vs l4.exe
Source: l4.exe, 00000008.00000002.3708726075.00007FFB1B715000.00000002.00000001.01000000.0000000B.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs l4.exe
Source: l4.exe, 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs l4.exe
Source: l4.exe, 00000008.00000002.3709097202.00007FFB1C269000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs l4.exe
Source: l4.exe, 00000008.00000002.3709265478.00007FFB1E846000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_decimal.pyd. vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5E6C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs l4.exe
Source: l4.exe, 0000000A.00000002.1471185441.00007FF65B17B000.00000004.00000001.01000000.0000000C.sdmp | Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepython312.dll. vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs l4.exe
Source: l4.exe, 0000000A.00000003.1403235878.0000023B5C1A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs l4.exe
Source: l4.exe, 0000000A.00000003.1403235878.0000023B5C1A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs l4.exe
Source: l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_wmi.pyd. vs l4.exe
Source: l4.exe, 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs l4.exe
Source: l4.exe, 0000000C.00000002.1466150026.00007FFB0B451000.00000002.00000001.01000000.0000000E.sdmp | Binary or memory string: OriginalFilenamepython312.dll. vs l4.exe
Source: l4.exe, 0000000C.00000002.1466664542.00007FFB1E689000.00000002.00000001.01000000.0000000F.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs l4.exe
Source: l4.exe, 0000000C.00000002.1466778351.00007FFB22656000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs l4.exe
Source: classification engine | Classification label: mal72.adwa.winEXE@8/28@0/1
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_03
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user~1\AppData\Local\Temp\onefile_6360_133789935056132008
Source: l4.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\l4.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: l4.exe | Binary or memory string: Insert thousands separators into a digit string. spec is a dictionary whose keys should include 'thousands_sep' and 'grouping'; typically it's the result of parsing the format specifier using _parse_format_specifier. The min_width keyword arg
Source: l4.exe | ReversingLabs: Detection: 63%
Source: l4.exe | String found in binary or memory: zcUsage: %s [-n | -t | -h] url -n: open new window -t: open new tab -h, --help: show helpr"
Source: l4.exe | String found in binary or memory: msg-id-startr
Source: l4.exe | String found in binary or memory: no-fold-literal-startr
Source: l4.exe | String found in binary or memory: Fused multiply-add. Returns self*other+third with no rounding of the intermediate product self*other. self and other are multiplied together, with no rounding of the result. The third operand is then added to the result,
Source: l4.exe | String found in binary or memory: The name of the reverse DNS pointer for the IP address, e.g.: >>> ipaddress.ip_address("127.0.0.1").reverse_pointer '1.0.0.127.in-addr.arpa' >>> ipaddress.ip_address("2001:db8::1").reverse_pointer '1.0.0.0.0.0.0.
Source: l4.exe | String found in binary or memory: angle-addr-startr
Source: l4.exe | String found in binary or memory: ``True`` if the address is defined as globally reachable by iana-ipv4-special-registry_ (for IPv4) or iana-ipv6-special-registry_ (for IPv6) with the following exception: For IPv4-mapped IPv6-addresses the ``is_private`` value is deter
Source: l4.exe | String found in binary or memory: for more digits precision -u/--unit: set the output time unit (nsec, usec, msec, or sec) -h/--help: print this usage message and exit --: separate options from statement, use when statement starts with - statement: statement to be timed (default 'pass
Source: l4.exe | String found in binary or memory: Usage: mimetypes.py [options] type Options: --help / -h -- print this message and exit --lenient / -l -- additionally search of some common, but non-standard types. --extension / -e -- guess extension instead of
Source: l4.exe | String found in binary or memory: * For IPv4-mapped IPv6-addresses the ``is_private`` value is determined by the semantics of the underlying IPv4 addresses and the following condition holds (see :attr:`IPv6Address.ipv4_mapped`):: address.is_private == a
Source: l4.exe | String found in binary or memory: .rte. AIX ABI compatibility is described as guaranteed at: https://www.ibm.com/ support/knowledgecenter/en/ssw_aix_72/install/binary_compatability.html For pep425 purposes the AIX platform tag becomes: "aix-{:1x}{:1d}{:02d}-{:04d}-{}".format(v
Source: l4.exe | String found in binary or memory: address_list = (address *("," address)) / obs-addr-list obs-addr-list = *([CFWS] ",") address *("," [address / CFWS]) We depart from the formal grammar here by continuing to parse until the end of the input, assuming the input to be entirely
Source: l4.exe | String found in binary or memory: --helpr
Source: l4.exe | String found in binary or memory: helpz#use -h/--help for command line helprJ
Source: l4.exe | String found in binary or memory: - conflict_handler -- String indicating how to handle conflicts - add_help -- Add a -h/-help option - allow_abbrev -- Allow long options to be abbreviated unambiguously - exit_on_error -- Determines whether or not ArgumentParser exi
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | File read: C:\Users\user\Desktop\l4.exe
Source: unknown | Process created: C:\Users\user\Desktop\l4.exe "C:\Users\user\Desktop\l4.exe"
Source: C:\Users\user\Desktop\l4.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\l4.exe | Process created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe C:\Users\user\Desktop\l4.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Process created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe"
Source: C:\Users\user\Desktop\l4.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\l4.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\l4.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\l4.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exeSection loaded: python312.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Section loaded: python312.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: l4.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: l4.exe | Static file information: File size 6174208 > 1048576
Source: l4.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x5b3000
Source: l4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: l4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: l4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: l4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: l4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: l4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: l4.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: l4.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: l4.exe, 00000000.00000003.1286029353.00000158457C8000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000002.3705165473.00007FF7F8E2B000.00000004.00000001.01000000.00000003.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000002.1471185441.00007FF65B17B000.00000004.00000001.01000000.0000000C.sdmp, l4.exe, 0000000A.00000003.1403235878.0000023B5C1A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: l4.exe, 00000000.00000003.1276528706.0000015848280000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3709183900.00007FFB1E843000.00000002.00000001.01000000.00000009.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5ED56000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1466730977.00007FFB22653000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python312.pdb source: l4.exe, 00000000.00000003.1276528706.0000015847FEF000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3707644441.00007FFB0C312000.00000002.00000001.01000000.00000006.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EAC5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libcrypto-3.pdb| source: l4.exe, 00000000.00000003.1276528706.0000015847B4A000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E620000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3708639100.00007FFB1B70C000.00000002.00000001.01000000.0000000B.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3708639100.00007FFB1B70C000.00000002.00000001.01000000.0000000B.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: l4.exe, 00000000.00000003.1276528706.0000015847AB2000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: l4.exe, 00000000.00000003.1286029353.00000158457C8000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3709066529.00007FFB1C263000.00000002.00000001.01000000.00000007.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1403235878.0000023B5C1A9000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1466623707.00007FFB1E683000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: l4.exe, 00000000.00000003.1286029353.00000158457C8000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3709066529.00007FFB1C263000.00000002.00000001.01000000.00000007.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1403235878.0000023B5C1A9000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1466623707.00007FFB1E683000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\1\b\libcrypto-3.pdb source: l4.exe, 00000000.00000003.1276528706.0000015847B4A000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E620000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3708896237.00007FFB1BB19000.00000002.00000001.01000000.00000008.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: l4.exe, 00000000.00000003.1276528706.00000158476D7000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E1AD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: l4.exe, 00000000.00000003.1286029353.00000158457C8000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000003.1276528706.00000158483B0000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000000.00000002.3705165473.00007FF7F8E2B000.00000004.00000001.01000000.00000003.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EE86000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000002.1471185441.00007FF65B17B000.00000004.00000001.01000000.0000000C.sdmp, l4.exe, 0000000A.00000003.1403235878.0000023B5C1A9000.00000004.00000020.00020000.00000000.sdmp
Source: l4.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: l4.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: l4.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: l4.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: l4.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: vcruntime140_1.dll.0.dr | Static PE information: 0xFB76EAA0 [Mon Sep 10 13:35:28 2103 UTC]
Source: l4.exe | Static PE information: section name: _RDATA
Source: vcruntime140.dll.0.dr | Static PE information: section name: fothk
Source: vcruntime140.dll.0.dr | Static PE information: section name: _RDATA
Source: l4.exe.0.dr | Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr | Static PE information: section name: .00cfg
Source: python312.dll.0.dr | Static PE information: section name: PyRuntim
Source: l4.exe.8.dr | Static PE information: section name: _RDATA
Source: l4.exe0.8.dr | Static PE information: section name: _RDATA
Source: libcrypto-3.dll.10.dr | Static PE information: section name: .00cfg
Source: python312.dll.10.dr | Static PE information: section name: PyRuntim
Source: vcruntime140.dll.10.dr | Static PE information: section name: fothk
Source: vcruntime140.dll.10.dr | Static PE information: section name: _RDATA
Source: l4.exe.10.dr | Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1BA49B0C push 82000085h; retn 0000h | 8_2_00007FFB1BA49B11
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1E3B9B0C push 82000085h; retn 0000h | 12_2_00007FFB1E3B9B11
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\libcrypto-3.dll (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\libcrypto-3.dll (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\python312.dll (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_decimal.pyd (dropped file)
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_decimal.pyd (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\python312.dll (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\vcruntime140.dll (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\select.pyd (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\vcruntime140_1.dll (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_lzma.pyd (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\unicodedata.pyd (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_bz2.pyd (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_hashlib.pyd (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\select.pyd (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_hashlib.pyd (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\unicodedata.pyd (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_socket.pyd (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_socket.pyd (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_bz2.pyd (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\vcruntime140.dll (dropped file)
Source: C:\Users\user\Desktop\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_wmi.pyd (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\vcruntime140_1.dll (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_lzma.pyd (dropped file)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_wmi.pyd (dropped file)
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l4.exe (dropped file)

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l4.exe (dropped file)
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
Source: C:\Users\user\Desktop\l4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Window / User API: threadDelayed 2077
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Window / User API: threadDelayed 7906
Source: C:\Users\user\Desktop\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\libcrypto-3.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_bz2.pyd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_hashlib.pyd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\libcrypto-3.dll
Source: C:\Users\user\Desktop\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_decimal.pyd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\select.pyd
Source: C:\Users\user\Desktop\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_hashlib.pyd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_decimal.pyd
Source: C:\Users\user\Desktop\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\select.pyd
Source: C:\Users\user\Desktop\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\unicodedata.pyd
Source: C:\Users\user\Desktop\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_socket.pyd
Source: C:\Users\user\Desktop\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_socket.pyd
Source: C:\Users\user\Desktop\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_bz2.pyd
Source: C:\Users\user\Desktop\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_lzma.pyd
Source: C:\Users\user\Desktop\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_wmi.pyd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_wmi.pyd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_lzma.pyd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe TID: 2704 | Thread sleep count: 2077 > 30
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe TID: 2704 | Thread sleep time: -2077000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe TID: 2704 | Thread sleep count: 7906 > 30
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe TID: 2704 | Thread sleep time: -7906000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | File Volume queried: C:\ FullSizeInformation
Source: l4.exe, 0000000A.00000003.1467032220.0000023B5C1EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\t
Source: l4.exe, 0000000A.00000003.1467032220.0000023B5C1EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b})
Source: l4.exe, 0000000C.00000002.1462692296.00000272C958E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000003.1454612145.00000272C958E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000003.1453025601.00000272C958E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW\S
Source: l4.exe, 00000008.00000002.3705666141.000001F334ACB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: l4.exe, 0000000C.00000003.1451038984.00000272C9555000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000003.1453025601.00000272C956B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1BA4AA7C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 8_2_00007FFB1BA4AA7C
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1BA4A050 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 8_2_00007FFB1BA4A050
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1E841AA0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 8_2_00007FFB1E841AA0
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Code function: 8_2_00007FFB1E8414E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 8_2_00007FFB1E8414E0
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAD3E60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 12_2_00007FFB1BAD3E60
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1BAD38A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 12_2_00007FFB1BAD38A0
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1E3BAA7C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 12_2_00007FFB1E3BAA7C
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Code function: 12_2_00007FFB1E3BA050 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 12_2_00007FFB1E3BA050
Source: C:\Users\user\Desktop\l4.exe | Process created: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe C:\Users\user\Desktop\l4.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | Process created: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe"
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Queries volume information: C:\Users\user\Desktop\l4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099 VolumeInformation
Source: C:\Users\user\Desktop\l4.exe | Code function: 0_2_00007FF7F8DEC0F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_00007FF7F8DEC0F0
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 System Time Discovery; 111 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
l4.exe | 63% | ReversingLabs | Win64.Trojan.Amadey
l4.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l4.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l4.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l4.exe | 63% | ReversingLabs | Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_bz2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_decimal.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_lzma.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_wmi.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\libcrypto-3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\python312.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\select.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\unicodedata.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\vcruntime140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\vcruntime140_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_bz2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_decimal.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_lzma.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\_wmi.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\libcrypto-3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\python312.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\select.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\unicodedata.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\vcruntime140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\vcruntime140_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe | 63% | ReversingLabs | Win64.Trojan.Amadey
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Reputation
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://nuitka.net/info/segfault.html | l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285428532.00007FF65ED3C000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 00000008.00000002.3707034027.00007FF65ED3C000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1464603823.00007FF65BBDC000.00000002.00000001.01000000.0000000D.sdmp | false | high
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/ | l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://github.com/python/importlib_metadata/wiki/Development-Methodology | l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://www.ibm.com/ | l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://github.com/python/cpython/issues/86361. | l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://www.openssl.org/H | l4.exe, 00000000.00000003.1276528706.0000015847BEB000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5E6C1000.00000004.00000020.00020000.00000000.sdmp | false | high
https://json.org | l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
http://www.iana.org/time-zones/repository/tz-link.html | l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285480048.00007FF65ED61000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://packaging.python.org/specifications/entry-points/ | l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html | l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285480048.00007FF65ED61000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://peps.python.org/pep-0205/ | l4.exe, l4.exe, 0000000C.00000002.1463348109.00000272C97E0000.00000004.00001000.00020000.00000000.sdmp, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
http://speleotrove.com/decimal/decarith.html | l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://docs.python.org/3/howto/mro.html. | l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285480048.00007FF65ED61000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 00000008.00000002.3705135663.000001F3349DC000.00000004.00001000.00020000.00000000.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp, l4.exe, 0000000C.00000002.1458235330.00000272C94BC000.00000004.00001000.00020000.00000000.sdmp | false | high
https://www.python.org/psf/license/) | l4.exe, 00000000.00000003.1276528706.0000015847FEF000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3707644441.00007FFB0C312000.00000002.00000001.01000000.00000006.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EAC5000.00000004.00000020.00020000.00000000.sdmp | false | high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm | l4.exe, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy | l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285480048.00007FF65ED61000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000000.1402508822.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://nuitka.net/info/segfault.htmlfor | l4.exe, 00000000.00000003.1276528706.0000015847078000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000000.1285428532.00007FF65ED3C000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 00000008.00000002.3707034027.00007FF65ED3C000.00000002.00000001.01000000.00000005.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5DB4E000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1464603823.00007FF65BBDC000.00000002.00000001.01000000.0000000D.sdmp | false | high
https://peps.python.org/pep-0263/ | l4.exe, 00000000.00000003.1276528706.0000015847FEF000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3707644441.00007FFB0C312000.00000002.00000001.01000000.00000006.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EAC5000.00000004.00000020.00020000.00000000.sdmp | false | high
https://www.python.org/psf/license/ | l4.exe, 00000000.00000003.1276528706.0000015847FEF000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 00000008.00000002.3708187690.00007FFB0C488000.00000008.00000001.01000000.00000006.sdmp, l4.exe, 0000000A.00000003.1396402930.0000023B5EAC5000.00000004.00000020.00020000.00000000.sdmp, l4.exe, 0000000C.00000002.1465814524.00007FFB0B329000.00000008.00000001.01000000.0000000E.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
194.59.30.220 | unknown | Germany | 30823 | COMBAHTONcombahtonGmbHDE | false
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1577336
                                          Start date and time:2024-12-18 12:04:09 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 10m 37s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:18
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:l4.exe
                                          Detection:MAL
                                          Classification:mal72.adwa.winEXE@8/28@0/1
                                          EGA Information:Failed
                                          HCA Information:Failed
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
                                          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target l4.exe, PID 1200 because there are no executed functions
• Execution Graph export aborted for target l4.exe, PID 516 because there are no executed functions
• Execution Graph export aborted for target l4.exe, PID 6360 because there are no executed functions
• Execution Graph export aborted for target l4.exe, PID 6380 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: l4.exe
Time | Type | Description
07:47:22 | API Interceptor | 6905289x Sleep call for process: l4.exe modified
12:05:09 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 194.59.30.220
• client.exe | malicious | Unknown | Context: 194.59.30.220:5000/download
• client.exe | malicious | Unknown | Context: 194.59.30.220:5000/download
                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: COMBAHTONcombahtonGmbHDE
• client.exe | malicious | Unknown | Context: 194.59.30.220
• client.exe | malicious | Unknown | Context: 194.59.30.220
• Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | Context: 194.59.30.164
• Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | Context: 194.59.30.164
• Shipping Bill6239999 dated 13122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | Context: 194.59.30.164
• Support.ClientSetup.exe | malicious | ScreenConnect Tool | Context: 194.59.31.27
• Counseling_Services_Overview.docm | malicious | Unknown | Context: 45.147.231.195
• Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe | malicious | Quasar | Context: 194.59.31.75
• https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | malicious | ScreenConnect Tool | Context: 194.59.31.199
• https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html | malicious | ScreenConnect Tool | Context: 194.59.31.199
                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name
Match: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\_bz2.pyd
• client.exe | malicious | Unknown
• client.exe | malicious | Unknown
• fWAr4zGUkY.exe | malicious | Remcos, Amadey, Stealc
• fbc5UlsRXq.exe | malicious | Unknown
• 5SkF9LFhB3.exe | malicious | Unknown
• WUD0WG3OdV.exe | malicious | Unknown
• 98Y05R2rTb.exe | malicious | Unknown
• aLsxeH29P2.exe | malicious | Unknown
• c9a6BV0eQO.exe | malicious | Unknown
• eEiHdLSfum.exe | malicious | Unknown
Match: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\l4.exe
• fWAr4zGUkY.exe | malicious | Remcos, Amadey, Stealc
                                                                Process:C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):6174208
                                                                Entropy (8bit):7.990978110457585
                                                                Encrypted:true
                                                                SSDEEP:98304:copJ0ndCADji3dh8iemrdbYOssb5+7wFADy/+sXBuVoDtnOPyz70fhhQAHHDRWfU:cc0cWjigIbCs+ZivuVoDFOKn0fPyqEvo
                                                                MD5:D68F79C459EE4AE03B76FA5BA151A41F
                                                                SHA1:BFA641085D59D58993BA98AC9EE376F898EE5F7B
                                                                SHA-256:AA50C900E210ABB6BE7D2420D9D5AE34C66818E0491AABD141421D175211FED6
                                                                SHA-512:BD4EF3E3708DF81D53B2E9050447032E8DCDCC776CF0353077310F208A30DAB8F31D6EC6769D47FB6C05C642BDD7A58FB4F93D9D28E2DE0EFC01312FBC5E391E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 63%
                                                                Joe Sandbox View:
• Filename: fWAr4zGUkY.exe, Detection: malicious
                                                                Reputation:low
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):85272
                                                                Entropy (8bit):6.591841805043941
                                                                Encrypted:false
                                                                SSDEEP:1536:Iyhz79151BVo1vXfzIFnaR4bO1As0n8qsjk+VIMCVl7SyVx7:/hzx15evXkuxAP8qMk+VIMCVlJ
                                                                MD5:30F396F8411274F15AC85B14B7B3CD3D
                                                                SHA1:D3921F39E193D89AA93C2677CBFB47BC1EDE949C
                                                                SHA-256:CB15D6CC7268D3A0BD17D9D9CEC330A7C1768B1C911553045C73BC6920DE987F
                                                                SHA-512:7D997EF18E2CBC5BCA20A4730129F69A6D19ABDDA0261B06AD28AD8A2BDDCDECB12E126DF9969539216F4F51467C0FE954E4776D842E7B373FE93A8246A5CA3F
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
• Filename: client.exe, Detection: malicious
• Filename: client.exe, Detection: malicious
• Filename: fWAr4zGUkY.exe, Detection: malicious
• Filename: fbc5UlsRXq.exe, Detection: malicious
• Filename: 5SkF9LFhB3.exe, Detection: malicious
• Filename: WUD0WG3OdV.exe, Detection: malicious
• Filename: 98Y05R2rTb.exe, Detection: malicious
• Filename: aLsxeH29P2.exe, Detection: malicious
• Filename: c9a6BV0eQO.exe, Detection: malicious
• Filename: eEiHdLSfum.exe, Detection: malicious
                                                                Reputation:moderate, very likely benign file
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):257304
                                                                Entropy (8bit):6.565831509727426
                                                                Encrypted:false
                                                                SSDEEP:6144:/CxJS14bteS9B+ApcG0Qos0KR29py9qWM53pLW1AZHVHMhhhKoDStGwL0zsWD:/aeS9B+HQosbY9FfHVHXfEsWD
                                                                MD5:7AE94F5A66986CBC1A2B3C65A8D617F3
                                                                SHA1:28ABEFB1DF38514B9FFE562F82F8C77129CA3F7D
                                                                SHA-256:DA8BB3D54BBBA20D8FA6C2FD0A4389AEC80AB6BD490B0ABEF5BD65097CBC0DA4
                                                                SHA-512:FBB599270066C43B5D3A4E965FB2203B085686479AF157CD0BB0D29ED73248B6F6371C5158799F6D58B1F1199B82C01ABE418E609EA98C71C37BB40F3226D8C5
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):66328
                                                                Entropy (8bit):6.227186392528159
                                                                Encrypted:false
                                                                SSDEEP:1536:9PgLpgE4Z27jHZWZnEmoANIMOIi7SyAx2:9EtHZeEmoANIMOIit
                                                                MD5:A25BC2B21B555293554D7F611EAA75EA
                                                                SHA1:A0DFD4FCFAE5B94D4471357F60569B0C18B30C17
                                                                SHA-256:43ACECDC00DD5F9A19B48FF251106C63C975C732B9A2A7B91714642F76BE074D
                                                                SHA-512:B39767C2757C65500FC4F4289CB3825333D43CB659E3B95AF4347BD2A277A7F25D18359CEDBDDE9A020C7AB57B736548C739909867CE9DE1DBD3F638F4737DC5
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):160024
                                                                Entropy (8bit):6.85410280956396
                                                                Encrypted:false
                                                                SSDEEP:3072:ssvkxujgo7e2uONOG+hi+CTznfF9mNoDXnmbuVIMZ10L:snu0o7JUCNYOD2Kg
                                                                MD5:9E94FAC072A14CA9ED3F20292169E5B2
                                                                SHA1:1EEAC19715EA32A65641D82A380B9FA624E3CF0D
                                                                SHA-256:A46189C5BD0302029847FED934F481835CB8D06470EA3D6B97ADA7D325218A9F
                                                                SHA-512:B7B3D0F737DD3B88794F75A8A6614C6FB6B1A64398C6330A52A2680CAF7E558038470F6F3FC024CE691F6F51A852C05F7F431AC2687F4525683FF09132A0DECB
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):83736
                                                                Entropy (8bit):6.3186936632343205
                                                                Encrypted:false
                                                                SSDEEP:1536:mOYhekrkJqlerLSyypHf9/s+S+pzMii/n1IsJqKN5IMLwoR7SygCxkWN:vwkJqHyypHf9/sT+pzMiE1IwdN5IMLw0
                                                                MD5:69801D1A0809C52DB984602CA2653541
                                                                SHA1:0F6E77086F049A7C12880829DE051DCBE3D66764
                                                                SHA-256:67ACA001D36F2FCE6D88DBF46863F60C0B291395B6777C22B642198F98184BA3
                                                                SHA-512:5FCE77DD567C046FEB5A13BAF55FDD8112798818D852DFECC752DAC87680CE0B89EDFBFBDAB32404CF471B70453A33F33488D3104CD82F4E0B94290E83EAE7BB
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):37656
                                                                Entropy (8bit):6.340152202881265
                                                                Encrypted:false
                                                                SSDEEP:768:rUmqQhTcYr6NxO0VIMCit5YiSyv4YmAJAMxkEn:Im7GBNxO0VIMCiz7SyQYmQxz
                                                                MD5:827615EEE937880862E2F26548B91E83
                                                                SHA1:186346B816A9DE1BA69E51042FAF36F47D768B6C
                                                                SHA-256:73B7EE3156EF63D6EB7DF9900EF3D200A276DF61A70D08BD96F5906C39A3AC32
                                                                SHA-512:45114CAF2B4A7678E6B1E64D84B118FB3437232B4C0ADD345DDB6FBDA87CEBD7B5ADAD11899BDCD95DDFE83FDC3944A93674CA3D1B5F643A2963FBE709E44FB8
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):6162432
                                                                Entropy (8bit):5.64790582887791
                                                                Encrypted:false
                                                                SSDEEP:98304:OSoY112XQr2fqDVS1K17UpJwIX4OzWObPPumo0:doq1QQSfqDVgX
                                                                MD5:63C4E3F9C7383D039AB4AF449372C17F
                                                                SHA1:F52FF760A098A006C41269FF73ABB633B811F18E
                                                                SHA-256:151524F6C1D1AEAC530CFD69DE15C3336043DC8EB3F5AEAA31513E24BFD7ACDD
                                                                SHA-512:DCFB4804C5569AD13E752270D13320F8769601B7092544741E35BC62A22AF363B7A5EA7C5A65132C9575540A3E689A6946110502BD0F046385B8739E81761FBF
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):5232408
                                                                Entropy (8bit):5.940072183736028
                                                                Encrypted:false
                                                                SSDEEP:98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
                                                                MD5:123AD0908C76CCBA4789C084F7A6B8D0
                                                                SHA1:86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
                                                                SHA-256:4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
                                                                SHA-512:80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:modified
                                                                Size (bytes):6927640
                                                                Entropy (8bit):5.765552513907485
                                                                Encrypted:false
                                                                SSDEEP:49152:mRSn173WIgXqQYRn0I+gaYFD0iRpIrCMEGXgeieBwHTuJTA8LbLH7ft4OCLj8j4V:mIn8hYEgw8Ij887GlSvBHDMiEruuln
                                                                MD5:166CC2F997CBA5FC011820E6B46E8EA7
                                                                SHA1:D6179213AFEA084F02566EA190202C752286CA1F
                                                                SHA-256:C045B57348C21F5F810BAE60654AE39490846B487378E917595F1F95438F9546
                                                                SHA-512:49D9D4DF3D7EF5737E947A56E48505A2212E05FDBCD7B83D689639728639B7FD3BE39506D7CFCB7563576EBEE879FD305370FDB203909ED9B522B894DD87AACB
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):31000
                                                                Entropy (8bit):6.556986708902353
                                                                Encrypted:false
                                                                SSDEEP:384:IyRVBC9t6Lhz64CHf2slDT90Y5IMQGCHQIYiSy1pCQFm/AM+o/8E9VF0Ny/r5n+/:LGyKHfx1H5IMQGY5YiSyv4AMxkEFNnq
                                                                MD5:7C14C7BC02E47D5C8158383CB7E14124
                                                                SHA1:5EE9E5968E7B5CE9E4C53A303DAC9FC8FAF98DF3
                                                                SHA-256:00BD8BB6DEC8C291EC14C8DDFB2209D85F96DB02C7A3C39903803384FF3A65E5
                                                                SHA-512:AF70CBDD882B923013CB47545633B1147CE45C547B8202D7555043CFA77C1DEEE8A51A2BC5F93DB4E3B9CBF7818F625CA8E3B367BFFC534E26D35F475351A77C
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1138456
                                                                Entropy (8bit):5.4620027688967845
                                                                Encrypted:false
                                                                SSDEEP:12288:arEHdcM6hbuCjJ43w9hIpCQvb0QN8MdIEQ+U2BNNmD+99FfcAIU:arEXDCjfk7bPNfv42BN6yzUAIU
                                                                MD5:A8ED52A66731E78B89D3C6C6889C485D
                                                                SHA1:781E5275695ACE4A5C3AD4F2874B5E375B521638
                                                                SHA-256:BF669344D1B1C607D10304BE47D2A2FB572E043109181E2C5C1038485AF0C3D7
                                                                SHA-512:1C131911F120A4287EBF596C52DE047309E3BE6D99BC18555BD309A27E057CC895A018376AA134DF1DC13569F47C97C1A6E8872ACEDFA06930BBF2B175AF9017
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):119192
                                                                Entropy (8bit):6.6016214745004635
                                                                Encrypted:false
                                                                SSDEEP:1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
                                                                MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
                                                                SHA1:A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
                                                                SHA-256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
                                                                SHA-512:0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):49528
                                                                Entropy (8bit):6.662491747506177
                                                                Encrypted:false
                                                                SSDEEP:768:wPIyGVrxmKqOnA4j3z6Su77A+i0QLxi9z9Rtii9zn+:fBr87uW1nA8QLx+zrti+zn+
                                                                MD5:F8DFA78045620CF8A732E67D1B1EB53D
                                                                SHA1:FF9A604D8C99405BFDBBF4295825D3FCBC792704
                                                                SHA-256:A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
                                                                SHA-512:BA7F8B7AB0DEB7A7113124C28092B543E216CA08D1CF158D9F40A326FB69F4A2511A41A59EA8482A10C9EC4EC8AC69B70DFE9CA65E525097D93B819D498DA371
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):85272
                                                                Entropy (8bit):6.591841805043941
                                                                Encrypted:false
                                                                SSDEEP:1536:Iyhz79151BVo1vXfzIFnaR4bO1As0n8qsjk+VIMCVl7SyVx7:/hzx15evXkuxAP8qMk+VIMCVlJ
                                                                MD5:30F396F8411274F15AC85B14B7B3CD3D
                                                                SHA1:D3921F39E193D89AA93C2677CBFB47BC1EDE949C
                                                                SHA-256:CB15D6CC7268D3A0BD17D9D9CEC330A7C1768B1C911553045C73BC6920DE987F
                                                                SHA-512:7D997EF18E2CBC5BCA20A4730129F69A6D19ABDDA0261B06AD28AD8A2BDDCDECB12E126DF9969539216F4F51467C0FE954E4776D842E7B373FE93A8246A5CA3F
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):257304
                                                                Entropy (8bit):6.565831509727426
                                                                Encrypted:false
                                                                SSDEEP:6144:/CxJS14bteS9B+ApcG0Qos0KR29py9qWM53pLW1AZHVHMhhhKoDStGwL0zsWD:/aeS9B+HQosbY9FfHVHXfEsWD
                                                                MD5:7AE94F5A66986CBC1A2B3C65A8D617F3
                                                                SHA1:28ABEFB1DF38514B9FFE562F82F8C77129CA3F7D
                                                                SHA-256:DA8BB3D54BBBA20D8FA6C2FD0A4389AEC80AB6BD490B0ABEF5BD65097CBC0DA4
                                                                SHA-512:FBB599270066C43B5D3A4E965FB2203B085686479AF157CD0BB0D29ED73248B6F6371C5158799F6D58B1F1199B82C01ABE418E609EA98C71C37BB40F3226D8C5
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V..............'.....g&......g&......g&......g&.......!.................9....!.......!.......!.......!K......!......Rich............PE..d...[b.f.........." ...(.....<.......................................................4....`..........................................c..P....c...................&......./......T.......T...............................@............................................text...v........................... ..`.rdata..............................@..@.data...X*.......$...b..............@....pdata...&.......(..................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):66328
                                                                Entropy (8bit):6.227186392528159
                                                                Encrypted:false
                                                                SSDEEP:1536:9PgLpgE4Z27jHZWZnEmoANIMOIi7SyAx2:9EtHZeEmoANIMOIit
                                                                MD5:A25BC2B21B555293554D7F611EAA75EA
                                                                SHA1:A0DFD4FCFAE5B94D4471357F60569B0C18B30C17
                                                                SHA-256:43ACECDC00DD5F9A19B48FF251106C63C975C732B9A2A7B91714642F76BE074D
                                                                SHA-512:B39767C2757C65500FC4F4289CB3825333D43CB659E3B95AF4347BD2A277A7F25D18359CEDBDDE9A020C7AB57B736548C739909867CE9DE1DBD3F638F4737DC5
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8QtZY?'ZY?'ZY?'S!.'^Y?'..>&XY?'..<&YY?'..;&RY?'..:&VY?'.!>&XY?'O.>&_Y?'ZY>'.Y?'O.2&[Y?'O.?&[Y?'O..'[Y?'O.=&[Y?'RichZY?'........PE..d....b.f.........." ...(.V.......... @....................................................`.........................................p...P................................/......X...@}..T............................|..@............p..(............................text....T.......V.................. ..`.rdata...O...p...P...Z..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):160024
                                                                Entropy (8bit):6.85410280956396
                                                                Encrypted:false
                                                                SSDEEP:3072:ssvkxujgo7e2uONOG+hi+CTznfF9mNoDXnmbuVIMZ10L:snu0o7JUCNYOD2Kg
                                                                MD5:9E94FAC072A14CA9ED3F20292169E5B2
                                                                SHA1:1EEAC19715EA32A65641D82A380B9FA624E3CF0D
                                                                SHA-256:A46189C5BD0302029847FED934F481835CB8D06470EA3D6B97ADA7D325218A9F
                                                                SHA-512:B7B3D0F737DD3B88794F75A8A6614C6FB6B1A64398C6330A52A2680CAF7E558038470F6F3FC024CE691F6F51A852C05F7F431AC2687F4525683FF09132A0DECB
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D.3H%.`H%.`H%.`A]7`L%.`...aJ%.`...aK%.`...a@%.`...aD%.`]..aK%.`.].aJ%.`H%.`-%.`]..ar%.`]..aI%.`].[`I%.`]..aI%.`RichH%.`........................PE..d....b.f.........." ...(.f..........`8..............................................C.....`......................................... %..L...l%..x....p.......P.......B.../......4.......T...............................@............................................text...be.......f.................. ..`.rdata..............j..............@..@.data...p....@......................@....pdata.......P......."..............@..@.rsrc........p.......6..............@..@.reloc..4............@..............@..B................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):83736
                                                                Entropy (8bit):6.3186936632343205
                                                                Encrypted:false
                                                                SSDEEP:1536:mOYhekrkJqlerLSyypHf9/s+S+pzMii/n1IsJqKN5IMLwoR7SygCxkWN:vwkJqHyypHf9/sT+pzMiE1IwdN5IMLw0
                                                                MD5:69801D1A0809C52DB984602CA2653541
                                                                SHA1:0F6E77086F049A7C12880829DE051DCBE3D66764
                                                                SHA-256:67ACA001D36F2FCE6D88DBF46863F60C0B291395B6777C22B642198F98184BA3
                                                                SHA-512:5FCE77DD567C046FEB5A13BAF55FDD8112798818D852DFECC752DAC87680CE0B89EDFBFBDAB32404CF471B70453A33F33488D3104CD82F4E0B94290E83EAE7BB
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...Nb}.Nb}.Nb}.6.}.Nb}g.c|.Nb}g.a|.Nb}g.f|.Nb}g.g|.Nb}..c|.Nb}.Nc}.Nb}.6c|.Nb}..o|.Nb}..b|.Nb}..}.Nb}..`|.Nb}Rich.Nb}................PE..d....b.f.........." ...(.x..........0-.......................................`............`.........................................@...P............@.......0.........../...P......P...T...............................@............................................text....v.......x.................. ..`.rdata...x.......z...|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):37656
                                                                Entropy (8bit):6.340152202881265
                                                                Encrypted:false
                                                                SSDEEP:768:rUmqQhTcYr6NxO0VIMCit5YiSyv4YmAJAMxkEn:Im7GBNxO0VIMCiz7SyQYmQxz
                                                                MD5:827615EEE937880862E2F26548B91E83
                                                                SHA1:186346B816A9DE1BA69E51042FAF36F47D768B6C
                                                                SHA-256:73B7EE3156EF63D6EB7DF9900EF3D200A276DF61A70D08BD96F5906C39A3AC32
                                                                SHA-512:45114CAF2B4A7678E6B1E64D84B118FB3437232B4C0ADD345DDB6FBDA87CEBD7B5ADAD11899BDCD95DDFE83FDC3944A93674CA3D1B5F643A2963FBE709E44FB8
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k.L...L...L...E..J.......H.......H.......D...Y...N.......Q.......K...L...........M...Y...M...Y...M...Y...M...Y...M...RichL...........PE..d...db.f.........." ...(.*...<.......(...................................................`..........................................V..H...HV..................x....d.../......t...dG..T............................C..@............@.......S..@....................text...n(.......*.................. ..`.rdata..4 ...@..."..................@..@.data........p.......P..............@....pdata..x............T..............@..@.rsrc................X..............@..@.reloc..t............b..............@..B........................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):6162432
                                                                Entropy (8bit):5.64790582887791
                                                                Encrypted:false
                                                                SSDEEP:98304:OSoY112XQr2fqDVS1K17UpJwIX4OzWObPPumo0:doq1QQSfqDVgX
                                                                MD5:63C4E3F9C7383D039AB4AF449372C17F
                                                                SHA1:F52FF760A098A006C41269FF73ABB633B811F18E
                                                                SHA-256:151524F6C1D1AEAC530CFD69DE15C3336043DC8EB3F5AEAA31513E24BFD7ACDD
                                                                SHA-512:DCFB4804C5569AD13E752270D13320F8769601B7092544741E35BC62A22AF363B7A5EA7C5A65132C9575540A3E689A6946110502BD0F046385B8739E81761FBF
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8...|..Q|..Q|..Q7..Pw..Q7..P...Q7..Pq..Q|..Q}..Qzz.Q~..Qzz.PU..Qzz.Pl..Qzz.Pm..Qi..P~..Q7..Py..Q|..Q...Q.z.Pz..Q.z.P}..QRich|..Q................PE..d...K.Xg.........."....&.....VY................@..............................^...........`.................................................|...<....`..P.W......4...........p^.....................................p...@............................................text............................... ..`.rdata..t...........................@..@.data...8....`...n...D..............@....pdata...4.......6..................@..@_RDATA.......P......................@..@.rsrc...P.W..`....W.................@..@.reloc.......p^.......].............@..B........................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):5232408
                                                                Entropy (8bit):5.940072183736028
                                                                Encrypted:false
                                                                SSDEEP:98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
                                                                MD5:123AD0908C76CCBA4789C084F7A6B8D0
                                                                SHA1:86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
                                                                SHA-256:4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
                                                                SHA-512:80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):6927640
                                                                Entropy (8bit):5.765552513907485
                                                                Encrypted:false
                                                                SSDEEP:49152:mRSn173WIgXqQYRn0I+gaYFD0iRpIrCMEGXgeieBwHTuJTA8LbLH7ft4OCLj8j4V:mIn8hYEgw8Ij887GlSvBHDMiEruuln
                                                                MD5:166CC2F997CBA5FC011820E6B46E8EA7
                                                                SHA1:D6179213AFEA084F02566EA190202C752286CA1F
                                                                SHA-256:C045B57348C21F5F810BAE60654AE39490846B487378E917595F1F95438F9546
                                                                SHA-512:49D9D4DF3D7EF5737E947A56E48505A2212E05FDBCD7B83D689639728639B7FD3BE39506D7CFCB7563576EBEE879FD305370FDB203909ED9B522B894DD87AACB
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D..Z%..Z%..Z%......X%....e.T%......^%......R%......W%..S]..@%...]..Q%..Z%..*$..O....%..O...[%..O.g.[%..O...[%..RichZ%..........PE..d...=b.f.........." ...(..(..4B..... .........................................j......[j...`..........................................cN.d...$1O.......i......._.xI....i../... i.([....2.T.....................H.(...p.2.@............ (..............................text.....(.......(................. ..`.rdata...6'.. (..8'...(.............@..@.data....I...`O......HO.............@....pdata..xI...._..J....^.............@..@PyRuntim0.....b.......a.............@....rsrc.........i...... h.............@..@.reloc..([... i..\...*h.............@..B........................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):31000
                                                                Entropy (8bit):6.556986708902353
                                                                Encrypted:false
                                                                SSDEEP:384:IyRVBC9t6Lhz64CHf2slDT90Y5IMQGCHQIYiSy1pCQFm/AM+o/8E9VF0Ny/r5n+/:LGyKHfx1H5IMQGY5YiSyv4AMxkEFNnq
                                                                MD5:7C14C7BC02E47D5C8158383CB7E14124
                                                                SHA1:5EE9E5968E7B5CE9E4C53A303DAC9FC8FAF98DF3
                                                                SHA-256:00BD8BB6DEC8C291EC14C8DDFB2209D85F96DB02C7A3C39903803384FF3A65E5
                                                                SHA-512:AF70CBDD882B923013CB47545633B1147CE45C547B8202D7555043CFA77C1DEEE8A51A2BC5F93DB4E3B9CBF7818F625CA8E3B367BFFC534E26D35F475351A77C
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t..'..'..'..g'..'-..&..'-..&..'-..&..'-..&..'...&..'..'...'...&..'...&..'...&..'...'..'...&..'Rich..'................PE..d...`b.f.........." ...(.....2.......................................................o....`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...`....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:modified
                                                                Size (bytes):1138456
                                                                Entropy (8bit):5.4620027688967845
                                                                Encrypted:false
                                                                SSDEEP:12288:arEHdcM6hbuCjJ43w9hIpCQvb0QN8MdIEQ+U2BNNmD+99FfcAIU:arEXDCjfk7bPNfv42BN6yzUAIU
                                                                MD5:A8ED52A66731E78B89D3C6C6889C485D
                                                                SHA1:781E5275695ACE4A5C3AD4F2874B5E375B521638
                                                                SHA-256:BF669344D1B1C607D10304BE47D2A2FB572E043109181E2C5C1038485AF0C3D7
                                                                SHA-512:1C131911F120A4287EBF596C52DE047309E3BE6D99BC18555BD309A27E057CC895A018376AA134DF1DC13569F47C97C1A6E8872ACEDFA06930BBF2B175AF9017
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#.}.#.}.#.}.*..%.}..*|.!.}..*~. .}..*y.+.}..*x...}.6-|. .}.h.|.!.}.#.|.s.}.6-p.".}.6-}.".}.6-..".}.6-..".}.Rich#.}.........PE..d...`b.f.........." ...(.@..........0*.......................................p.......)....`.........................................p...X............P.......@.......0.../...`......P^..T............................]..@............P..p............................text...!>.......@.................. ..`.rdata..\....P.......D..............@..@.data........ ......................@....pdata.......@......................@..@.rsrc........P.......$..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):119192
                                                                Entropy (8bit):6.6016214745004635
                                                                Encrypted:false
                                                                SSDEEP:1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
                                                                MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
                                                                SHA1:A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
                                                                SHA-256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
                                                                SHA-512:0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\l4.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):49528
                                                                Entropy (8bit):6.662491747506177
                                                                Encrypted:false
                                                                SSDEEP:768:wPIyGVrxmKqOnA4j3z6Su77A+i0QLxi9z9Rtii9zn+:fBr87uW1nA8QLx+zrti+zn+
                                                                MD5:F8DFA78045620CF8A732E67D1B1EB53D
                                                                SHA1:FF9A604D8C99405BFDBBF4295825D3FCBC792704
                                                                SHA-256:A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
                                                                SHA-512:BA7F8B7AB0DEB7A7113124C28092B543E216CA08D1CF158D9F40A326FB69F4A2511A41A59EA8482A10C9EC4EC8AC69B70DFE9CA65E525097D93B819D498DA371
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9@.W}!..}!..}!...S...!..{....!..tYJ.v!..}!..N!..{...x!..{...z!..{...f!..{...|!..{.&.|!..{...|!..Rich}!..................PE..d.....v..........." ...&.<...8.......B...................................................`A........................................Pm.......m..x....................r..xO......D....c..p...........................`b..@............P..`............................text...p:.......<.................. ..`.rdata...#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B........................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):6174208
                                                                Entropy (8bit):7.990978110457585
                                                                Encrypted:true
                                                                SSDEEP:98304:copJ0ndCADji3dh8iemrdbYOssb5+7wFADy/+sXBuVoDtnOPyz70fhhQAHHDRWfU:cc0cWjigIbCs+ZivuVoDFOKn0fPyqEvo
                                                                MD5:D68F79C459EE4AE03B76FA5BA151A41F
                                                                SHA1:BFA641085D59D58993BA98AC9EE376F898EE5F7B
                                                                SHA-256:AA50C900E210ABB6BE7D2420D9D5AE34C66818E0491AABD141421D175211FED6
                                                                SHA-512:BD4EF3E3708DF81D53B2E9050447032E8DCDCC776CF0353077310F208A30DAB8F31D6EC6769D47FB6C05C642BDD7A58FB4F93D9D28E2DE0EFC01312FBC5E391E
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 63%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........jO..jO..jO..!7..lO..!7...O..!7..`O..jO..kO..l...hO..l...BO..l...zO..l...{O..!7..oO..jO...O......kO......kO..RichjO..................PE..d...O.Xg.........."....&.....,\................@..............................`...........`.....................................................<....p..X/[..@..T.............`.....`............................... ...@............ ...............................text...P........................... ..`.rdata....... ......................@..@.data...pN..........................@....pdata..T....@......................@..@_RDATA.......`......................@..@.rsrc...X/[..p...0[.................@..@.reloc........`.......^.............@..B................................................................................................................................................................................................
                                                                File type:PE32+ executable (console) x86-64, for MS Windows
                                                                Entropy (8bit):7.990978110457585
                                                                TrID:
                                                                • Win64 Executable Console (202006/5) 92.65%
                                                                • Win64 Executable (generic) (12005/4) 5.51%
                                                                • Generic Win/DOS Executable (2004/3) 0.92%
                                                                • DOS Executable Generic (2002/1) 0.92%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:l4.exe
                                                                File size:6'174'208 bytes
                                                                MD5:d68f79c459ee4ae03b76fa5ba151a41f
                                                                SHA1:bfa641085d59d58993ba98ac9ee376f898ee5f7b
                                                                SHA256:aa50c900e210abb6be7d2420d9d5ae34c66818e0491aabd141421d175211fed6
                                                                SHA512:bd4ef3e3708df81d53b2e9050447032e8dcdcc776cf0353077310f208a30dab8f31d6ec6769d47fb6c05c642bdd7a58fb4f93d9d28e2de0efc01312fbc5e391e
                                                                SSDEEP:98304:copJ0ndCADji3dh8iemrdbYOssb5+7wFADy/+sXBuVoDtnOPyz70fhhQAHHDRWfU:cc0cWjigIbCs+ZivuVoDFOKn0fPyqEvo
                                                                TLSH:8E56335AF26140FCE71B62B49CAA0363F9B7785913019BDF52707A669F337C11A2A331
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........jO..jO..jO..!7..lO..!7...O..!7..`O..jO..kO..l...hO..l...BO..l...zO..l...{O..!7..oO..jO...O......kO......kO..RichjO.........
                                                                Icon Hash:00928e8e8686b000
                                                                Entrypoint:0x14000be9c
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x140000000
                                                                Subsystem:windows cui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x6758824F [Tue Dec 10 18:02:55 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:6
                                                                OS Version Minor:0
                                                                File Version Major:6
                                                                File Version Minor:0
                                                                Subsystem Version Major:6
                                                                Subsystem Version Minor:0
                                                                Import Hash:8e3dad4d4ea6736338bcc4aca7b446c9
Instruction (entry-point disassembly as rendered by the sandbox; it decodes the x86-64 bytes as 32-bit code, so every `dec eax` below is the REX.W prefix of the instruction that follows it: `dec eax` / `sub esp, 28h` is `sub rsp, 28h`, and the `mov eax, dword ptr [00000030h]` / `mov ecx, dword ptr [eax+08h]` pair followed by `cmpxchg` is the MSVC CRT startup-lock routine comparing the current thread ID from the TEB against a global lock word. The whole listing is standard MSVC CRT initialisation, not sample-specific code.)
                                                                dec eax
                                                                sub esp, 28h
                                                                call 00007F62D0BF0740h
                                                                dec eax
                                                                add esp, 28h
                                                                jmp 00007F62D0BF0367h
                                                                int3
                                                                int3
                                                                dec eax
                                                                sub esp, 28h
                                                                call 00007F62D0BF0C80h
                                                                test eax, eax
                                                                je 00007F62D0BF0513h
                                                                dec eax
                                                                mov eax, dword ptr [00000030h]
                                                                dec eax
                                                                mov ecx, dword ptr [eax+08h]
                                                                jmp 00007F62D0BF04F7h
                                                                dec eax
                                                                cmp ecx, eax
                                                                je 00007F62D0BF0506h
                                                                xor eax, eax
                                                                dec eax
                                                                cmpxchg dword ptr [0002419Ch], ecx
                                                                jne 00007F62D0BF04E0h
                                                                xor al, al
                                                                dec eax
                                                                add esp, 28h
                                                                ret
                                                                mov al, 01h
                                                                jmp 00007F62D0BF04E9h
                                                                int3
                                                                int3
                                                                int3
                                                                dec eax
                                                                sub esp, 28h
                                                                test ecx, ecx
                                                                jne 00007F62D0BF04F9h
                                                                mov byte ptr [00024185h], 00000001h
                                                                call 00007F62D0BF0A8Dh
                                                                call 00007F62D0BF0ED0h
                                                                test al, al
                                                                jne 00007F62D0BF04F6h
                                                                xor al, al
                                                                jmp 00007F62D0BF0506h
                                                                call 00007F62D0BF8DABh
                                                                test al, al
                                                                jne 00007F62D0BF04FBh
                                                                xor ecx, ecx
                                                                call 00007F62D0BF0EE0h
                                                                jmp 00007F62D0BF04DCh
                                                                mov al, 01h
                                                                dec eax
                                                                add esp, 28h
                                                                ret
                                                                int3
                                                                int3
                                                                inc eax
                                                                push ebx
                                                                dec eax
                                                                sub esp, 20h
                                                                cmp byte ptr [0002414Ch], 00000000h
                                                                mov ebx, ecx
                                                                jne 00007F62D0BF0559h
                                                                cmp ecx, 01h
                                                                jnbe 00007F62D0BF055Ch
                                                                call 00007F62D0BF0BF6h
                                                                test eax, eax
                                                                je 00007F62D0BF051Ah
                                                                test ebx, ebx
                                                                jne 00007F62D0BF0516h
                                                                dec eax
                                                                lea ecx, dword ptr [00024136h]
                                                                call 00007F62D0BF8BCAh
                                                                test eax, eax
                                                                jne 00007F62D0BF0502h
                                                                dec eax
                                                                lea ecx, dword ptr [0002413Eh]
                                                                call 00007F62D0BF05BAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e0fc | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x57000 | 0x5b2f58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x54000 | 0x1854 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x60a000 | 0x688 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2bf60 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2be20 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x22000 | 0x2e0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x20450 | 0x20600 | d5881c799223a7c43227753af4dfb945 | False | 0.5567084942084942 | data | 6.520018060774394 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x22000 | 0xcab0 | 0xcc00 | 0e51738cb3a1352b016ad756319571fc | False | 0.47909007352941174 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 5.144088628907143 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x2f000 | 0x24e70 | 0xc00 | 6d8f02b8aab3664e63abe84f259bc1c7 | False | 0.13802083333333334 | data | 1.9439948621662484 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x54000 | 0x1854 | 0x1a00 | 2939e1273090608fed331aea22bcb0fd | False | 0.45703125 | PEX Binary Archive | 5.057262605805601 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x56000 | 0x1f4 | 0x200 | 3bbe165281ec2be875b71c5ef5761cf3 | False | 0.525390625 | data | 3.671095801963117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x57000 | 0x5b2f58 | 0x5b3000 | d805cd73a079d91d788f02c118c10a48 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x60a000 | 0x688 | 0x800 | fd808e45828696952605c6bce78bb2f4 | False | 0.5126953125 | data | 4.934942496146745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x570a0 | 0x5b2ac0 | data | | | 0.9976177215576172
RT_MANIFEST | 0x609b60 | 0x3f8 | ASCII text, with very long lines (1016), with no line terminators | | | 0.4655511811023622
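The section and resource tables above show where the bulk of the 6'174'208-byte file sits: .rsrc is 0x5b3000 bytes raw (about 97% of the file) and holds a single RT_RCDATA entry of 0x5b2ac0 bytes with ZLIB complexity 0.998, i.e. data that is already compressed or encrypted. That is why the whole-file entropy is 7.99 and the report marks the file as "Encrypted" even though .text itself has an ordinary entropy of 6.52. The Python below is an added example, not code from Joe Sandbox or from the sample: it walks a PE section table by hand (e_lfanew, NumberOfSections, SizeOfOptionalHeader), computes Shannon entropy per section, and flags any section that is both near-random and most of the file. The in-memory PE32+ image it builds, the SHA-256-chain filler standing in for the payload, and the thresholds (entropy above 7.5, share above 50%) are constructed assumptions for the demo.

```python
"""Section-table triage for a PE file: per-section entropy and file share.

Added example, not code from Joe Sandbox or from the sample. The PE image is
built in memory from constructed data; thresholds are assumptions for the demo.
"""
import hashlib
import math
import struct
from collections import Counter

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
FILE_ALIGN = 0x200


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n, seed=b"demo-payload"):
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a
    compressed or encrypted payload; constructed, not taken from the sample."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def align(value, boundary):
    return (value + boundary - 1) // boundary * boundary


def build_test_pe(sections):
    """Construct a minimal PE32+ image: DOS stub, COFF header, blank optional
    header and one IMAGE_SECTION_HEADER per (name, data, characteristics)."""
    e_lfanew, opt_size = 0x80, 0xF0
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # PE32+ magic
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr, va = align(headers_end, FILE_ALIGN), 0x1000
    hdrs, blobs = b"", b""
    for name, data, chars in sections:
        raw_size = align(len(data), FILE_ALIGN)
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                            len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += align(len(data), 0x1000)
    head = (dos + b"PE\0\0" + coff + opt + hdrs).ljust(align(headers_end, FILE_ALIGN), b"\0")
    return head + blobs


def parse_sections(image):
    """Walk the section table the way a loader finds it."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr, *_, chars = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        data = image[rptr:rptr + rsize]
        out.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                    "raw_size": rsize, "entropy": shannon_entropy(data),
                    "share": rsize / len(image), "characteristics": chars})
    return out


def packed_payload_sections(image, min_entropy=7.5, min_share=0.5):
    """Names of sections that are both near-random and most of the file
    (assumed thresholds); a hit means the real code is inside, not in .text."""
    return [s["name"] for s in parse_sections(image)
            if s["entropy"] > min_entropy and s["share"] > min_share]


# Constructed image: a tiny low-entropy .text next to a .rsrc that dwarfs it,
# mirroring the report's 0x20600-byte .text beside a 0x5b3000-byte .rsrc.
TEST_IMAGE = build_test_pe([
    (".text", b"\x48\x83\xec\x28" * 0x200, 0x60000020),   # CODE|EXECUTE|READ
    (".rsrc", pseudo_random_bytes(0x10000), 0x40000040),  # INITIALIZED_DATA|READ
])

if __name__ == "__main__":
    for s in parse_sections(TEST_IMAGE):
        print(f"{s['name']:<8} raw=0x{s['raw_size']:x} entropy={s['entropy']:.3f} share={s['share']:.1%}")
    print("packed payload candidates:", packed_payload_sections(TEST_IMAGE))
```

On the constructed image .text comes out at entropy 2.0 and .rsrc at roughly 7.99 while holding about 96% of the bytes, so .rsrc is the only candidate. The share half of the rule already applies to the table above (0x5b3000 of 6'174'208 bytes); the report leaves that section's entropy as unknown, but a whole-file entropy of 7.99 can only come from there.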
DLL | Import
SHELL32.dll | SHFileOperationW, SHGetFolderPathW, CommandLineToArgvW
KERNEL32.dll | SetLastError, WriteConsoleW, HeapReAlloc, CreateDirectoryW, SizeofResource, SetConsoleCtrlHandler, GetCommandLineW, GetStdHandle, WriteFile, TerminateProcess, GetModuleFileNameW, SetEnvironmentVariableW, GetTempPathW, FindResourceA, WaitForSingleObject, CreateFileW, GetFileAttributesW, Sleep, GetLastError, LockResource, CloseHandle, LoadResource, GetProcAddress, GetCurrentProcessId, CreateProcessW, WideCharToMultiByte, GetSystemTimeAsFileTime, FormatMessageA, GetExitCodeProcess, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, HeapSize, RtlUnwindEx, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EncodePointer, RaiseException, RtlPcToFileHeader, ExitProcess, GetModuleHandleExW, GetCommandLineA, HeapAlloc, MultiByteToWideChar, HeapFree, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, GetProcessHeap, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx
Note on reading this import table: IsDebuggerPresent, together with RtlCaptureContext, UnhandledExceptionFilter, QueryPerformanceCounter and IsProcessorFeaturePresent, is pulled in by the MSVC runtime's fast-fail and security-cookie initialisation, so on its own it is weak evidence of deliberate anti-debugging. The combination that actually characterises the sample is GetTempPathW, CreateDirectoryW, FindResourceA, LoadResource, LockResource, SizeofResource, CreateFileW, WriteFile, CreateProcessW and WaitForSingleObject: a bootstrap that extracts the RT_RCDATA payload to a temp directory, runs it and waits, which matches the dropping process path C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe and is consistent with Nuitka's onefile layout.
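The TCP packet table that follows records two connections from 192.168.2.7 to 194.59.30.220:1336 (client ports 49699 and 49711). After the initial exchange, the 49699 connection settles into a fixed rhythm: a packet from the server, the client's reply within milliseconds, a server ACK about 120 ms later, then nothing for roughly 5.45 s. That cadence is what a detection engineer turns into a beacon check. The Python below is an added example, not code from Joe Sandbox or from the sample's author: it parses rows in the table's layout (timestamp, source port, destination port, source IP, destination IP), collapses each request/reply/ACK triple into one exchange, and reports the median spacing and jitter per flow. The 1336/49699 rows are transcribed from the table; the rows for 203.0.113.5:443, the 1.0 s burst gap, the minimum of four exchanges and the 10% jitter threshold are constructed assumptions for the demo.

```python
"""Beacon-interval check over the packet rows of a sandbox report.

Added example, not code from Joe Sandbox or from the sample's author.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Rows transcribed from the report's packet table (12:05:26 to 12:06:04 CET),
# one packet per line: timestamp, tz, source port, dest port, source IP, dest IP.
# The five rows for 192.168.2.7:49800 <-> 203.0.113.5:443 are constructed, not
# from the report; they serve as a non-periodic control flow.
SAMPLE_ROWS = """\
Dec 18, 2024 12:05:26.161672115 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:26.181791067 CET 49699 1336 192.168.2.7 194.59.30.220
Dec 18, 2024 12:05:26.301911116 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:30.000000000 CET 49800 443 192.168.2.7 203.0.113.5
Dec 18, 2024 12:05:30.500000000 CET 443 49800 203.0.113.5 192.168.2.7
Dec 18, 2024 12:05:31.634604931 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:31.634913921 CET 49699 1336 192.168.2.7 194.59.30.220
Dec 18, 2024 12:05:31.754580975 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:37.082294941 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:37.082462072 CET 49699 1336 192.168.2.7 194.59.30.220
Dec 18, 2024 12:05:37.202250004 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:37.500000000 CET 49800 443 192.168.2.7 203.0.113.5
Dec 18, 2024 12:05:38.700000000 CET 443 49800 203.0.113.5 192.168.2.7
Dec 18, 2024 12:05:42.548475027 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:42.548765898 CET 49699 1336 192.168.2.7 194.59.30.220
Dec 18, 2024 12:05:42.668724060 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:47.998188019 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:47.998368025 CET 49699 1336 192.168.2.7 194.59.30.220
Dec 18, 2024 12:05:48.118767023 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:53.441267967 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:53.441411972 CET 49699 1336 192.168.2.7 194.59.30.220
Dec 18, 2024 12:05:53.563868999 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:58.700000000 CET 49800 443 192.168.2.7 203.0.113.5
Dec 18, 2024 12:05:58.896888018 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:05:58.897444010 CET 49699 1336 192.168.2.7 194.59.30.220
Dec 18, 2024 12:05:59.017211914 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:06:04.364289045 CET 1336 49699 194.59.30.220 192.168.2.7
Dec 18, 2024 12:06:04.364453077 CET 49699 1336 192.168.2.7 194.59.30.220
Dec 18, 2024 12:06:04.484658957 CET 1336 49699 194.59.30.220 192.168.2.7
"""

ROW_RE = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+ (\d+) (\d+) (\S+) (\S+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_rows(text):
    """Yield (seconds, flow) per packet. Pipes are tolerated so a '|'-separated
    copy of the table parses too; the flow key ignores packet direction."""
    for raw in text.splitlines():
        m = ROW_RE.match(" ".join(raw.replace("|", " ").split()))
        if not m:
            continue
        stamp, frac, sport, dport, sip, dip = m.groups()
        secs = (datetime.strptime(stamp, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds()
        secs += int(frac) / 10 ** len(frac)
        yield secs, tuple(sorted([(sip, int(sport)), (dip, int(dport))]))


def burst_starts(times, gap=1.0):
    """Collapse packets closer than `gap` seconds (request, reply, ACK) into one
    exchange and return the start time of each exchange."""
    times = sorted(times)
    starts = [times[0]]
    for prev, cur in zip(times, times[1:]):
        if cur - prev > gap:
            starts.append(cur)
    return starts


def beacon_stats(text, gap=1.0, min_bursts=4, max_cv=0.1):
    """Per flow: number of exchanges, median spacing, coefficient of variation
    of the spacing, and a beacon verdict (assumed thresholds)."""
    flows = defaultdict(list)
    for secs, flow in parse_rows(text):
        flows[flow].append(secs)
    result = {}
    for flow, times in flows.items():
        starts = burst_starts(times, gap)
        if len(starts) < min_bursts:
            continue
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        cv = statistics.pstdev(gaps) / statistics.fmean(gaps)
        result[flow] = {"bursts": len(starts), "median_interval": statistics.median(gaps),
                        "cv": cv, "beacon_like": cv < max_cv}
    return result


if __name__ == "__main__":
    for flow, stats in beacon_stats(SAMPLE_ROWS).items():
        print(flow, stats)
```

Run as a script it prints one line per flow: on the transcribed rows the 49699 connection shows 8 exchanges at a median 5.456 s with a coefficient of variation under 1%, while the constructed control flow has irregular spacing and is rejected. Because the flow key is direction-agnostic, it does not matter that in this capture the server side sends the first packet of every exchange.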
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 12:05:09.295212984 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:09.414980888 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:09.415067911 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:09.415240049 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:09.539011955 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:10.576759100 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:10.618659019 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:10.811487913 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:10.853153944 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:11.673002958 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:11.721477032 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:11.863826990 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:11.909018040 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:12.581629038 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:12.707756996 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:12.980587006 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:13.034567118 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:13.582089901 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:13.701944113 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:15.245419025 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:15.245790958 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:15.365797043 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:20.668982029 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:20.700824976 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:20.705311060 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:20.788762093 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:20.790230989 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:20.790230989 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:20.825439930 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:20.909872055 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:21.948892117 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:21.993859053 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:22.183866978 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:22.228215933 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:23.073227882 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:23.121347904 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:23.263782978 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:23.308861017 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:23.950324059 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:24.070287943 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:24.343560934 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:24.387566090 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:24.950763941 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:25.071417093 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:25.349281073 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:25.349370003 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:25.349464893 CET | 49711 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:25.470005989 CET | 1336 | 49711 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:26.161672115 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:26.181791067 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:26.301911116 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:31.634604931 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:31.634913921 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:31.754580975 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:37.082294941 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:37.082462072 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:37.202250004 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:42.548475027 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:42.548765898 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:42.668724060 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:47.998188019 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:47.998368025 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:48.118767023 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:53.441267967 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:53.441411972 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:53.563868999 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:58.896888018 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:05:58.897444010 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:05:59.017211914 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:04.364289045 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:04.364453077 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:04.484658957 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:09.807950020 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:09.808468103 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:09.928092003 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:15.261291981 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:15.264170885 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:15.383944035 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:20.716960907 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:20.717164040 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:20.837996006 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:26.268934965 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:26.269126892 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:26.389170885 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:31.712414980 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:31.712610960 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:31.832088947 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:37.280045986 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:37.280220032 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:37.400315046 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:42.735919952 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:42.736130953 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:42.855950117 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:48.187432051 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:48.187643051 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:48.307849884 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:53.653954983 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:53.682204962 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:53.804565907 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:59.177007914 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:06:59.178383112 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:06:59.301840067 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:04.637995005 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:04.638215065 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:07:04.760401011 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:10.259114981 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:10.259268045 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:07:10.378974915 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:15.792444944 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:15.798948050 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:07:15.918658972 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:21.244250059 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:21.246526003 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:07:21.366170883 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:26.715660095 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:26.727145910 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:07:26.846744061 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:32.172218084 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:32.172533035 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:07:32.292798996 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:37.610219955 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:37.613316059 CET | 49699 | 1336 | 192.168.2.7 | 194.59.30.220
Dec 18, 2024 12:07:37.732812881 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
Dec 18, 2024 12:07:43.092313051 CET | 1336 | 49699 | 194.59.30.220 | 192.168.2.7
                                                                Dec 18, 2024 12:07:43.092462063 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:07:43.212215900 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:07:48.549201965 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:07:48.550256968 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:07:48.670136929 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:07:54.002420902 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:07:54.005073071 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:07:54.124890089 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:07:59.450651884 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:07:59.450807095 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:07:59.573107004 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:04.905944109 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:04.906090975 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:08:05.025607109 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:10.358445883 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:10.358586073 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:08:10.478734016 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:15.818866014 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:15.819063902 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:08:15.941771030 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:21.284636021 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:21.284802914 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:08:21.404458046 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:26.729355097 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:26.729530096 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:08:26.849173069 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:32.173490047 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:32.173747063 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:08:32.293355942 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:37.622767925 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:37.623639107 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:08:37.743541002 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:43.375782967 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:43.376791954 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:08:43.498538017 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:49.133119106 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:49.134771109 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:08:49.255352020 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:54.600624084 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:08:54.600802898 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:08:54.720431089 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:09:00.038850069 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:09:00.039067030 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:09:00.159529924 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:09:05.490792036 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:09:05.490930080 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:09:05.611536980 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:09:10.944994926 CET133649699194.59.30.220192.168.2.7
                                                                Dec 18, 2024 12:09:10.998610973 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:09:11.185789108 CET496991336192.168.2.7194.59.30.220
                                                                Dec 18, 2024 12:09:11.407149076 CET133649699194.59.30.220192.168.2.7

Target ID: 0
Start time: 06:05:05
Start date: 18/12/2024
Path: C:\Users\user\Desktop\l4.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\l4.exe"
Imagebase: 0x7ff7f8de0000
File size: 6'174'208 bytes
MD5 hash: D68F79C459EE4AE03B76FA5BA151A41F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 2
Start time: 06:05:05
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 8
Start time: 06:05:08
Start date: 18/12/2024
Path: C:\Users\user\AppData\Local\Temp\onefile_6360_133789935056132008\l4.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\l4.exe
Imagebase: 0x7ff65ecf0000
File size: 6'162'432 bytes
MD5 hash: 63C4E3F9C7383D039AB4AF449372C17F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 5%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 10
Start time: 06:05:18
Start date: 18/12/2024
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe"
Imagebase: 0x7ff65b130000
File size: 6'174'208 bytes
MD5 hash: D68F79C459EE4AE03B76FA5BA151A41F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 63%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 11
Start time: 06:05:18
Start date: 18/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff75da10000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 06:05:20
Start date: 18/12/2024
Path: C:\Users\user\AppData\Local\Temp\onefile_516_133789935184231099\l4.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l4.exe"
Imagebase: 0x7ff65bb90000
File size: 6'162'432 bytes
MD5 hash: 63C4E3F9C7383D039AB4AF449372C17F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 5%, ReversingLabs
Reputation: low
Has exited: true
APIs
Memory Dump Source
• Source File: 00000000.00000002.3704935248.00007FF7F8DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F8DE0000, based on PE: true
• Associated: 00000000.00000002.3704848672.00007FF7F8DE0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3705055848.00007FF7F8E02000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3705165473.00007FF7F8E0F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3705165473.00007FF7F8E21000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3705165473.00007FF7F8E2B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.3705434974.00007FF7F8E34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff7f8de0000_l4.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: e5452eedf9582e092569b7414b2f17c91349fbc22d9af30a0b797327307e927a
• Instruction ID: ecc842cf156c0cce6bb48aa08e258050a704e1482bb089e1bc9ff61d996dba5e
• Opcode Fuzzy Hash: e5452eedf9582e092569b7414b2f17c91349fbc22d9af30a0b797327307e927a
• Instruction Fuzzy Hash: 1C113326B14F058AEB00DF60E8552B8B3A4FB19758F440E31EA7E467E4DF7CD1688390

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
Similarity
• API ID: memset$__acrt_iob_func
• String ID: %d in block, %d after MTF & 1-2 coding, %d+2 syms in use$ bytes: mapping %d, $ initial group %d, [%d .. %d], has %d syms (%4.1f%%)$ pass %d: size is %d, grp uses are $%d $code lengths %d, $codes %d$selectors %d,
• API String ID: 2663462942-2674272606
• Opcode ID: fddf6da674a9559637942c02094f43c67222fa0e889a8864347ceb34b5a778ed
• Instruction ID: 934a31541ef0e0c5785699303e5bbe4715535ed6f933f7b91a1da38e40e1dabd
• Opcode Fuzzy Hash: fddf6da674a9559637942c02094f43c67222fa0e889a8864347ceb34b5a778ed
• Instruction Fuzzy Hash: 5823D2B2A256E18ADB24CF29D448BEC37A5FB48B5CF054226DF4D07BA5DF38A454CB10

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
Similarity
• API ID: __acrt_iob_funcmemset
• String ID: bucket sorting ...$ depth %6d has $ reconstructing block ...$ %d work, %d block, ratio %5.2f$%6d unresolved strings
• API String ID: 3274466043-3557197531
• Opcode ID: 3fcda9e2fd7ac071b7b70a866bceb4482f728b7e61e8db2759de8a03a3a667f4
• Instruction ID: 278696aea738d24c5c3e54e23dd556e4c13ceee175d06f057f579549df0ac57c
• Opcode Fuzzy Hash: 3fcda9e2fd7ac071b7b70a866bceb4482f728b7e61e8db2759de8a03a3a667f4
• Instruction Fuzzy Hash: 2452ADB3B35A4486DB09CF1CC484AAC37A5F759744F8AA22AD70E8B395EF39E154C700

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
Similarity
• API ID: __acrt_iob_func
• String ID: %d pointers, %d sorted, %d scanned$ bucket sorting ...$ main sort initialise ...$ qsort [0x%x, 0x%x] done %d this %d$VUUU
• API String ID: 711238415-771725242
• Opcode ID: 6f13b787d251c16a07ca401ee5e08a3a53f96260666b07c687ed5de27d5da20e
• Instruction ID: 34fe364fce3eced4e88715c8611b5e8063c23ad85058d475b1e43119bf484c0f
• Opcode Fuzzy Hash: 6f13b787d251c16a07ca401ee5e08a3a53f96260666b07c687ed5de27d5da20e
• Instruction Fuzzy Hash: F75246B36286D0CAD319CF28D014A7D7BB1FB56B44F1A9276EB9A43765DE38E500CB10

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
Similarity
• API ID: __acrt_iob_func
• String ID: [%d: huff+mtf $1$2$@$rt+rld
• API String ID: 711238415-2511902606
• Opcode ID: 619850e11dacf86815c574bd646255232747cdcace6cf06140f5c0d03bc097ac
• Instruction ID: 8a3ec4f633e583cef4c21d857002ce9ad0b0d9069ddbe557c1144319bf6f6421
• Opcode Fuzzy Hash: 619850e11dacf86815c574bd646255232747cdcace6cf06140f5c0d03bc097ac
• Instruction Fuzzy Hash: 10436FB3618A85CBD7688F29C0406AC7BB1F385B58F29D23ADA4D47799CF78D845CB10

APIs
Memory Dump Source
• Source File: 00000008.00000002.3709167204.00007FFB1E841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFB1E840000, based on PE: true
• Associated: 00000008.00000002.3709113784.00007FFB1E840000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.3709183900.00007FFB1E843000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.3709239335.00007FFB1E845000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000008.00000002.3709265478.00007FFB1E846000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffb1e840000_l4.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 313767242-0
• Opcode ID: 99395305cdb11cdb041beb820624a25ea4585affacafc0dcd255409337a1a2bc
• Instruction ID: a2266765efcc3bc1461a60d6307bff174e29062b796f82f235ed7c57cc13fa66
• Opcode Fuzzy Hash: 99395305cdb11cdb041beb820624a25ea4585affacafc0dcd255409337a1a2bc
• Instruction Fuzzy Hash: AD311EB2709F8185EB608F60E8403E973A5FB84754F44453ADA4E47B95EF38E648C720

APIs
Memory Dump Source
• Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 313767242-0
                                                                  • Opcode ID: 012467218d5544a4534461b4b62cf789c3f5b00e1029445c7606c465824eddd2
                                                                  • Instruction ID: d7045fa15ae9da70fd8f799070afca70701392eb5b8cba388717058147c5f85f
                                                                  • Opcode Fuzzy Hash: 012467218d5544a4534461b4b62cf789c3f5b00e1029445c7606c465824eddd2
                                                                  • Instruction Fuzzy Hash: 59315CB6618F8186EB688F70E8503E97361FB84714F08953ADB4E47BA4DF78D648C710
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: memset
                                                                  • String ID:
                                                                  • API String ID: 2221118986-0
                                                                  • Opcode ID: 5f9966c6679bf272717b46166595d2fc079e24c6c6c4c3c0b50c94340c7423a6
                                                                  • Instruction ID: bfc5b4aa0aaf73cf7e8431fa54696910a3ba79aa42f9512e417f1326acd24654
                                                                  • Opcode Fuzzy Hash: 5f9966c6679bf272717b46166595d2fc079e24c6c6c4c3c0b50c94340c7423a6
                                                                  • Instruction Fuzzy Hash: FEF168B2A24F8186D7268F3DD4412B97351FB9579AF18A335EB0863BA5DF3EE1418700
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ed8d24cf098aadaf33039588b135da2843f570b6115a25eeafe42063b0bf3ebc
                                                                  • Instruction ID: dfd55986913873ca883ba55afe3225e288f53045ee09c1050f9cc2308de9b048
                                                                  • Opcode Fuzzy Hash: ed8d24cf098aadaf33039588b135da2843f570b6115a25eeafe42063b0bf3ebc
                                                                  • Instruction Fuzzy Hash: 7BF1D4F3928A9587E758CF25D48497D37AAF744B54F59A636DE0A83760CF38E802CB40
                                                                  APIs
                                                                  • _PyTime_FromSecondsObject.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E842356
                                                                  • PyErr_ExceptionMatches.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E84236A
                                                                  • PyErr_SetString.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E8423B6
                                                                    • Part of subcall function 00007FFB1E84266C: PySequence_Fast.PYTHON312(00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E842694
                                                                  • _PyDeadline_Init.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E842471
                                                                  • PyEval_SaveThread.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E8424AB
                                                                  • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E8424B4
                                                                  • select.WS2_32(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E8424CD
                                                                  • PyEval_RestoreThread.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E8424D9
                                                                  • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E8424DF
                                                                  • PyErr_CheckSignals.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E8424EE
                                                                  • _PyDeadline_Get.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E84250B
                                                                  • _PyTime_AsTimeval_clamp.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E842529
                                                                  • PyErr_Occurred.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E842584
                                                                  • PyTuple_Pack.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E84259D
                                                                  • _Py_Dealloc.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E8425BA
                                                                  • _Py_Dealloc.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E8425D3
                                                                  • _Py_Dealloc.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E8425EC
                                                                  • WSAGetLastError.WS2_32(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E842652
                                                                  • PyErr_SetExcFromWindowsErr.PYTHON312(?,?,?,00007FFB0C47D290,?,?,00007FFB1E8422E5), ref: 00007FFB1E842664
                                                                    • Part of subcall function 00007FFB1E84266C: PyObject_AsFileDescriptor.PYTHON312(?,?,00007FFB1E8422E5), ref: 00007FFB1E842709
                                                                    • Part of subcall function 00007FFB1E84266C: PyErr_SetString.PYTHON312(?,?,00007FFB1E8422E5), ref: 00007FFB1E84278F
                                                                    • Part of subcall function 00007FFB1E84266C: _Py_Dealloc.PYTHON312(?,?,00007FFB1E8422E5), ref: 00007FFB1E8427A3
                                                                    • Part of subcall function 00007FFB1E84266C: _Py_Dealloc.PYTHON312(?,?,00007FFB1E8422E5), ref: 00007FFB1E8427B7
                                                                    • Part of subcall function 00007FFB1E84266C: _Py_Dealloc.PYTHON312(?,?,00007FFB1E8422E5), ref: 00007FFB1E8427D2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3709167204.00007FFB1E841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFB1E840000, based on PE: true
                                                                  • Associated: 00000008.00000002.3709113784.00007FFB1E840000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709183900.00007FFB1E843000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709239335.00007FFB1E845000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709265478.00007FFB1E846000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1e840000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: DeallocErr_$Deadline_Eval_FromStringThreadTime__errno$CheckDescriptorErrorExceptionFastFileInitLastMatchesObjectObject_OccurredPackRestoreSaveSecondsSequence_SignalsTimeval_clampTuple_Windowsselect
                                                                  • String ID: timeout must be a float or None$timeout must be non-negative
                                                                  • API String ID: 1581318368-2150404077
                                                                  • Opcode ID: d788fc8d8f2c4c3425777ff2c68e582025ccc74bbe31b0ae76aafc8d094d01c2
                                                                  • Instruction ID: 4226968f55275ed2f5f12632017d12966edb4c9fe275e7658f5d5b6e79ac375f
                                                                  • Opcode Fuzzy Hash: d788fc8d8f2c4c3425777ff2c68e582025ccc74bbe31b0ae76aafc8d094d01c2
                                                                  • Instruction Fuzzy Hash: C3912AA1A0CE9295EA219F31E8543B963A2FF54FA4F404135DA4E466A8EF3CF545C720
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Buffer_$Arg_BufferContiguousIndexKeywordsLong_Number_Object_ReleaseSsize_tUnpackmemset
                                                                  • String ID: argument 'data'$contiguous buffer$decompress
                                                                  • API String ID: 2593461735-2667845042
                                                                  • Opcode ID: 765b22e1d0c43746eefacce39cc61ecbcbbe27cbcf58c331b942709e186efdb8
                                                                  • Instruction ID: d74eb33516a7af586b9c3c9ebe89050728f01c6211c97c633a4f96ebd72eb864
                                                                  • Opcode Fuzzy Hash: 765b22e1d0c43746eefacce39cc61ecbcbbe27cbcf58c331b942709e186efdb8
                                                                  • Instruction Fuzzy Hash: 864160B1A29F4281EA189B22D48467963A6FB49BA4F4CA331DE5D537B4DF3CE505C700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3709167204.00007FFB1E841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFB1E840000, based on PE: true
                                                                  • Associated: 00000008.00000002.3709113784.00007FFB1E840000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709183900.00007FFB1E843000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709239335.00007FFB1E845000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709265478.00007FFB1E846000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1e840000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID:
                                                                  • API String ID: 190073905-0
                                                                  • Opcode ID: b57b117b731fe6fadf01a2aa5e6dfd03c7664753ee25818152bc9f2dcd8646e2
                                                                  • Instruction ID: e516595a27e7382e6f6ea208e3ac31a3bd3267c5390c998c4b3f13a8582b6564
                                                                  • Opcode Fuzzy Hash: b57b117b731fe6fadf01a2aa5e6dfd03c7664753ee25818152bc9f2dcd8646e2
                                                                  • Instruction Fuzzy Hash: 3C8178E1F08E5786FA509B76D4413B966D3EF81BA0F448135DA0D87AA6EF2CF9058730
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID:
                                                                  • API String ID: 190073905-0
                                                                  • Opcode ID: 2eaa67de80a121e031fad50f9f59be50fff6b26d2a98fc10d8919c7430d16f7e
                                                                  • Instruction ID: 98ba78cf06b91c37f9aedb8d795258ebc6e311c9620d10c89971a5b68b8324dc
                                                                  • Opcode Fuzzy Hash: 2eaa67de80a121e031fad50f9f59be50fff6b26d2a98fc10d8919c7430d16f7e
                                                                  • Instruction Fuzzy Hash: C0819FE1E2CE4386FA5C9B75D4602792292EF457A0F4CE235EA0D477B2DE3CE8458B00
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Mem_memcpy$Bytes_DeallocFromMallocReallocSizeString
                                                                  • String ID:
                                                                  • API String ID: 2377850682-0
                                                                  • Opcode ID: 41b2a13bf521d5b7757f118eec8ced83366289b083df3c13bbfcfecfc1a8147d
                                                                  • Instruction ID: 19bd5fa9c204c0ca94a964dbb2c96dc46af6a53054232f38ead7516a95646b4d
                                                                  • Opcode Fuzzy Hash: 41b2a13bf521d5b7757f118eec8ced83366289b083df3c13bbfcfecfc1a8147d
                                                                  • Instruction Fuzzy Hash: 405159B2A29F8281EA589F36D48427972A6FB45FA4F58E635CE8D47764DF3CE0518300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func
                                                                  • String ID: %d work, %d block, ratio %5.2f$ too repetitive; using fallback sorting algorithm$VUUU
                                                                  • API String ID: 711238415-2988393112
                                                                  • Opcode ID: c9a2b1f2fff8b693f84e6fade5b350d543d714228db9c5a9fe61d7526b9c9b01
                                                                  • Instruction ID: af3b699495a39511595140af3ea527395f24458dd797e867166eecd4326409c1
                                                                  • Opcode Fuzzy Hash: c9a2b1f2fff8b693f84e6fade5b350d543d714228db9c5a9fe61d7526b9c9b01
                                                                  • Instruction Fuzzy Hash: 3141D772A28A4187E7189F36D44417877A6FB98B64F18A336DE0E53775DF3DE8428700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3709167204.00007FFB1E841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFB1E840000, based on PE: true
                                                                  • Associated: 00000008.00000002.3709113784.00007FFB1E840000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709183900.00007FFB1E843000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709239335.00007FFB1E845000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709265478.00007FFB1E846000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1e840000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Dealloc$DescriptorErr_FastFileObject_Sequence_String
                                                                  • String ID: arguments 1-3 must be sequences$too many file descriptors in select()
                                                                  • API String ID: 3320488554-3996108163
                                                                  • Opcode ID: 663c9d7e54148f1ae31ea019f9802c07c2ccdac2675d68113b08dfc84bed29b7
                                                                  • Instruction ID: 7e432815339367a03f57849d6da872c0ce3b38d518d6d8c7a03183eda6e21bc3
                                                                  • Opcode Fuzzy Hash: 663c9d7e54148f1ae31ea019f9802c07c2ccdac2675d68113b08dfc84bed29b7
                                                                  • Instruction Fuzzy Hash: C7414AB6A08F0286EB158F25E94427877A6FB94BB4F144231DA6E43794DF3CF555C310
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Buffer_$Arg_ArgumentBufferContiguousObject_ReleaseThread_acquire_lockThread_release_lockmemset
                                                                  • String ID: argument$compress$contiguous buffer
                                                                  • API String ID: 1731275941-2310704374
                                                                  • Opcode ID: 14121d2eb2f0784b8e94f491fcd0c9020d2f8b8e0951888bcb593b8e05aee52d
                                                                  • Instruction ID: bc8ed29d2fc044bd7fe1722d2f142879bec66dd55243a9bd58aebbcee1cd8b98
                                                                  • Opcode Fuzzy Hash: 14121d2eb2f0784b8e94f491fcd0c9020d2f8b8e0951888bcb593b8e05aee52d
                                                                  • Instruction Fuzzy Hash: 591151A2A28F4681EA18DB35E4442B96362FB48B94F5CE231DA4D43674EF3CE549C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: DeallocString$AppendBytes_Err_FromList_Size
                                                                  • String ID: Unable to allocate output buffer.$avail_out is non-zero in _BlocksOutputBuffer_Grow().
                                                                  • API String ID: 1563898963-3455802345
                                                                  • Opcode ID: ff338362e5abe2334e11cb080246bf7f77446c403590bc40d540ec3316304a65
                                                                  • Instruction ID: 517784c0d6783b8dd0689e1e06f7c3006589347b9ac46af307d50f0bb1491af6
                                                                  • Opcode Fuzzy Hash: ff338362e5abe2334e11cb080246bf7f77446c403590bc40d540ec3316304a65
                                                                  • Instruction Fuzzy Hash: 7C31EFB2A28F4682EA1C8B35E94412963E6EB45BF4F18A731DA1D477F4EF3DE5418300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Arg_KeywordsLong_ModuleModule_StateType_
                                                                  • String ID: BZ2Compressor
                                                                  • API String ID: 694278274-1096114097
                                                                  • Opcode ID: c29017a166be628f3c043c4071bfaebd4dc5a5912452c5fe267a8d3f159135bf
                                                                  • Instruction ID: 3688b00160e9d3b7e89607220ea7e5a47b60f679ede96ef43dfb0e2172045a6c
                                                                  • Opcode Fuzzy Hash: c29017a166be628f3c043c4071bfaebd4dc5a5912452c5fe267a8d3f159135bf
                                                                  • Instruction Fuzzy Hash: 002121B1A3DF4285EA6C9F36D4441796362EB58BA0F5CA231CA1D477B4DF3CE4458300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Eval_ThreadThread_acquire_lock$Err_RestoreSaveStringThread_release_lockmemcpy
                                                                  • String ID: End of stream already reached
                                                                  • API String ID: 180092378-3466344095
                                                                  • Opcode ID: 309d9335925c998c01d05fe5717c16006e6c4eec569cf43e6d0882e4142690fe
                                                                  • Instruction ID: d39231e8afb72a63a402d689ca941d385d57c09210ed3f25df16a451e2686b49
                                                                  • Opcode Fuzzy Hash: 309d9335925c998c01d05fe5717c16006e6c4eec569cf43e6d0882e4142690fe
                                                                  • Instruction Fuzzy Hash: EC112EA5A28E4186EA1CCB76E8441696762FB89FD0F0CA232DF4E43B35CF3CE4558300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Eval_ThreadThread_acquire_lock$RestoreSaveThread_release_lock
                                                                  • String ID: Compressor has been flushed
                                                                  • API String ID: 1906554297-3904734015
                                                                  • Opcode ID: 44824e688ac5818207e66a8fa07d8ee67426f91ffe2dff722fcdce01adc47589
                                                                  • Instruction ID: 012bc5bfc89ed5f9e4f0e6b89fa3cc95880e21751ae5f966b5ea2edcde9a5d94
                                                                  • Opcode Fuzzy Hash: 44824e688ac5818207e66a8fa07d8ee67426f91ffe2dff722fcdce01adc47589
                                                                  • Instruction Fuzzy Hash: 291100B1A28E4282EA1CDB26F5445796366FB89FE0B18A632DE4D47B74CF3CE451C340
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Eval_Thread$RestoreSaveStringThread_acquire_lock$Bytes_Err_FromList_SizeThread_release_lock
                                                                  • String ID: Repeated call to flush()
                                                                  • API String ID: 3236580226-194442007
                                                                  • Opcode ID: 5871bef96599481079b609c1d245c472c7a68676c479b15d6616a7a45fe64ed0
                                                                  • Instruction ID: 60e618dae2f5ba1fc95176ccfa228dfc68a51afd393e403a3fe7a129dbecb3b8
                                                                  • Opcode Fuzzy Hash: 5871bef96599481079b609c1d245c472c7a68676c479b15d6616a7a45fe64ed0
                                                                  • Instruction Fuzzy Hash: 66111271A2CE5282EA1C9B36E5445796362EB89BA0F48A231DA0D47774CF3CE496C740
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Dealloc$Bytes_FromSizeStringmemcpy
                                                                  • String ID: Unable to allocate output buffer.
                                                                  • API String ID: 76732796-2565006440
                                                                  • Opcode ID: 192d9c9cdf7fb7c81c0bae171a6cbb097aeaf5356c6e4851a41644aa9c401917
                                                                  • Instruction ID: 55243475e753ee6d2331e27bf7df794f9a9261729ec897d7ff59e08d43653e3b
                                                                  • Opcode Fuzzy Hash: 192d9c9cdf7fb7c81c0bae171a6cbb097aeaf5356c6e4851a41644aa9c401917
                                                                  • Instruction Fuzzy Hash: 75410EB6A29E0286EB1D8F26C44426937A2FB48FA4F18A632DF1D47764DF39D461C300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Dealloc$Err_StringThread_allocate_lockmemset
                                                                  • String ID: Unable to allocate lock$compresslevel must be between 1 and 9
                                                                  • API String ID: 451674277-2500606449
                                                                  • Opcode ID: 3dccc7cd2452e4a8ba701b6261aeff0617572921f18deb801f63fe5c7fd59db8
                                                                  • Instruction ID: cd99c457e52b389fe5b4e6f5f3745e2466ca98efe0b2bc8e62a56234290507d7
                                                                  • Opcode Fuzzy Hash: 3dccc7cd2452e4a8ba701b6261aeff0617572921f18deb801f63fe5c7fd59db8
                                                                  • Instruction Fuzzy Hash: 9921C9B1A38F0281EB1C9B35D84427863AAEF59B65F5CA635C60D866B5DF3CF485C300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: DeallocString$Bytes_Err_FromSizeThread_allocate_lock
                                                                  • String ID: Unable to allocate lock
                                                                  • API String ID: 553681934-3516605728
                                                                  • Opcode ID: 759680a25ddd07c6aa1ccb4943ed979172cd353d0607e0d9c42c479e1e040031
                                                                  • Instruction ID: 93b07c03e2a10e17b0f5e6b0489f147015eef0ba2631c009eba55fc923526b7a
                                                                  • Opcode Fuzzy Hash: 759680a25ddd07c6aa1ccb4943ed979172cd353d0607e0d9c42c479e1e040031
                                                                  • Instruction Fuzzy Hash: F4214AA1A29F0281FB1C5F34D84437832E6EF09B29F0CE635DA0D852B5DF3CA0488310
                                                                  APIs
                                                                  • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB1BA4C8F1
                                                                    • Part of subcall function 00007FFB1BA4C8A0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FFB1BA4B152), ref: 00007FFB1BA4C8D6
                                                                  • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB1BA4C91D
                                                                  • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB1BA4C937
                                                                  Strings
                                                                  • 1.0.8, 13-Jul-2019, xrefs: 00007FFB1BA4C8F7
                                                                   • bzip2/libbzip2: internal error number %d. This is a bug in bzip2/libbzip2, %s. Please report it to: bzip2-devel@sourceware.org. If this happened when you were using some program which uses libbzip2 as a component, you should also report this bug to the auth, xrefs: 00007FFB1BA4C904
                                                                   • *** A special note about internal error number 1007 *** Experience suggests that a common cause of i.e. 1007 is unreliable memory or other hardware. The 1007 assertion just happens to cross-check the results of huge numbers of memory reads/writes, and so ac, xrefs: 00007FFB1BA4C926
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func$__stdio_common_vfprintfexit
                                                                   • String ID: bzip2/libbzip2: internal error number %d. This is a bug in bzip2/libbzip2, %s. Please report it to: bzip2-devel@sourceware.org. If this happened when you were using some program which uses libbzip2 as a component, you should also report this bug to the auth$*** A special note about internal error number 1007 *** Experience suggests that a common cause of i.e. 1007 is unreliable memory or other hardware. The 1007 assertion just happens to cross-check the results of huge numbers of memory reads/writes, and so ac$1.0.8, 13-Jul-2019
                                                                  • API String ID: 77255540-989448446
                                                                  • Opcode ID: 836efcf6b23a4585cd62e76ace601ecc2435689098995399630fc0c516941a58
                                                                  • Instruction ID: ce443e9fd0d495b4cdfeda5fc7487e749c5fc1904ff56eb148bc7abc85f0cfab
                                                                  • Opcode Fuzzy Hash: 836efcf6b23a4585cd62e76ace601ecc2435689098995399630fc0c516941a58
                                                                  • Instruction Fuzzy Hash: BDE065A0A38D0652F61C6774E4952781257EF59760F48B239C60E063B2AD6D25048341
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: DeallocEval_Thread$Bytes_FromList_RestoreSaveSizeString
                                                                  • String ID:
                                                                  • API String ID: 722544280-0
                                                                  • Opcode ID: 299e1a11eefcece535b48eefa17f910425dba9180d5bd0db985f057c361aac7e
                                                                  • Instruction ID: ed753acced574000ae79a69035d918875f9a4597f81dc25283fbcca064401f2d
                                                                  • Opcode Fuzzy Hash: 299e1a11eefcece535b48eefa17f910425dba9180d5bd0db985f057c361aac7e
                                                                  • Instruction Fuzzy Hash: 5C416EB2A28F0286EA6D8B35D40027972A2FB54B74F58A735DF5D837A4DF3CE4518740
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: combined CRCs: stored = 0x%08x, computed = 0x%08x$ {0x%08x, 0x%08x}
                                                                  • API String ID: 0-2474432645
                                                                  • Opcode ID: beca674fd8db362ae3c326a262006269a39a6cc495ac54829b8af714453b82f3
                                                                  • Instruction ID: 061d16af86ba969961fb03e537108e59994e46842091d30d1077b9e13a686569
                                                                  • Opcode Fuzzy Hash: beca674fd8db362ae3c326a262006269a39a6cc495ac54829b8af714453b82f3
                                                                  • Instruction Fuzzy Hash: 0D4172B1A6D94286EB6C8F35C08067C72D2EB45B64F1CE335DA0E872E5DF39A8498710
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                   • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Arg_$KeywordsModuleModule_PositionalStateType_
                                                                  • String ID: BZ2Decompressor
                                                                  • API String ID: 2980520244-1337346095
                                                                  • Opcode ID: f57c856a1eaa85dad08e037339d259dc31bffbd300076d52cdc827e69f7ac027
                                                                  • Instruction ID: 3a50230ee841d087814b3a93bef5e0fef25784a330530c7f0778a5f16b34bff8
                                                                  • Opcode Fuzzy Hash: f57c856a1eaa85dad08e037339d259dc31bffbd300076d52cdc827e69f7ac027
                                                                  • Instruction Fuzzy Hash: 98212CA2A29E4681EA588B22D88057967A2FB44BA4F4C9632DE4D47774DF3CE4858300
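The functions recorded above for the module dumped at base 00007FFB1BA40000 are stock library code, not code specific to this sample: "1.0.8, 13-Jul-2019" is the BZ_VERSION string of libbzip2 1.0.8, "combined CRCs: stored = 0x%08x, computed = 0x%08x" is a libbzip2 decompressor message, and "BZ2Compressor", "BZ2Decompressor", "compresslevel must be between 1 and 9", "Repeated call to flush()", "Compressor has been flushed" and "End of stream already reached" are messages raised by CPython's _bz2 extension module, whose API tokens (Eval_..., Thread_acquire_lock, Err_..., Bytes_From...Size, Arg_...Keywords) correspond to CPython C-API calls such as PyEval_RestoreThread, PyThread_acquire_lock, PyErr_SetString, PyBytes_FromStringAndSize and PyArg_ParseTupleAndKeywords. The opcode and instruction hashes of these functions will therefore match any binary that ships the same CPython build and are not useful as a signature for l4.exe. The Python script below is an added example and is not part of the Joe Sandbox report: it parses records in the format of this listing, strips the "Download File" link text that page exports glue onto the Associated file names, groups functions by module base, matches the recorded strings against a marker table constructed for this example, and returns the opcode IDs of functions that belong to identified library code so they can be put on an exclusion list. The embedded sample records are copied from this listing (two from this module, one from a second module at base 00007FFB1E840000) and shortened to the fields the parser uses.

```python
"""Triage helper for Joe Sandbox 'IDA Plugin' function records (added example,
not part of the report): parse the records, group them by dumped module base,
match their strings against a library-marker table, list library-code hashes."""
import re
from collections import defaultdict

# Constructed marker table. The literals are strings recorded in the report;
# the attribution is this example's own: "1.0.8, 13-Jul-2019" is the BZ_VERSION
# string of libbzip2 1.0.8, the rest are messages from CPython's _bz2 module.
LIBRARY_MARKERS = {
    "1.0.8, 13-Jul-2019": "libbzip2 1.0.8",
    "BZ2Compressor": "CPython _bz2 module",
    "BZ2Decompressor": "CPython _bz2 module",
    "compresslevel must be between 1 and 9": "CPython _bz2 module",
    "Repeated call to flush()": "CPython _bz2 module",
}

# Constructed sample: three records copied from the report listing, shortened
# to the fields used here; the long bzip2 assertion text is cut to one sentence.
SAMPLE_REPORT = """\
APIs
• Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
• API ID: Arg_KeywordsLong_ModuleModule_StateType_
• String ID: BZ2Compressor
• Opcode ID: c29017a166be628f3c043c4071bfaebd4dc5a5912452c5fe267a8d3f159135bf
• Instruction Fuzzy Hash: 002121B1A3DF4285EA6C9F36D4441796362EB58BA0F5CA231CA1D477B4DF3CE4458300
APIs
• Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
• API ID: __acrt_iob_func$__stdio_common_vfprintfexit
• String ID: bzip2/libbzip2: internal error number %d.$1.0.8, 13-Jul-2019
• Opcode ID: 836efcf6b23a4585cd62e76ace601ecc2435689098995399630fc0c516941a58
• Instruction Fuzzy Hash: BDE065A0A38D0652F61C6774E4952781257EF59760F48B239C60E063B2AD6D25048341
Strings
• Source File: 00000008.00000002.3709167204.00007FFB1E841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFB1E840000, based on PE: true
• API ID: Module_$FromInternObjectStateStringUnicode_
• String ID: close$error
• Opcode ID: 0a630f88c3fb29b6303c131d10015d5f25b4110c9ff69da5c0eced729275bb56
• Instruction Fuzzy Hash: E7F03AE1B09F47D2EA048B75F84426933A2FF09BA4B444136EA1D463A0DE3CF4598310
"""

_BULLET = re.compile(r"^\s*•\s*([^:]+?):\s*(.*)$")
_OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]{16})")
_RESIDUE = "Download File"  # link text glued onto file names by the page export


def parse_records(text):
    """Return one dict per function; a record ends at its Instruction Fuzzy Hash."""
    records, cur = [], {"associated": []}
    for line in text.splitlines():
        m = _BULLET.match(line)
        if not m:
            continue  # section headings ("APIs", "Strings", ...) carry no data
        key, value = m.group(1).strip(), m.group(2).strip()
        if value.endswith(_RESIDUE):
            value = value[: -len(_RESIDUE)].rstrip()
        if key == "Source File":
            off = _OFFSET.search(value)
            cur["module_base"] = int(off.group(1), 16) if off else None
            cur["source_file"] = value.split(",", 1)[0]
        elif key == "Associated":
            cur["associated"].append(value)
        elif key in ("API ID", "String ID"):  # several names joined with '$'
            cur["apis" if key == "API ID" else "strings"] = [s for s in value.split("$") if s]
        else:
            cur[key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = {"associated": []}
    return records


def identify_modules(records):
    """Map module base -> function count and the libraries its strings identify."""
    modules = defaultdict(lambda: {"functions": 0, "libraries": set()})
    for rec in records:
        entry = modules[rec.get("module_base")]
        entry["functions"] += 1
        for s in rec.get("strings", []):
            for marker, library in LIBRARY_MARKERS.items():
                if marker in s:
                    entry["libraries"].add(library)
    return dict(modules)


def library_code_hashes(records, modules):
    """Opcode IDs of functions in modules identified as known library code.

    Such hashes match any binary that ships the same library build, so they
    belong on an exclusion list, not in a signature for the sample itself."""
    lib_bases = {base for base, e in modules.items() if e["libraries"]}
    return sorted(r["Opcode ID"] for r in records if r.get("module_base") in lib_bases)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    mods = identify_modules(recs)
    for base, entry in sorted(mods.items(), key=lambda kv: kv[0] or 0):
        libs = ", ".join(sorted(entry["libraries"])) or "unidentified"
        print(f"module {(base or 0):016X}: {entry['functions']} function(s), {libs}")
    print("library-code hashes to exclude:", library_code_hashes(recs, mods))
```

Run as a script it prints one line per dumped module with the libraries its strings identify, followed by the opcode IDs to exclude; to triage the whole report, pass the full listing to parse_records instead of SAMPLE_REPORT and extend LIBRARY_MARKERS with further version strings you recognise. A module with no marker hits (like the one at 00007FFB1E840000 here, whose strings "close" and "error" are not distinctive) is where manual review should go first.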
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3709167204.00007FFB1E841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFB1E840000, based on PE: true
                                                                   • Associated: 00000008.00000002.3709113784.00007FFB1E840000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 00000008.00000002.3709183900.00007FFB1E843000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 00000008.00000002.3709239335.00007FFB1E845000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 00000008.00000002.3709265478.00007FFB1E846000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1e840000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Module_$FromInternObjectStateStringUnicode_
                                                                  • String ID: close$error
                                                                  • API String ID: 4029360594-371397155
                                                                  • Opcode ID: 0a630f88c3fb29b6303c131d10015d5f25b4110c9ff69da5c0eced729275bb56
                                                                  • Instruction ID: 8695d7a82a611ff4ce137d7ff9eae1c54856a8cbf5ff486c60f718fb0aab900b
                                                                  • Opcode Fuzzy Hash: 0a630f88c3fb29b6303c131d10015d5f25b4110c9ff69da5c0eced729275bb56
                                                                  • Instruction Fuzzy Hash: E7F03AE1B09F47D2EA048B75F84426933A2FF09BA4B444136EA1D463A0DE3CF4598310
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3709167204.00007FFB1E841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFB1E840000, based on PE: true
                                                                  • Associated: 00000008.00000002.3709113784.00007FFB1E840000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709183900.00007FFB1E843000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709239335.00007FFB1E845000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709265478.00007FFB1E846000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1e840000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: List_$DeallocItem
                                                                  • String ID:
                                                                  • API String ID: 1559017468-0
                                                                  • Opcode ID: a3b86cd28f5a00db1039b6b37618db01fe58124a87f1d68f694451c2dc2a1ca4
                                                                  • Instruction ID: 3e347501c8de59a73126cf6d02cf0a8a9e068367f54edf52e953e00cc5fe21b5
                                                                  • Opcode Fuzzy Hash: a3b86cd28f5a00db1039b6b37618db01fe58124a87f1d68f694451c2dc2a1ca4
                                                                  • Instruction Fuzzy Hash: CA219AB2A18B4296EB248FA2E4443A973A2FB48FA4F844535CB4E93750DF3CF555C360
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3709167204.00007FFB1E841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFB1E840000, based on PE: true
                                                                  • Associated: 00000008.00000002.3709113784.00007FFB1E840000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709183900.00007FFB1E843000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709239335.00007FFB1E845000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709265478.00007FFB1E846000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1e840000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: DeallocModule_State
                                                                  • String ID:
                                                                  • API String ID: 1903735390-0
                                                                  • Opcode ID: 2ce0c8c7188e7a3beb229335f2cd0a6251314470689c624f0e1d13b771884af1
                                                                  • Instruction ID: 150e8ede84a7fc02413028f883e83e0ee9cd8b5069146e9e261b834a3716ea4a
                                                                  • Opcode Fuzzy Hash: 2ce0c8c7188e7a3beb229335f2cd0a6251314470689c624f0e1d13b771884af1
                                                                  • Instruction Fuzzy Hash: 4B21A4B1B0EE82C5FB5A4F74D84437822E6EF55B29F144031D60E86181DF7EB485C761
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Module_$FromModuleSpecTypeType_$State
                                                                  • String ID:
                                                                  • API String ID: 1138651315-0
                                                                  • Opcode ID: 385c81540caf7594d2d79f420c7c64eb9f9f90bd2783a20cd1ed782b2f8c24c0
                                                                  • Instruction ID: bfe84d5e44a1885afb7725dccae8e7492913d3589bc32e417547c133305373e6
                                                                  • Opcode Fuzzy Hash: 385c81540caf7594d2d79f420c7c64eb9f9f90bd2783a20cd1ed782b2f8c24c0
                                                                  • Instruction Fuzzy Hash: 6F019671B2DF5281FA584B79E58453A6392EF09BE0B48E631EA4D06774EF3CE154C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func
                                                                  • String ID: block %d: crc = 0x%08x, combined CRC = 0x%08x, size = %d$ final combined CRC = 0x%08x
                                                                  • API String ID: 711238415-3357347091
                                                                  • Opcode ID: bae728a6bf01b28945588ec33f57403ca6373a91784663bbbb4fd72b5314d822
                                                                  • Instruction ID: a1bbc5de6fd8aa167b2e34634ea76fd5b179a8e523cea0984184469d0c5a4a54
                                                                  • Opcode Fuzzy Hash: bae728a6bf01b28945588ec33f57403ca6373a91784663bbbb4fd72b5314d822
                                                                  • Instruction Fuzzy Hash: B361EAB6B3971286E628DF3BD4412B93392EB85F54F1CA635DE0907766CE7DE4028740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3707462830.00007FFB0BF21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFB0BF20000, based on PE: true
                                                                  • Associated: 00000008.00000002.3707444300.00007FFB0BF20000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3707644441.00007FFB0C1A2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3707644441.00007FFB0C1C2000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3707644441.00007FFB0C1D1000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3707644441.00007FFB0C247000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3707644441.00007FFB0C312000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708061956.00007FFB0C416000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708111215.00007FFB0C47E000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708132501.00007FFB0C485000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708150326.00007FFB0C486000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708170143.00007FFB0C487000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708187690.00007FFB0C488000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708245115.00007FFB0C50F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708265603.00007FFB0C511000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708286011.00007FFB0C51B000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708316820.00007FFB0C540000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708407281.00007FFB0C541000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708424965.00007FFB0C542000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708442377.00007FFB0C543000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708461056.00007FFB0C545000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708480512.00007FFB0C551000.00000008.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708496637.00007FFB0C552000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708522006.00007FFB0C594000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708544719.00007FFB0C5B1000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb0bf20000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: d2285d0ca78b08e9284e6539fe4cd286835083a25521d89012cfe7de672bd859
                                                                  • Instruction ID: e15df20fa89f7c48805e9fb5aa9a399ae4c4473d94ad15adec452e947758a277
                                                                  • Opcode Fuzzy Hash: d2285d0ca78b08e9284e6539fe4cd286835083a25521d89012cfe7de672bd859
                                                                  • Instruction Fuzzy Hash: 151118A2B14B058AEB00CB70E8596B833B4FF19758F441A31EE6D86BA4EF78D154C340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3707005380.00007FF65ECF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF65ECF0000, based on PE: true
                                                                  • Associated: 00000008.00000002.3706986282.00007FF65ECF0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3707034027.00007FF65ED3C000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3707055207.00007FF65ED56000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3707077361.00007FF65ED61000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ff65ecf0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: 3e9bf284f51a014416bd2e884015404433c55462ee1280fbdb526b963edf0727
                                                                  • Instruction ID: cfb1e106312adb3b1f6904247d6b6d8df0cfef14e0807b614eed59671c93226f
                                                                  • Opcode Fuzzy Hash: 3e9bf284f51a014416bd2e884015404433c55462ee1280fbdb526b963edf0727
                                                                  • Instruction Fuzzy Hash: 01111826B15F098AEF00CB64E9542B833A4FB69758F480B31EA6D977A4DF78D1948340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3709167204.00007FFB1E841000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFB1E840000, based on PE: true
                                                                  • Associated: 00000008.00000002.3709113784.00007FFB1E840000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709183900.00007FFB1E843000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709239335.00007FFB1E845000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3709265478.00007FFB1E846000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1e840000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: 7f6b854855521a5eeb54a69c346efd32b0b439a43f7217cfd0872cc224e201bb
                                                                  • Instruction ID: 4bc10fc5cdc1e469a81fdf747a4b91fca270d0e63004a2e34118eceb34a7de7f
                                                                  • Opcode Fuzzy Hash: 7f6b854855521a5eeb54a69c346efd32b0b439a43f7217cfd0872cc224e201bb
                                                                  • Instruction Fuzzy Hash: A0110C66B15F018AEB00CF70E8553B833A4FB59B68F441E35DA6D46BA4EF7CE1548390
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.3708761311.00007FFB1BA41000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFB1BA40000, based on PE: true
                                                                  • Associated: 00000008.00000002.3708746034.00007FFB1BA40000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708781207.00007FFB1BA4E000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708798910.00007FFB1BA52000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 00000008.00000002.3708847006.00007FFB1BA53000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7ffb1ba40000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: c9d2bc6b1f4b90143cfcf8b72833dd591a01bb31496536103f8e1994dd480a1d
                                                                  • Instruction ID: d3d25829be9eaaab56666a90ae80af98048d0122d46899048d2024c68fffcb96
                                                                  • Opcode Fuzzy Hash: c9d2bc6b1f4b90143cfcf8b72833dd591a01bb31496536103f8e1994dd480a1d
                                                                  • Instruction Fuzzy Hash: E5115A62B29F019AEB04CF70E8542B933A5FB59768F482E31EA2D427A4DF3CD1588340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.1470905065.00007FF65B131000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00007FF65B130000, based on PE: true
                                                                  • Associated: 0000000A.00000002.1470744595.00007FF65B130000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                  • Associated: 0000000A.00000002.1471024680.00007FF65B152000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                  • Associated: 0000000A.00000002.1471185441.00007FF65B15F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                  • Associated: 0000000A.00000002.1471185441.00007FF65B171000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                  • Associated: 0000000A.00000002.1471185441.00007FF65B177000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                  • Associated: 0000000A.00000002.1471185441.00007FF65B179000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                  • Associated: 0000000A.00000002.1471185441.00007FF65B17B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                  • Associated: 0000000A.00000002.1471418183.00007FF65B184000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff65b130000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: e5452eedf9582e092569b7414b2f17c91349fbc22d9af30a0b797327307e927a
                                                                  • Instruction ID: 2dc1467c97e4f5b9dfda9473415312470c13bebd745bb54a2b054bffa6fe8d44
                                                                  • Opcode Fuzzy Hash: e5452eedf9582e092569b7414b2f17c91349fbc22d9af30a0b797327307e927a
                                                                  • Instruction Fuzzy Hash: C6115A22B14F018AEF50CF60E8442B933A4FB1D758F480E31EA6D977A4EF38D1948780
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 313767242-0
                                                                  • Opcode ID: 3d249a4d3ec741f06bccba3fca43a7136d5c4f0ed13e34deacf6695f45bbc58d
                                                                  • Instruction ID: 9f0bde6e5e3ca50a143c932941076f7a36ee61ce19ad8833c0883307477a9334
                                                                  • Opcode Fuzzy Hash: 3d249a4d3ec741f06bccba3fca43a7136d5c4f0ed13e34deacf6695f45bbc58d
                                                                  • Instruction Fuzzy Hash: 50316DB2619F819AEB608F64E8803ED73A1FB84754F44953ADA4E87BA4DF38D548C710
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 313767242-0
                                                                  • Opcode ID: 012467218d5544a4534461b4b62cf789c3f5b00e1029445c7606c465824eddd2
                                                                  • Instruction ID: 1ca05c2dbe97d501bc5d75bc85ca8bae4aa7abfb27d7f445dfa162e5da394941
                                                                  • Opcode Fuzzy Hash: 012467218d5544a4534461b4b62cf789c3f5b00e1029445c7606c465824eddd2
                                                                  • Instruction Fuzzy Hash: 93313CB2A08F8186EB618F75F8403E97365FB84755F44443AEA4E47B94DF38E649C720
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Module_$Constant$FromType$LongModuleSpecType_$Err_ExceptionLong_ObjectStateTuple_With
                                                                  • String ID: CHECK_CRC32$CHECK_CRC64$CHECK_ID_MAX$CHECK_NONE$CHECK_SHA256$CHECK_UNKNOWN$Call to liblzma failed.$FILTER_ARM$FILTER_ARMTHUMB$FILTER_DELTA$FILTER_IA64$FILTER_LZMA1$FILTER_LZMA2$FILTER_POWERPC$FILTER_SPARC$FILTER_X86$FORMAT_ALONE$FORMAT_AUTO$FORMAT_RAW$FORMAT_XZ$MF_BT2$MF_BT3$MF_BT4$MF_HC3$MF_HC4$MODE_FAST$MODE_NORMAL$PRESET_DEFAULT$PRESET_EXTREME$_lzma.LZMAError
                                                                  • API String ID: 2322464913-730042774
                                                                  • Opcode ID: b091e49e01b098b25a876694f3ea7601ad3c204f15de4486665e150d791b2536
                                                                  • Instruction ID: 679d3b605cc4fc02c24330e10a3528bbf8e470bcd7a0fed19386593a801b2804
                                                                  • Opcode Fuzzy Hash: b091e49e01b098b25a876694f3ea7601ad3c204f15de4486665e150d791b2536
                                                                  • Instruction Fuzzy Hash: 64A1B5A1B28F1252E7149F36EA502B56767AF08BB4F40E334CD1DC6675EFADE504C620
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Dealloc$Err_LongString$Bytes_FromLong_ModuleOccurredSizeStateThread_allocate_lockType_Unsigned
                                                                  • String ID: Cannot specify filters except with FORMAT_RAW$Cannot specify memory limit with FORMAT_RAW$Invalid container format: %d$Must specify filters for FORMAT_RAW$Unable to allocate lock
                                                                  • API String ID: 553332449-1518367256
                                                                  • Opcode ID: 83269ee791d243be0076bb43cd9e278918348ca24e3dda33455d90f1b8b1c2f8
                                                                  • Instruction ID: 9bbb08f525077752e644ab5258a313315f08510533917fb769333745f132ab9c
                                                                  • Opcode Fuzzy Hash: 83269ee791d243be0076bb43cd9e278918348ca24e3dda33455d90f1b8b1c2f8
                                                                  • Instruction Fuzzy Hash: 82614BA1A28E4285EB648F36E85427977A6BF54BB4F48E336DD1D863B4DF3CE4448300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Err_$LongMem_String$Arg_CallocClearDeallocExceptionFreeItemKeywords_Long_Mapping_MatchesOccurredParseSizeTupleUnsigned
                                                                  • String ID: Invalid compression preset: %u$Invalid filter specifier for LZMA filter$preset$|OOO&O&O&O&O&O&O&O&
                                                                  • API String ID: 1879153319-1461672608
                                                                  • Opcode ID: f4c4c6e41dfebc803be0e4ebb02aeaa3e2e4c228a037d78fce276d899d29ed1e
                                                                  • Instruction ID: 77b17a8d3b954a127e691189eda22c81e3e50f19069751c7e2f009b6f0529d94
                                                                  • Opcode Fuzzy Hash: f4c4c6e41dfebc803be0e4ebb02aeaa3e2e4c228a037d78fce276d899d29ed1e
                                                                  • Instruction Fuzzy Hash: 2D512EB5618F4285EA20CF35F4502A973A6FB88BA4F54A236DA9D83774DF3CE458C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Arg_Buffer_$ArgumentBufferContiguousErr_IndexKeywordsLong_Number_Object_OccurredReleaseSsize_tUnpackmemset
                                                                  • String ID: argument 'data'$contiguous buffer$decompress
                                                                  • API String ID: 883004049-2667845042
                                                                  • Opcode ID: bd01afbcdf428c3c6fd1533d6da37d25cba52a063e969e166f86159c4183e5fb
                                                                  • Instruction ID: 4e561aa4f075d3b0df33816aa0d0eebd3da6ea210ec29ba49dcb3ce223120964
                                                                  • Opcode Fuzzy Hash: bd01afbcdf428c3c6fd1533d6da37d25cba52a063e969e166f86159c4183e5fb
                                                                  • Instruction Fuzzy Hash: 594150A1A29F4282EA518F22E44427963A6FB49BB0F44A331DE6D537B4DF3CE445C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Buffer_$Arg_BufferContiguousIndexKeywordsLong_Number_Object_ReleaseSsize_tUnpackmemset
                                                                  • String ID: argument 'data'$contiguous buffer$decompress
                                                                  • API String ID: 2593461735-2667845042
                                                                  • Opcode ID: 765b22e1d0c43746eefacce39cc61ecbcbbe27cbcf58c331b942709e186efdb8
                                                                  • Instruction ID: ab72130f464c323759ca168cedec3e6e07e294087ae09a60eca9799396be0734
                                                                  • Opcode Fuzzy Hash: 765b22e1d0c43746eefacce39cc61ecbcbbe27cbcf58c331b942709e186efdb8
                                                                  • Instruction Fuzzy Hash: 52418AA2A08F5682EA129F26F4847B963A6FB48BA4F454131EE1F07794EF7CF505C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: DeallocErr_$Arg_FormatKeywords_ModuleParseSizeStateStringThread_allocate_lockTupleType_
                                                                  • String ID: Cannot specify both preset and filter chain$Integrity checks are only supported by FORMAT_XZ$Invalid container format: %d$Unable to allocate lock$|iiOO:LZMACompressor
                                                                  • API String ID: 1600877341-3984722346
                                                                  • Opcode ID: 1e688a17dabf5163ed9c27b377d890ab5408a498247c306a90725e182f9f5b69
                                                                  • Instruction ID: 2131501c4bf462a0d5657452658e92402f3ecb070907a07060b7843bf47031e7
                                                                  • Opcode Fuzzy Hash: 1e688a17dabf5163ed9c27b377d890ab5408a498247c306a90725e182f9f5b69
                                                                  • Instruction Fuzzy Hash: 25612CB2A28F1285EB508F76E4400B837A6FB48BA8F50A636D95D83778DF3DE545C740
                                                                  APIs
                                                                  • PyMapping_Check.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0B81
                                                                  • PyMapping_GetItemString.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0B9B
                                                                  • PyLong_AsUnsignedLongLong.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0BB0
                                                                  • PyErr_Occurred.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0BC7
                                                                  • PyErr_ExceptionMatches.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0C40
                                                                  • PyErr_Format.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0C89
                                                                  • PyErr_SetString.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0CA2
                                                                  • _Py_Dealloc.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD5D3A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Err_$LongMapping_String$CheckDeallocExceptionFormatItemLong_MatchesOccurredUnsigned
                                                                  • String ID: Filter specifier must be a dict or dict-like object$Filter specifier must have an "id" entry$Invalid filter ID: %llu
                                                                  • API String ID: 1881886752-3390802605
                                                                  • Opcode ID: 0c5f6f5e7484fbb015a79b71ea40a48de156ee4d8636223415d5697c2780f545
                                                                  • Instruction ID: abaf10eb24119e534b4a66ee1110a0fe404e6264da1d1af8101fd2d092ce08ce
                                                                  • Opcode Fuzzy Hash: 0c5f6f5e7484fbb015a79b71ea40a48de156ee4d8636223415d5697c2780f545
                                                                  • Instruction Fuzzy Hash: 4A41DFB5A6DE0385EA749F36E46417863A6FB49BE4B44E236CA9DC6670DE3CE4448300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Arg_Buffer_Long$ArgumentBufferCheckContiguousErr_Long_Module_Object_OccurredPositionalReleaseStateUnsignedfreememset
                                                                  • String ID: _decode_filter_properties$argument 2$contiguous buffer
                                                                  • API String ID: 3656606796-2431706548
                                                                  • Opcode ID: 6ac779201fb040bc529056ec0a6a5a048fdef9ca7122a7e56471178991ab58fb
                                                                  • Instruction ID: 1a4f4ac98d221edf24c3845211b70df2a17f99630149a65697c260073ef1fb89
                                                                  • Opcode Fuzzy Hash: 6ac779201fb040bc529056ec0a6a5a048fdef9ca7122a7e56471178991ab58fb
                                                                  • Instruction Fuzzy Hash: 1A3182A1A28E4681EA209B36D4445B96362FF88FD4F58D231DA5D87674DF3CE549C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Err_$MemoryString
                                                                  • String ID: Corrupt input data$Input format not supported by decoder$Insufficient buffer space$Internal error$Invalid or unsupported options$Memory usage limit exceeded$Unrecognized error from liblzma: %d$Unsupported integrity check
                                                                  • API String ID: 60457842-2177155514
                                                                  • Opcode ID: e667bd3184b1031ca586e5cabd8905ebea692642c7ea9d8a448339030e972199
                                                                  • Instruction ID: 276d383c6ab952e55091789f716170a7429192b5920a7e95c834a4cd83904193
                                                                  • Opcode Fuzzy Hash: e667bd3184b1031ca586e5cabd8905ebea692642c7ea9d8a448339030e972199
                                                                  • Instruction Fuzzy Hash: E921E9E5E7CE1391EAA98739D4540B422A3BF45771F64F335C00E869B4AF7DE944D200
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Mem_$memcpy$Bytes_DeallocErr_FreeFromMallocNoneReallocSizeStringmemmove
                                                                  • String ID:
                                                                  • API String ID: 1220578264-0
                                                                  • Opcode ID: 85adeaa55f33651ef0f232b94068ae9b2308325af99af7830eee87ddd8bfa38a
                                                                  • Instruction ID: 210977795fac94f691147cc4e376b51ec2d3905d45899191901e1acfb180c339
                                                                  • Opcode Fuzzy Hash: 85adeaa55f33651ef0f232b94068ae9b2308325af99af7830eee87ddd8bfa38a
                                                                  • Instruction Fuzzy Hash: BB515DA2A29E4281EB608F35E84027963A6FB44FB4F18A236CE4D57774DF3CE4518300
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID:
                                                                  • API String ID: 190073905-0
                                                                  • Opcode ID: 425fd5ac1271bb133272e3ab21a2143b35eb579dd60372998353d793c77f0ddb
                                                                  • Instruction ID: b6aaa68732345176b636583416130afdf6126af02ad19e8583ebb96da63a8664
                                                                  • Opcode Fuzzy Hash: 425fd5ac1271bb133272e3ab21a2143b35eb579dd60372998353d793c77f0ddb
                                                                  • Instruction Fuzzy Hash: 6E817DE0F28E4346FA509B35D4812B966E3AF45BA0F44E335D90DC77B6DE7CE9058600
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                  • String ID:
                                                                  • API String ID: 190073905-0
                                                                  • Opcode ID: 2eaa67de80a121e031fad50f9f59be50fff6b26d2a98fc10d8919c7430d16f7e
                                                                  • Instruction ID: df55c83a024a8ce6a2adeb2e854e89cfe804f0873b1556a5089acfd843280e11
                                                                  • Opcode Fuzzy Hash: 2eaa67de80a121e031fad50f9f59be50fff6b26d2a98fc10d8919c7430d16f7e
                                                                  • Instruction Fuzzy Hash: A1819FE0E0CE4746FA56AB7AF44127A22A3AF857A2F444036D94E47792DE3CF9478710
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Mem_memcpy$Bytes_DeallocFromMallocReallocSizeString
                                                                  • String ID:
                                                                  • API String ID: 2377850682-0
                                                                  • Opcode ID: 41b2a13bf521d5b7757f118eec8ced83366289b083df3c13bbfcfecfc1a8147d
                                                                  • Instruction ID: a411971cf21684b467e400e7834697e4b74f280f924b37762c83971e058952ee
                                                                  • Opcode Fuzzy Hash: 41b2a13bf521d5b7757f118eec8ced83366289b083df3c13bbfcfecfc1a8147d
                                                                  • Instruction Fuzzy Hash: B35137B2A09F9281EB269F36E44427A63A6FB44FA4F188435DE8F5A754DF7CF0518310
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func
                                                                  • String ID: %d work, %d block, ratio %5.2f$ too repetitive; using fallback sorting algorithm$VUUU
                                                                  • API String ID: 711238415-2988393112
                                                                  • Opcode ID: c9a2b1f2fff8b693f84e6fade5b350d543d714228db9c5a9fe61d7526b9c9b01
                                                                  • Instruction ID: 433f02e9c026d7b77c5952386dbe9abba03614eb35ebb244e8bf9b775f467913
                                                                  • Opcode Fuzzy Hash: c9a2b1f2fff8b693f84e6fade5b350d543d714228db9c5a9fe61d7526b9c9b01
                                                                  • Instruction Fuzzy Hash: 3241A2B2A18A4187E6259F39E44517873A6FF88B64F101236EE4F537A5DF3DF482C600
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Buffer_$Arg_ArgumentBufferContiguousObject_ReleaseThread_acquire_lockThread_release_lockmemset
                                                                  • String ID: argument$compress$contiguous buffer
                                                                  • API String ID: 1731275941-2310704374
                                                                  • Opcode ID: e49fcee8418d40925be70ffaeb55ce411285ea8029e7bf477f1f0c24e54d7857
                                                                  • Instruction ID: ff9bd9a44478f1d16a6515a873776e45af4c71e60d8c44a3fe505fd886396bf9
                                                                  • Opcode Fuzzy Hash: e49fcee8418d40925be70ffaeb55ce411285ea8029e7bf477f1f0c24e54d7857
                                                                  • Instruction Fuzzy Hash: 9A1189A2B28E4691EB10DF35E4442B96362FB88BE4F54D231DA5D83674EF7CD945C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Buffer_$Arg_ArgumentBufferContiguousObject_ReleaseThread_acquire_lockThread_release_lockmemset
                                                                  • String ID: argument$compress$contiguous buffer
                                                                  • API String ID: 1731275941-2310704374
                                                                  • Opcode ID: 14121d2eb2f0784b8e94f491fcd0c9020d2f8b8e0951888bcb593b8e05aee52d
                                                                  • Instruction ID: 5fba03c685ab37303d9e8b33b4fbd82bfb21b6d40889cadac8be583e8c9d9c01
                                                                  • Opcode Fuzzy Hash: 14121d2eb2f0784b8e94f491fcd0c9020d2f8b8e0951888bcb593b8e05aee52d
                                                                  • Instruction Fuzzy Hash: B41121A2B18E4691EA119B36F8542B96362FB88F94F544231EA4F43664EF7CF645C700
                                                                  APIs
                                                                  • PyBytes_FromStringAndSize.PYTHON312(?,?,?,?,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD24B8
                                                                  • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD24FC
                                                                  • _Py_Dealloc.PYTHON312(?,?,?,?,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD2518
                                                                  • _Py_Dealloc.PYTHON312(?,?,?,?,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD2567
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Dealloc$Bytes_FromSizeStringmemcpy
                                                                  • String ID: Unable to allocate output buffer.
                                                                  • API String ID: 76732796-2565006440
                                                                  • Opcode ID: dfc50fe1e76f4b95923bb712c602e591bc04f2612fcca18cafc909a29d1c47b1
                                                                  • Instruction ID: 83b2996bdd15aa82c113761073b39da8ff272ecc8eaee0c2a5bb9b84f968b92f
                                                                  • Opcode Fuzzy Hash: dfc50fe1e76f4b95923bb712c602e591bc04f2612fcca18cafc909a29d1c47b1
                                                                  • Instruction Fuzzy Hash: DF410DB6A25F0281EB158F26D45426933A2FB48FA4F18A632DE1D83765CF3CE491C300
                                                                  APIs
                                                                  • PyDict_New.PYTHON312(?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD0849
                                                                    • Part of subcall function 00007FFB1BAD0970: PyLong_FromUnsignedLongLong.PYTHON312(?,?,?,00007FFB1BAD086D,?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD0988
                                                                    • Part of subcall function 00007FFB1BAD0970: PyUnicode_InternFromString.PYTHON312(?,?,?,00007FFB1BAD086D,?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD0999
                                                                    • Part of subcall function 00007FFB1BAD0970: PyDict_SetItem.PYTHON312(?,?,?,00007FFB1BAD086D,?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD09B4
                                                                  • PyErr_Format.PYTHON312(?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD5C50
                                                                  • _Py_Dealloc.PYTHON312(?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD5C6C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Dict_FromLong$DeallocErr_FormatInternItemLong_StringUnicode_Unsigned
                                                                  • String ID: Invalid filter ID: %llu$dict_size$dist$start_offset
                                                                  • API String ID: 1484310907-3368833446
                                                                  • Opcode ID: 2bf5425971416fcf604516447e7ff1f6a8227c031248f9865350739be3ef4e27
                                                                  • Instruction ID: 3a6a48a13e66dda0de539215c9f37ca4114c6eda576e9b1ba89affe0b83fc1d5
                                                                  • Opcode Fuzzy Hash: 2bf5425971416fcf604516447e7ff1f6a8227c031248f9865350739be3ef4e27
                                                                  • Instruction Fuzzy Hash: CF41CBB1A68E0381FA648B36D55427C2362AF49BB4F54E332C66DC66B4DF3CE4A5C700
                                                                  APIs
                                                                  • PyErr_SetString.PYTHON312(?,?,?,00007FFB1BAD4D6B,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD63B8
                                                                  • PyBytes_FromStringAndSize.PYTHON312(?,?,?,00007FFB1BAD4D6B,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD641B
                                                                  • PyList_Append.PYTHON312(?,?,?,00007FFB1BAD4D6B,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD642F
                                                                  • _Py_Dealloc.PYTHON312(?,?,?,00007FFB1BAD4D6B,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD644B
                                                                  • _Py_Dealloc.PYTHON312(?,?,?,00007FFB1BAD4D6B,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD6464
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: DeallocString$AppendBytes_Err_FromList_Size
                                                                  • String ID: Unable to allocate output buffer.$avail_out is non-zero in _BlocksOutputBuffer_Grow().
                                                                  • API String ID: 1563898963-3455802345
                                                                  • Opcode ID: 580d003c13f45ba0d3f5d519e6676035726d1c9c5441bda9205d6986d50f6f75
                                                                  • Instruction ID: 015057e2bc42e543e3b7edd768a40db721ed05add5a6d4bdd388d3bdccab0647
                                                                  • Opcode Fuzzy Hash: 580d003c13f45ba0d3f5d519e6676035726d1c9c5441bda9205d6986d50f6f75
                                                                  • Instruction Fuzzy Hash: F1310CB1A29F4681EA148F3AEA4416963A2FB44BF4F14A331E96D877B4DF3DE445C300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: DeallocString$AppendBytes_Err_FromList_Size
                                                                  • String ID: Unable to allocate output buffer.$avail_out is non-zero in _BlocksOutputBuffer_Grow().
                                                                  • API String ID: 1563898963-3455802345
                                                                  • Opcode ID: ff338362e5abe2334e11cb080246bf7f77446c403590bc40d540ec3316304a65
                                                                  • Instruction ID: 379547b2fccaa9b3f23a9ff847de77bcee9a7dd9df5ffa822fb8dbbc2075ca67
                                                                  • Opcode Fuzzy Hash: ff338362e5abe2334e11cb080246bf7f77446c403590bc40d540ec3316304a65
                                                                  • Instruction Fuzzy Hash: FF31E1A2A08F4685EA298B3AF94413963A6EB44BB4F155631D92F877E4DF3DF5418300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Arg_KeywordsLong_ModuleModule_StateType_
                                                                  • String ID: BZ2Compressor
                                                                  • API String ID: 694278274-1096114097
                                                                  • Opcode ID: c29017a166be628f3c043c4071bfaebd4dc5a5912452c5fe267a8d3f159135bf
                                                                  • Instruction ID: ec875d5f2d5e2cc66b45f461f27e58775fad5d8848d3617d4e8d5948ff61dadd
                                                                  • Opcode Fuzzy Hash: c29017a166be628f3c043c4071bfaebd4dc5a5912452c5fe267a8d3f159135bf
                                                                  • Instruction Fuzzy Hash: 742144B1A0CE4285EA659F36F84417963A2EB48FA0F594131DA1F8B7A4DF3CF4418300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Eval_ThreadThread_acquire_lock$Err_RestoreSaveStringThread_release_lock
                                                                  • String ID: Already at end of stream
                                                                  • API String ID: 2195683152-1334556646
                                                                  • Opcode ID: 3eb67ee195b5bbe57a7cea297c8508a8a17e06b17122ceb0a36300f9ddcb8c56
                                                                  • Instruction ID: e51ac65de6c8554949e058d3215bcc4c7ec9495e04a41d069c77dc5cd066de13
                                                                  • Opcode Fuzzy Hash: 3eb67ee195b5bbe57a7cea297c8508a8a17e06b17122ceb0a36300f9ddcb8c56
                                                                  • Instruction Fuzzy Hash: 8E112BA1A28E4285EA14DB72E8441696766FB89FE0F08A232DE1E83774CF3CE455C300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                  • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Eval_ThreadThread_acquire_lock$Err_RestoreSaveStringThread_release_lockmemcpy
                                                                  • String ID: End of stream already reached
                                                                  • API String ID: 180092378-3466344095
                                                                  • Opcode ID: 309d9335925c998c01d05fe5717c16006e6c4eec569cf43e6d0882e4142690fe
                                                                  • Instruction ID: b8da70c7e6bf213015d2ea72d1898e22c34f6c6e8378e39209de305c17c83dd8
                                                                  • Opcode Fuzzy Hash: 309d9335925c998c01d05fe5717c16006e6c4eec569cf43e6d0882e4142690fe
                                                                  • Instruction Fuzzy Hash: 021104A6A08E9585EA199B7BF8442696766FB88FE0F184031EE4F47B25CF38F4558310
                                                                  APIs
                                                                  • PyThread_acquire_lock.PYTHON312(?,?,?,00007FFB1BAC8536), ref: 00007FFB1BAC9036
                                                                  • PyThread_release_lock.PYTHON312(?,?,?,00007FFB1BAC8536), ref: 00007FFB1BAC9068
                                                                  • PyErr_SetString.PYTHON312(?,?,?,00007FFB1BAC8536), ref: 00007FFB1BAC9098
                                                                    • Part of subcall function 00007FFB1BAC8564: PyType_GetModuleState.PYTHON312 ref: 00007FFB1BAC859D
                                                                    • Part of subcall function 00007FFB1BAC8564: PyBytes_FromStringAndSize.PYTHON312 ref: 00007FFB1BAC85B1
                                                                    • Part of subcall function 00007FFB1BAC8564: PyList_New.PYTHON312 ref: 00007FFB1BAC85C8
                                                                    • Part of subcall function 00007FFB1BAC8564: PyEval_SaveThread.PYTHON312 ref: 00007FFB1BAC8619
                                                                    • Part of subcall function 00007FFB1BAC8564: PyEval_RestoreThread.PYTHON312 ref: 00007FFB1BAC8633
                                                                  • PyEval_SaveThread.PYTHON312(?,?,?,00007FFB1BAC8536), ref: 00007FFB1BAD4F44
                                                                  • PyThread_acquire_lock.PYTHON312(?,?,?,00007FFB1BAC8536), ref: 00007FFB1BAD4F59
                                                                  • PyEval_RestoreThread.PYTHON312(?,?,?,00007FFB1BAC8536), ref: 00007FFB1BAD4F62
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Eval_Thread$RestoreSaveStringThread_acquire_lock$Bytes_Err_FromList_ModuleSizeStateThread_release_lockType_
                                                                  • String ID: Compressor has been flushed
                                                                  • API String ID: 3871537485-3904734015
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
• Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
Similarity
• API ID: Eval_ThreadThread_acquire_lock$RestoreSaveThread_release_lock
• String ID: Compressor has been flushed
• API String ID: 1906554297-3904734015
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
• Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
Similarity
• API ID: Eval_Thread$RestoreSaveStringThread_acquire_lock$Bytes_Err_FromList_ModuleSizeStateThread_release_lockType_
• String ID: Repeated call to flush()
• API String ID: 3871537485-194442007
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
• Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
Similarity
• API ID: Eval_Thread$RestoreSaveStringThread_acquire_lock$Bytes_Err_FromList_SizeThread_release_lock
• String ID: Repeated call to flush()
• API String ID: 3236580226-194442007
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
• Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
Similarity
• API ID: DeallocEval_Thread$Bytes_FromList_ModuleRestoreSaveSizeStateStringType_
• String ID:
• API String ID: 2831925710-0
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
• Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
Similarity
• API ID: Dealloc$Bytes_FromSizeStringmemcpy
• String ID: Unable to allocate output buffer.
• API String ID: 76732796-2565006440
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
• Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
Similarity
• API ID: Dealloc$Err_StringThread_allocate_lockmemset
• String ID: Unable to allocate lock$compresslevel must be between 1 and 9
• API String ID: 451674277-2500606449
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
• Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
Similarity
• API ID: DeallocString$Bytes_Err_FromSizeThread_allocate_lock
• String ID: Unable to allocate lock
• API String ID: 553681934-3516605728
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
• Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
Similarity
• API ID: Err_$Arg_CallocKeywords_Mem_MemoryParseSizeStringTuple
• String ID: Invalid filter specifier for delta filter$|OO&
• API String ID: 3027669873-2010576982
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
• Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
Similarity
• API ID: Err_$Arg_CallocKeywords_Mem_MemoryParseSizeStringTuple
• String ID: Invalid filter specifier for BCJ filter$|OO&
• API String ID: 3027669873-3728029529
APIs
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB1E3BC8F1
  • Part of subcall function 00007FFB1E3BC8A0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FFB1E3BB152), ref: 00007FFB1E3BC8D6
• __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB1E3BC91D
• exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFB1E3BC937
Strings
• bzip2/libbzip2: internal error number %d.This is a bug in bzip2/libbzip2, %s.Please report it to: bzip2-devel@sourceware.org. If this happenedwhen you were using some program which uses libbzip2 as acomponent, you should also report this bug to the auth, xrefs: 00007FFB1E3BC904
• *** A special note about internal error number 1007 ***Experience suggests that a common cause of i.e. 1007is unreliable memory or other hardware. The 1007 assertionjust happens to cross-check the results of huge numbers ofmemory reads/writes, and so ac, xrefs: 00007FFB1E3BC926
• 1.0.8, 13-Jul-2019, xrefs: 00007FFB1E3BC8F7
Memory Dump Source
• Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
• Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
Similarity
• API ID: __acrt_iob_func$__stdio_common_vfprintfexit
• String ID: bzip2/libbzip2: internal error number %d.This is a bug in bzip2/libbzip2, %s.Please report it to: bzip2-devel@sourceware.org. If this happenedwhen you were using some program which uses libbzip2 as acomponent, you should also report this bug to the auth$*** A special note about internal error number 1007 ***Experience suggests that a common cause of i.e. 1007is unreliable memory or other hardware. The 1007 assertionjust happens to cross-check the results of huge numbers ofmemory reads/writes, and so ac$1.0.8, 13-Jul-2019
• API String ID: 77255540-989448446
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
• Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
• Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
Similarity
• API ID: DeallocEval_Thread$Bytes_FromList_RestoreSaveSizeString
• String ID:
• API String ID: 722544280-0
APIs
• PyLong_FromUnsignedLongLong.PYTHON312(?,?,?,00007FFB1BAD086D,?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD0988
• PyUnicode_InternFromString.PYTHON312(?,?,?,00007FFB1BAD086D,?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD0999
• PyDict_SetItem.PYTHON312(?,?,?,00007FFB1BAD086D,?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD09B4
• _Py_Dealloc.PYTHON312(?,?,?,00007FFB1BAD086D,?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD5CBE
• _Py_Dealloc.PYTHON312(?,?,?,00007FFB1BAD086D,?,?,?,00007FFB1BAD081A,?,?,?,?,?,00007FFB1BAD07A5), ref: 00007FFB1BAD5CD7
Memory Dump Source
• Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
• Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
• Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
Similarity
• API ID: DeallocFromLong$Dict_InternItemLong_StringUnicode_Unsigned
• String ID:
• API String ID: 252187852-0
                                                                  • Opcode ID: 4407cb7e2ae5907235722564fec9c5a3f52f4cf3bc80c1b274a729e09646330d
                                                                  • Instruction ID: 338028db0b45590f0c605a22ee4f73d03988dc884554ae51e5c3a3a8c49d741a
                                                                  • Opcode Fuzzy Hash: 4407cb7e2ae5907235722564fec9c5a3f52f4cf3bc80c1b274a729e09646330d
                                                                  • Instruction Fuzzy Hash: F3112EA1D6DE4282FA254B32D92433D2296AF49BF5F08A235D95E827A4DF3CE8408300
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: combined CRCs: stored = 0x%08x, computed = 0x%08x$ {0x%08x, 0x%08x}
                                                                  • API String ID: 0-2474432645
                                                                  • Opcode ID: beca674fd8db362ae3c326a262006269a39a6cc495ac54829b8af714453b82f3
                                                                  • Instruction ID: 2624e2b05dc824fa7581dfd9080e0565deecaf6219eb23a4f67f7a2ed5447496
                                                                  • Opcode Fuzzy Hash: beca674fd8db362ae3c326a262006269a39a6cc495ac54829b8af714453b82f3
                                                                  • Instruction Fuzzy Hash: C14180B1E0D95286FB6A9F38E04427873A6EB45B68F245235DE0F8B2C5DF78B8418711
                                                                  APIs
                                                                  • PySequence_Size.PYTHON312(00000000,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0A94
                                                                  • PySequence_GetItem.PYTHON312(?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0AC7
                                                                    • Part of subcall function 00007FFB1BAD0B5C: PyMapping_Check.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0B81
                                                                    • Part of subcall function 00007FFB1BAD0B5C: PyMapping_GetItemString.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0B9B
                                                                    • Part of subcall function 00007FFB1BAD0B5C: PyLong_AsUnsignedLongLong.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0BB0
                                                                    • Part of subcall function 00007FFB1BAD0B5C: PyErr_Occurred.PYTHON312(?,?,?,00000028,00007FFB1BAD0AE3,?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD0BC7
                                                                  • PyErr_Format.PYTHON312(?,00000000,00007FFB1BAD0A18), ref: 00007FFB1BAD5D09
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Err_ItemLongMapping_Sequence_$CheckFormatLong_OccurredSizeStringUnsigned
                                                                  • String ID: Too many filters - liblzma supports a maximum of %d
                                                                  • API String ID: 1062705235-2617632755
                                                                  • Opcode ID: ccf5a64d07049f618c25ab74cbb4974c3106e7c7554985af56aab865a0a260af
                                                                  • Instruction ID: 3b3f674b6ce28f93db7e90dddaaee8f47780d73672de6b8d910a64e9894a5954
                                                                  • Opcode Fuzzy Hash: ccf5a64d07049f618c25ab74cbb4974c3106e7c7554985af56aab865a0a260af
                                                                  • Instruction Fuzzy Hash: 4E319FA1B69E0285EA249F36E8141396692AB49FF8F14A331DD7D877F5DE3CE4418300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Err_$FormatOccurred
                                                                  • String ID: Invalid compression preset: %u$Invalid filter chain for FORMAT_ALONE - must be a single LZMA1 filter
                                                                  • API String ID: 4038069558-4068623215
                                                                  • Opcode ID: 42de15237a213d44223ebd833c4df5f098df34b0787ac9d39a2d3eb57667bed4
                                                                  • Instruction ID: ed0bd3a6160f9cccb1cdd0eed889e62983c34be11ef44fb877117ce95525476b
                                                                  • Opcode Fuzzy Hash: 42de15237a213d44223ebd833c4df5f098df34b0787ac9d39a2d3eb57667bed4
                                                                  • Instruction Fuzzy Hash: C32155A1A3CF4251EA209B35E8413792252BF59BB4F40E732EA6E876F5DE2CE5058700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Arg_$KeywordsModuleModule_PositionalStateType_
                                                                  • String ID: BZ2Decompressor
                                                                  • API String ID: 2980520244-1337346095
                                                                  • Opcode ID: f57c856a1eaa85dad08e037339d259dc31bffbd300076d52cdc827e69f7ac027
                                                                  • Instruction ID: 61a9e16dffb1b1346ecd3c9152ea5fcc4dd93c39367ef4805e5e9613306b9ed6
                                                                  • Opcode Fuzzy Hash: f57c856a1eaa85dad08e037339d259dc31bffbd300076d52cdc827e69f7ac027
                                                                  • Instruction Fuzzy Hash: 252149A2A09E6690EA669B22F80017967A6FB44FA4F484032DE4F47364DE7CF4898301
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Dealloc$Module_State
                                                                  • String ID:
                                                                  • API String ID: 3434497292-0
                                                                  • Opcode ID: db67306de73857620c4aba995a460db50807d40a919903c7b44c58eb7544d94b
                                                                  • Instruction ID: 552ea93bf885a583c4704c420146cd9a304cae3a36196f266053fe80d67cb660
                                                                  • Opcode Fuzzy Hash: db67306de73857620c4aba995a460db50807d40a919903c7b44c58eb7544d94b
                                                                  • Instruction Fuzzy Hash: 6021CCB6D2AE03C5FF594F75C89833822E2AF45B29F18E736D51E851A0CF7DA4858310
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Module_$FromModuleSpecTypeType_$State
                                                                  • String ID:
                                                                  • API String ID: 1138651315-0
                                                                  • Opcode ID: 385c81540caf7594d2d79f420c7c64eb9f9f90bd2783a20cd1ed782b2f8c24c0
                                                                  • Instruction ID: 95445ff9791aa82d9dac328da6051c8f8c1cb9151c7704fca80e7e7b18a68250
                                                                  • Opcode Fuzzy Hash: 385c81540caf7594d2d79f420c7c64eb9f9f90bd2783a20cd1ed782b2f8c24c0
                                                                  • Instruction Fuzzy Hash: 330171B1B19F5681FA128B3AF58463A63A6AF08BF0B585434EA5F47B64DF3CF1458700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmp
                                                                   • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func
                                                                  • String ID: block %d: crc = 0x%08x, combined CRC = 0x%08x, size = %d$ final combined CRC = 0x%08x
                                                                  • API String ID: 711238415-3357347091
                                                                  • Opcode ID: bae728a6bf01b28945588ec33f57403ca6373a91784663bbbb4fd72b5314d822
                                                                  • Instruction ID: f3135f4c3612ce8334bfc60bce7ccb0b7cec18c5b2679f21dfca2a5216e094f9
                                                                  • Opcode Fuzzy Hash: bae728a6bf01b28945588ec33f57403ca6373a91784663bbbb4fd72b5314d822
                                                                  • Instruction Fuzzy Hash: 4E61F9B5B6961686E621EF3AF8012BA3392EB85F94F145535DE0F07746CE7DF4028B40
                                                                  APIs
                                                                  • PyLong_AsUnsignedLongLong.PYTHON312(?,?,00000006,00007FFB1BAD0CFC), ref: 00007FFB1BAD1E89
                                                                  • PyErr_Occurred.PYTHON312(?,?,00000006,00007FFB1BAD0CFC), ref: 00007FFB1BAD1E92
                                                                  • PyErr_SetString.PYTHON312(?,?,00000006,00007FFB1BAD0CFC), ref: 00007FFB1BAD607B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Err_Long$Long_OccurredStringUnsigned
                                                                  • String ID: Value too large for uint32_t type
                                                                  • API String ID: 944333170-1712686559
                                                                  • Opcode ID: beb8bb3f21a158d48b7ae8f5362e1cc07ff4e792364f621d751ee79adeb98e45
                                                                  • Instruction ID: fb75c3d0e8ce663951687787b96e9174fbde26b163ccba102db2b3d22c6ad2dd
                                                                  • Opcode Fuzzy Hash: beb8bb3f21a158d48b7ae8f5362e1cc07ff4e792364f621d751ee79adeb98e45
                                                                  • Instruction Fuzzy Hash: C6F012A1B28E0395EF105F77E9941382362EF48BA4F14E634D91DC6371DE3CE4958300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Err_Long$Long_OccurredStringUnsigned
                                                                  • String ID: Value too large for lzma_match_finder type
                                                                  • API String ID: 944333170-1161044407
                                                                  • Opcode ID: 9914e4eca75eb01d789d50a663b97705113751f3ba4ec09a09449ef1f848119f
                                                                  • Instruction ID: 11fab0a70ceea48e95876f8c00ed3c8f71114db5879a51dff2efcbe2eec71ce1
                                                                  • Opcode Fuzzy Hash: 9914e4eca75eb01d789d50a663b97705113751f3ba4ec09a09449ef1f848119f
                                                                  • Instruction Fuzzy Hash: 77F0FEF1A28E4691EB144F7AF6841356362AF48BA4F18E234DA1D86374DE3CE4948700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Err_Long$Long_OccurredStringUnsigned
                                                                  • String ID: Value too large for lzma_mode type
                                                                  • API String ID: 944333170-1290617251
                                                                  • Opcode ID: c75928b8bcefc147294998117d43192376e487e7008253cef88493b04ebec458
                                                                  • Instruction ID: 7bf25fc59d75aee037dbde00a1de8b52353e14ce792ee706b9cdbf5df4b01810
                                                                  • Opcode Fuzzy Hash: c75928b8bcefc147294998117d43192376e487e7008253cef88493b04ebec458
                                                                  • Instruction Fuzzy Hash: 42F0FEA1A28E42D1EB504F76F5841386362AF48BA4F58F635E91E86278DE3CE4958310
                                                                  APIs
                                                                  • PyType_GetModuleState.PYTHON312(?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAC83C1
                                                                    • Part of subcall function 00007FFB1BAD2574: PyBytes_FromStringAndSize.PYTHON312(?,?,?,00007FFB1BAC83DB,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD25AB
                                                                    • Part of subcall function 00007FFB1BAD2574: PyList_New.PYTHON312(?,?,?,00007FFB1BAC83DB,?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAD25BE
                                                                  • PyEval_SaveThread.PYTHON312(?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAC83E8
                                                                  • PyEval_RestoreThread.PYTHON312(?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAC8401
                                                                  • _Py_Dealloc.PYTHON312(?,?,?,00000000,?,?,?,00007FFB1BAC8041), ref: 00007FFB1BAC84C1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: Eval_Thread$Bytes_DeallocFromList_ModuleRestoreSaveSizeStateStringType_
                                                                  • String ID:
                                                                  • API String ID: 2935988267-0
                                                                  • Opcode ID: 00cfe97c0164a270be03c1d104ab45d7f8779960225675756503997d0fd06301
                                                                  • Instruction ID: ca642173352edc427831b1e72be0cba8bb68ac4e23d49576764a93007d51c2c2
                                                                  • Opcode Fuzzy Hash: 00cfe97c0164a270be03c1d104ab45d7f8779960225675756503997d0fd06301
                                                                  • Instruction Fuzzy Hash: 8B41B3B6A29E42C5EA248F35D9401B92392FF84BB8F64A235EA0D47774DF3CE485C300
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmp
                                                                   • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: DeallocFreeMem_Thread_free_lock
                                                                  • String ID:
                                                                  • API String ID: 2783890233-0
                                                                  • Opcode ID: 01b42428c534275dc39dda495b1f2b4eedd2e9a3cd2baa85ec5288ad07ab9b92
                                                                  • Instruction ID: 8fd1b237d7cc9f1da872219042258511bab9c412bbba1da633c69307b4793f76
                                                                  • Opcode Fuzzy Hash: 01b42428c534275dc39dda495b1f2b4eedd2e9a3cd2baa85ec5288ad07ab9b92
                                                                  • Instruction Fuzzy Hash: 08115BA6A29D46C2EB598F75D5547782762EF44BA4F28E230D61E866B4CF3CA4948300
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: e14f81335c7f0e89c555c48fc70369245093cfa0888173eb1084b591f0c493ce
                                                                  • Instruction ID: 0eed3d3ad3ceb0b088fa4e4606ea654b76691686afa53d39e50e7456ef42aa68
                                                                  • Opcode Fuzzy Hash: e14f81335c7f0e89c555c48fc70369245093cfa0888173eb1084b591f0c493ce
                                                                  • Instruction Fuzzy Hash: 9A113C66B24F019AEB00CF70E8543B833A5FB19768F446E31DA6D867A4DF7CE1588340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1465088210.00007FFB0ADC1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFB0ADC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1465059876.00007FFB0ADC0000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465289411.00007FFB0B042000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465289411.00007FFB0B062000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465289411.00007FFB0B071000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465289411.00007FFB0B0E7000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465289411.00007FFB0B1B2000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465612113.00007FFB0B2B6000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465728204.00007FFB0B323000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465749873.00007FFB0B325000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465773801.00007FFB0B326000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465794454.00007FFB0B327000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465814524.00007FFB0B329000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465873562.00007FFB0B3AF000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465899038.00007FFB0B3B1000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465920494.00007FFB0B3BB000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465953286.00007FFB0B3E0000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465975622.00007FFB0B3E1000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1465999622.00007FFB0B3E2000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466022378.00007FFB0B3E3000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466042974.00007FFB0B3E5000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466069610.00007FFB0B3F1000.00000008.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466097245.00007FFB0B3F2000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466130650.00007FFB0B434000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466150026.00007FFB0B451000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb0adc0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: d2285d0ca78b08e9284e6539fe4cd286835083a25521d89012cfe7de672bd859
                                                                  • Instruction ID: 600372e70e0d56269792f0871a24b78e08a7da47f71383032a8448e054f497c8
                                                                  • Opcode Fuzzy Hash: d2285d0ca78b08e9284e6539fe4cd286835083a25521d89012cfe7de672bd859
                                                                  • Instruction Fuzzy Hash: CD112EA2B14F068AEB00DF71E8546B833B4FB19B58F440E35EA6E867A4EF78D1548340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466356506.00007FFB1E3B1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFB1E3B0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466329846.00007FFB1E3B0000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466379056.00007FFB1E3BE000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466406772.00007FFB1E3C2000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466434339.00007FFB1E3C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1e3b0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: c9d2bc6b1f4b90143cfcf8b72833dd591a01bb31496536103f8e1994dd480a1d
                                                                  • Instruction ID: 09576ce39683b9982926633cd031378bfa19570c57652d3a665a51275c1e94eb
                                                                  • Opcode Fuzzy Hash: c9d2bc6b1f4b90143cfcf8b72833dd591a01bb31496536103f8e1994dd480a1d
                                                                  • Instruction Fuzzy Hash: 00114C62B14F058AEB008B75E8542A833A5FB18B68F040E31EA6E427A4DF38E1548340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1464555232.00007FF65BB91000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FF65BB90000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1464534004.00007FF65BB90000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1464603823.00007FF65BBDC000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1464631295.00007FF65BBF6000.00000004.00000001.01000000.0000000D.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1464652410.00007FF65BC01000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff65bb90000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: 3e9bf284f51a014416bd2e884015404433c55462ee1280fbdb526b963edf0727
                                                                  • Instruction ID: b466237d6d340bbc8d1eeee04cebdec764db7140ac7510119da9bc1b2edcb5b1
                                                                  • Opcode Fuzzy Hash: 3e9bf284f51a014416bd2e884015404433c55462ee1280fbdb526b963edf0727
                                                                  • Instruction Fuzzy Hash: 9D111626B18F018AEB00CF65E8552B833A4FB5E758F481E35EA6D96774DF7CD1948340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1466199130.00007FFB1BAC1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FFB1BAC0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1466174535.00007FFB1BAC0000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BAD8000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466226785.00007FFB1BADC000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466277336.00007FFB1BAE4000.00000004.00000001.01000000.00000013.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1466300629.00007FFB1BAE5000.00000002.00000001.01000000.00000013.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffb1bac0000_l4.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy$memmove
                                                                  • String ID:
                                                                  • API String ID: 1283327689-0
                                                                  • Opcode ID: eee6edfa71bb2dedfcc37b73b2f55b6b239783ac4416e26ed470dd15ede7d960
                                                                  • Instruction ID: 74670eb347d53b91af021f8b36c129636b731a7bb2572772dc3bf6be7b50585f
                                                                  • Opcode Fuzzy Hash: eee6edfa71bb2dedfcc37b73b2f55b6b239783ac4416e26ed470dd15ede7d960
                                                                  • Instruction Fuzzy Hash: BF31E572B28B8583DA149F7AE40407DB762F754BA0B289239DF8E57BA5DF3CE4458700