Edit tour

Windows Analysis Report
main.exe

Overview

General Information

Sample name:	main.exe
Analysis ID:	1577508
MD5:	935ddf8c175da8cb95fff0870e0718fc
SHA1:	8c026153157f0b84e29080326bbbd1ea6d1ddcb6
SHA256:	19ea2bfba48a832b1342fdb60e1d5686d47f3b788d3de162f6ff087a71ed96e4
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Found pyInstaller with non standard icon

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

main.exe (PID: 1080 cmdline: "C:\Users\user\Desktop\main.exe" MD5: 935DDF8C175DA8CB95FFF0870E0718FC)

main.exe (PID: 4368 cmdline: "C:\Users\user\Desktop\main.exe" MD5: 935DDF8C175DA8CB95FFF0870E0718FC)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: main.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: main.exe

ReversingLabs: Detection: 44%

Source: main.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\main.exe

File opened: C:\Users\user\AppData\Local\Temp\_MEI10802\msvcr90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.6:49708 version: TLS 1.2

Source:	Binary string: C:\build27\cpython\PCBuild\select.pdb source: main.exe, 00000000.00000003.2161442847.0000000002551000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source:	Binary string: msvcp90.i386.pdb source: main.exe, 00000000.00000003.2157220383.0000000002659000.00000004.00000020.00020000.00000000.sdmp, msvcp90.dll.0.dr
Source:	Binary string: msvcr90.i386.pdb source: main.exe, 00000000.00000003.2156562438.0000000002657000.00000004.00000020.00020000.00000000.sdmp, msvcr90.dll.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_hashlib.pdb source: main.exe, 00000000.00000003.2161232064.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2196089633.000000006D0E8000.00000002.00000001.01000000.00000005.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_socket.pdb source: main.exe, 00000000.00000003.2159823373.0000000002555000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2159535838.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2197056073.0000000074A97000.00000002.00000001.01000000.00000006.sdmp, _socket.pyd.0.dr
Source:	Binary string: msvcm90.i386.pdb source: main.exe, 00000000.00000003.2157767880.0000000002560000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2157282027.0000000002551000.00000004.00000020.00020000.00000000.sdmp, msvcm90.dll.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\bz2.pdb% source: main.exe, 00000000.00000003.2159483968.0000000002561000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2159332778.0000000002551000.00000004.00000020.00020000.00000000.sdmp, bz2.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_socket.pdbEi source: main.exe, 00000000.00000003.2159823373.0000000002555000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2159535838.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2197056073.0000000074A97000.00000002.00000001.01000000.00000006.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\unicodedata.pdb source: main.exe, 00000000.00000003.2159130410.000000000265B000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\python27.pdb source: main.exe, 00000000.00000003.2158543447.0000000002782000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2196356518.000000006D28A000.00000002.00000001.01000000.00000004.sdmp, python27.dll.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_ssl.pdb source: main.exe, 00000000.00000003.2160566596.0000000002701000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmp, _ssl.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_hashlib.pdb%x source: main.exe, 00000000.00000003.2161232064.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2196089633.000000006D0E8000.00000002.00000001.01000000.00000005.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\bz2.pdb source: main.exe, 00000000.00000003.2159483968.0000000002561000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2159332778.0000000002551000.00000004.00000020.00020000.00000000.sdmp, bz2.pyd.0.dr

Source: C:\Users\user\Desktop\main.exe

Code function: 2_2_6CF99DC0 _errno,_errno,malloc,memset,malloc,free,_errno,FindFirstFileA,free,free,free,_errno,FindNextFileA,strncpy,_errno,

2_2_6CF99DC0

Source: C:\Users\user\Desktop\main.exe

Code function: 4x nop then movd mm0, dword ptr [edx]

2_2_6CFA28B0

Source: Joe Sandbox View

IP Address: 20.233.83.145 20.233.83.145

Source: Joe Sandbox View

JA3 fingerprint: e0fe397a5edfba9a6facc7c7b341f4eb

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\main.exe

Code function: 2_2_6CF983A0 WSASetLastError,recv,WSAGetLastError,

2_2_6CF983A0

Source: global traffic

HTTP traffic detected: GET /franklenzer/0101010101/raw/main/mpc.part01.rar HTTP/1.1Accept-Encoding: identityHost: github.comConnection: closeUser-Agent: Python-urllib/2.7

Source: global traffic

DNS traffic detected: DNS query: github.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: GitHub.comDate: Wed, 18 Dec 2024 13:33:53 GMTContent-Type: text/html; charset=utf-8Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-WithCache-Control: no-cacheStrict-Transport-Security: max-age=31536000; includeSubdomains; preloadX-Frame-Options: denyX-Content-Type-Options: nosniffX-XSS-Protection: 0Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin

Source: python27.dll.0.dr	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2195332778.000000000298E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.faqs.org/rfcs/rfc2822.html
Source: main.exe, 00000002.00000002.2195332778.000000000298E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.faqs.org/rfcs/rfc822.html
Source: main.exe, 00000002.00000002.2195332778.000000000298E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: main.exe, main.exe, 00000002.00000002.2196089633.000000006D0E8000.00000002.00000001.01000000.00000005.sdmp, main.exe, 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmp, _ssl.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: main.exe, 00000000.00000003.2161232064.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2160566596.0000000002701000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2196089633.000000006D0E8000.00000002.00000001.01000000.00000005.sdmp, main.exe, 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmp, _ssl.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://www.openssl.org/support/faq.htmlC:
Source: main.exe, 00000002.00000002.2195332778.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/
Source: main.exe, 00000000.00000003.2159130410.00000000026C8000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr	String found in binary or memory: http://www.unicode.org/reports/tr44/tr44-4.html).
Source: main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2195316484.0000000002750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/franklenzer/0101010101/raw/main/mpc.part01.rar
Source: main.exe, 00000002.00000002.2195332778.000000000298E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/franklenzer/0101010101/raw/main/mpc.part01.rar:
Source: main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2195316484.0000000002750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/franklenzer/0101010101/raw/main/mpc.part02.rar
Source: main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2195316484.0000000002750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/franklenzer/0101010101/raw/main/x0x.exe
Source: main.exe, 00000002.00000002.2195332778.0000000002851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.6:49708 version: TLS 1.2

Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00401850 ntohl,fwrite,fclose,free,	0_2_00401850
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00401910 fseek,ftell,ntohl,ntohl,ntohl,fseek,ntohl,malloc,ntohl,fread,ntohl,ferror,fclose,fseek,fread,fseek,fread,fseek,fread,fseek,fread,	0_2_00401910
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00401610 ntohl,ntohl,fseek,ntohl,malloc,ntohl,fread,fclose,ntohl,malloc,ntohl,ntohl,free,free,	0_2_00401610
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00401CE9 ntohl,	0_2_00401CE9
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00404170 free,strlen,ntohl,free,ntohl,	0_2_00404170
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00401D1C ntohl,	0_2_00401D1C
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_004015D0 ntohl,	0_2_004015D0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_004042F7 free,ntohl,	0_2_004042F7
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00403B40 ntohl,strcpy,GetLastError,	0_2_00403B40
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00403BE9 ntohl,sprintf,GetModuleHandleA,	0_2_00403BE9
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00404380 ntohl,free,strlen,	0_2_00404380
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00401910 fseek,ftell,ntohl,ntohl,ntohl,fseek,ntohl,malloc,ntohl,fread,ntohl,ferror,fclose,fseek,fread,fseek,fread,fseek,fread,fseek,fread,	2_2_00401910
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00401610 ntohl,ntohl,fseek,ntohl,malloc,ntohl,fread,fclose,ntohl,malloc,ntohl,ntohl,free,free,	2_2_00401610
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00401850 ntohl,fwrite,fclose,free,	2_2_00401850
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00401CE9 ntohl,	2_2_00401CE9
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00404170 PyString_FromString,free,strlen,PySys_SetObject,PyImport_ImportModule,PyModule_GetDict,PyDict_GetItemString,ntohl,PyObject_CallFunction,PyObject_CallFunction,PyImport_ExecCodeModule,PyErr_Occurred,PyErr_Print,PyErr_Clear,free,ntohl,PyObject_CallFunction,	2_2_00404170
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00401D1C ntohl,	2_2_00401D1C
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_004015D0 ntohl,	2_2_004015D0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_004042F7 PyObject_CallFunction,PyObject_CallFunction,PyImport_ExecCodeModule,PyErr_Occurred,PyErr_Print,PyErr_Clear,free,ntohl,PyObject_CallFunction,	2_2_004042F7
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00403B40 ntohl,strcpy,GetLastError,	2_2_00403B40
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00403BE9 ntohl,sprintf,GetModuleHandleA,	2_2_00403BE9
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00404380 ntohl,PyString_FromFormat,free,strlen,Py_DecRef,PySys_GetObject,PyList_Append,Py_DecRef,	2_2_00404380

Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_004064D2	0_2_004064D2
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00406595	0_2_00406595
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00408769	0_2_00408769
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00408710	0_2_00408710
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_004064D2	2_2_004064D2
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00406595	2_2_00406595
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00408769	2_2_00408769
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00408710	2_2_00408710
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CEDE870	2_2_6CEDE870
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF88AD0	2_2_6CF88AD0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF7CA70	2_2_6CF7CA70
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF7B050	2_2_6CF7B050
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF48CC0	2_2_6CF48CC0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF50CA0	2_2_6CF50CA0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFBCC9D	2_2_6CFBCC9D
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF4AC70	2_2_6CF4AC70
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFBEC40	2_2_6CFBEC40
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFBEDF2	2_2_6CFBEDF2
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF4AD6B	2_2_6CF4AD6B
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF48D4C	2_2_6CF48D4C
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF5CD30	2_2_6CF5CD30
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFB0D17	2_2_6CFB0D17
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF94F60	2_2_6CF94F60
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF84F00	2_2_6CF84F00
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF948D0	2_2_6CF948D0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFAE800	2_2_6CFAE800
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CEDE9EC	2_2_6CEDE9EC
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFBA9F0	2_2_6CFBA9F0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFBE980	2_2_6CFBE980
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFB0970	2_2_6CFB0970
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF52960	2_2_6CF52960
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF9C960	2_2_6CF9C960
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF44920	2_2_6CF44920
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF46900	2_2_6CF46900
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFBEAC0	2_2_6CFBEAC0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF18A80	2_2_6CF18A80
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF48A70	2_2_6CF48A70
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF94A70	2_2_6CF94A70
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF46BE0	2_2_6CF46BE0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF94B6C	2_2_6CF94B6C
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CEDE420	2_2_6CEDE420
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF48410	2_2_6CF48410
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF4C590	2_2_6CF4C590
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFB656C	2_2_6CFB656C
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFBA540	2_2_6CFBA540
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF5A510	2_2_6CF5A510
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFB6500	2_2_6CFB6500
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFB6660	2_2_6CFB6660
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CED27F0	2_2_6CED27F0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFB6790	2_2_6CFB6790
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF8C760	2_2_6CF8C760
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF46740	2_2_6CF46740
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF1E700	2_2_6CF1E700
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF4A0F0	2_2_6CF4A0F0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CEEE0E0	2_2_6CEEE0E0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF4E0A0	2_2_6CF4E0A0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF9C020	2_2_6CF9C020
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF501B0	2_2_6CF501B0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF2A180	2_2_6CF2A180
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF48180	2_2_6CF48180
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFB22E0	2_2_6CFB22E0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF4A2D0	2_2_6CF4A2D0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF4E280	2_2_6CF4E280
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF1E260	2_2_6CF1E260
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF2A210	2_2_6CF2A210
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CEE6380	2_2_6CEE6380
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF2A350	2_2_6CF2A350
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF47C40	2_2_6CF47C40
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFB5DE0	2_2_6CFB5DE0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CEF9DF0	2_2_6CEF9DF0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFB7DA9	2_2_6CFB7DA9
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF9BD20	2_2_6CF9BD20

Source: C:\Users\user\Desktop\main.exe	Code function: String function: 6CEDCDA0 appears 72 times
Source: C:\Users\user\Desktop\main.exe	Code function: String function: 6CED0E00 appears 803 times
Source: C:\Users\user\Desktop\main.exe	Code function: String function: 6CEDB1E0 appears 154 times
Source: C:\Users\user\Desktop\main.exe	Code function: String function: 6CEE3870 appears 71 times
Source: C:\Users\user\Desktop\main.exe	Code function: String function: 6CF29B30 appears 36 times

Source: main.exe	Static PE information: Resource name: STYLE type: Zip archive data, at least v2.0 to extract, compression method=store
Source: main.exe	Static PE information: Resource name: STYLE type: Zip archive data, at least v2.0 to extract, compression method=store

Source: main.exe, 00000000.00000003.2157220383.0000000002659000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSVCP90.DLL^ vs main.exe
Source: main.exe, 00000000.00000003.2156562438.00000000026F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSVCR90.DLL^ vs main.exe
Source: main.exe, 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWinCam.exe. vs main.exe
Source: main.exe, 00000000.00000003.2157767880.0000000002560000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSVCM90.DLL^ vs main.exe
Source: main.exe, 00000000.00000003.2157282027.0000000002551000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSVCM90.DLL^ vs main.exe
Source: main.exe, 00000000.00000003.2158543447.00000000029B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython27.dll. vs main.exe
Source: main.exe, 00000002.00000002.2196978143.000000006D3C4000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython27.dll. vs main.exe
Source: main.exe, 00000002.00000000.2161841749.0000000000568000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWinCam.exe. vs main.exe
Source: main.exe	Binary or memory string: OriginalFilenameWinCam.exe. vs main.exe

Source: main.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal60.winEXE@3/12@1/1

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_00404E70 GetLastError,FormatMessageA,

0_2_00404E70

Source: C:\Users\user\Desktop\main.exe

Code function: 2_2_6CF072A0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetVersion,GetVersion,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

2_2_6CF072A0

Source: C:\Users\user\Desktop\main.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI10802

Jump to behavior

Source: main.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\main.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: main.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\main.exe

File read: C:\Users\user\Desktop\main.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"
Source: C:\Users\user\Desktop\main.exe	Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"	Jump to behavior

Source: C:\Users\user\Desktop\main.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: main.exe

Static file information: File size 5620920 > 1048576

Source: C:\Users\user\Desktop\main.exe

File opened: C:\Users\user\AppData\Local\Temp\_MEI10802\msvcr90.dll

Jump to behavior

Source: main.exe	Static PE information: section name: RT_CURSOR
Source: main.exe	Static PE information: section name: RT_BITMAP
Source: main.exe	Static PE information: section name: RT_ICON
Source: main.exe	Static PE information: section name: RT_MENU
Source: main.exe	Static PE information: section name: RT_DIALOG
Source: main.exe	Static PE information: section name: RT_STRING
Source: main.exe	Static PE information: section name: RT_ACCELERATOR
Source: main.exe	Static PE information: section name: RT_GROUP_ICON

Source: main.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x159400

Source:	Binary string: C:\build27\cpython\PCBuild\select.pdb source: main.exe, 00000000.00000003.2161442847.0000000002551000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source:	Binary string: msvcp90.i386.pdb source: main.exe, 00000000.00000003.2157220383.0000000002659000.00000004.00000020.00020000.00000000.sdmp, msvcp90.dll.0.dr
Source:	Binary string: msvcr90.i386.pdb source: main.exe, 00000000.00000003.2156562438.0000000002657000.00000004.00000020.00020000.00000000.sdmp, msvcr90.dll.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_hashlib.pdb source: main.exe, 00000000.00000003.2161232064.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2196089633.000000006D0E8000.00000002.00000001.01000000.00000005.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_socket.pdb source: main.exe, 00000000.00000003.2159823373.0000000002555000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2159535838.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2197056073.0000000074A97000.00000002.00000001.01000000.00000006.sdmp, _socket.pyd.0.dr
Source:	Binary string: msvcm90.i386.pdb source: main.exe, 00000000.00000003.2157767880.0000000002560000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2157282027.0000000002551000.00000004.00000020.00020000.00000000.sdmp, msvcm90.dll.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\bz2.pdb% source: main.exe, 00000000.00000003.2159483968.0000000002561000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2159332778.0000000002551000.00000004.00000020.00020000.00000000.sdmp, bz2.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_socket.pdbEi source: main.exe, 00000000.00000003.2159823373.0000000002555000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2159535838.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2197056073.0000000074A97000.00000002.00000001.01000000.00000006.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\unicodedata.pdb source: main.exe, 00000000.00000003.2159130410.000000000265B000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\python27.pdb source: main.exe, 00000000.00000003.2158543447.0000000002782000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2196356518.000000006D28A000.00000002.00000001.01000000.00000004.sdmp, python27.dll.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_ssl.pdb source: main.exe, 00000000.00000003.2160566596.0000000002701000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmp, _ssl.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\_hashlib.pdb%x source: main.exe, 00000000.00000003.2161232064.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2196089633.000000006D0E8000.00000002.00000001.01000000.00000005.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: C:\build27\cpython\PCBuild\bz2.pdb source: main.exe, 00000000.00000003.2159483968.0000000002561000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2159332778.0000000002551000.00000004.00000020.00020000.00000000.sdmp, bz2.pyd.0.dr

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_004052F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,free,

0_2_004052F0

Source: unicodedata.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xac2ee
Source: bz2.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1cba6
Source: _ssl.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x15d97a
Source: python27.dll.0.dr	Static PE information: real checksum: 0x29675c should be: 0x296813
Source: _socket.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x145cb
Source: _hashlib.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1117e2
Source: select.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xe180

Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CF6AA21 pushad ; ret	2_2_6CF6AA23
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CEE4691 push esp; ret	2_2_6CEE4693
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CEF9CA1 push esp; ret	2_2_6CEF9CA3

Source: msvcr90.dll.0.dr

Static PE information: section name: .text entropy: 6.921830750319084

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\main.exe

Process created: "C:\Users\user\Desktop\main.exe"

Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI10802\python27.dll	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI10802\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI10802\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI10802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI10802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI10802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI10802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI10802\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI10802\bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI10802\msvcm90.dll	Jump to dropped file

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_00402ED0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00402ED0

Source: C:\Users\user\Desktop\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\main.exe

Code function: 2_2_6CFA21C0 rdtsc

2_2_6CFA21C0

Source: C:\Users\user\Desktop\main.exe

2_2_6CF072A0

Source: C:\Users\user\Desktop\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI10802\python27.dll	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI10802\msvcp90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI10802\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI10802\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI10802\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI10802\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI10802\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI10802\bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI10802\msvcr90.dll	Jump to dropped file
Source: C:\Users\user\Desktop\main.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI10802\msvcm90.dll	Jump to dropped file

Source: C:\Users\user\Desktop\main.exe

Code function: 2_2_6CF99DC0 _errno,_errno,malloc,memset,malloc,free,_errno,FindFirstFileA,free,free,free,_errno,FindNextFileA,strncpy,_errno,

2_2_6CF99DC0

Source: main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: main.exe, 00000002.00000002.2195316484.0000000002750000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if re.search(r'Virtual\|VMware\|VirtualBox\|KVM\|QEMU\|Hyper-V', model, re.IGNORECASE):
Source: main.exe, 00000002.00000002.2195332778.0000000002851000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Virtual\|VMware\|VirtualBox\|KVM\|QEMU\|Hyper-V
Source: main.exe, 00000002.00000002.2195332778.0000000002851000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6Virtual\|VMware\|VirtualBox\|KVM\|QEMU\|Hyper-V
Source: main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @VMware, Inc.
Source: main.exe, 00000002.00000002.2195316484.0000000002750000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: if manufacturer in ["VMware, Inc.", "Microsoft Corporation", "Xen", "VirtualBox"]:
Source: main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EMU\|Hyper-V'a
Source: main.exe, 00000002.00000002.2195075242.0000000000848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\main.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\main.exe

Code function: 2_2_6CFA21C0 rdtsc

2_2_6CFA21C0

Source: C:\Users\user\Desktop\main.exe

Code function: 2_2_6CFC08F0 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

2_2_6CFC08F0

Source: C:\Users\user\Desktop\main.exe

2_2_6CF072A0

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_004052F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,free,

0_2_004052F0

Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00401179 Sleep,Sleep,SetUnhandledExceptionFilter,_wcmdln,malloc,malloc,memcpy,__winitenv,_cexit,_amsg_exit,_initterm,GetStartupInfoW,_initterm,exit,	0_2_00401179
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00409FC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_00409FC0
Source: C:\Users\user\Desktop\main.exe	Code function: 0_2_00409FBC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_00409FBC
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00401179 Sleep,Sleep,SetUnhandledExceptionFilter,_wcmdln,malloc,malloc,memcpy,__winitenv,_cexit,_amsg_exit,_initterm,GetStartupInfoW,_initterm,exit,	2_2_00401179
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00409FC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	2_2_00409FC0
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_00409FBC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	2_2_00409FBC
Source: C:\Users\user\Desktop\main.exe	Code function: 2_2_6CFC08F0 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,	2_2_6CFC08F0

Source: C:\Users\user\Desktop\main.exe

Process created: C:\Users\user\Desktop\main.exe "C:\Users\user\Desktop\main.exe"

Jump to behavior

Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI10802\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI10802\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\main.exe	Queries volume information: C:\Users\user\Desktop\main.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\main.exe

Code function: 0_2_00409F10 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00409F10

Source: C:\Users\user\Desktop\main.exe

2_2_6CF072A0

Source: C:\Users\user\Desktop\main.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	4 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
main.exe	45%	ReversingLabs	Win32.Trojan.Generic
main.exe	100%	Avira	TR/Dldr.Agent.prntl

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI10802\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI10802\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI10802\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI10802\bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI10802\msvcm90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI10802\msvcp90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI10802\msvcr90.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI10802\python27.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI10802\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI10802\unicodedata.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.faqs.org/rfcs/rfc2822.html	0%	Avira URL Cloud	safe
http://www.faqs.org/rfcs/rfc822.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
github.com	20.233.83.145	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://github.com/franklenzer/0101010101/raw/main/mpc.part01.rar	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://python.org/dev/peps/pep-0263/	python27.dll.0.dr	false		high
https://mahler:8092/site-updates.py	main.exe, 00000002.00000002.2195332778.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	main.exe, 00000002.00000002.2195332778.000000000298E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.faqs.org/rfcs/rfc2822.html	main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2195332778.000000000298E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tools.ietf.org/html/rfc6125#section-6.4.3	main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.unicode.org/reports/tr44/tr44-4.html).	main.exe, 00000000.00000003.2159130410.00000000026C8000.00000004.00000020.00020000.00000000.sdmp, unicodedata.pyd.0.dr	false		high
http://www.openssl.org/support/faq.htmlC:	main.exe, 00000000.00000003.2161232064.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000000.00000003.2160566596.0000000002701000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2196089633.000000006D0E8000.00000002.00000001.01000000.00000005.sdmp, main.exe, 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmp, _ssl.pyd.0.dr, _hashlib.pyd.0.dr	false		high
http://www.python.org/	main.exe, 00000002.00000002.2195332778.0000000002851000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/franklenzer/0101010101/raw/main/x0x.exe	main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2195316484.0000000002750000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/franklenzer/0101010101/raw/main/mpc.part01.rar:	main.exe, 00000002.00000002.2195332778.000000000298E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.faqs.org/rfcs/rfc822.html	main.exe, 00000002.00000002.2195332778.000000000298E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/franklenzer/0101010101/raw/main/mpc.part02.rar	main.exe, 00000002.00000002.2195201644.0000000002551000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000002.00000002.2195316484.0000000002750000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	main.exe, main.exe, 00000002.00000002.2196089633.000000006D0E8000.00000002.00000001.01000000.00000005.sdmp, main.exe, 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmp, _ssl.pyd.0.dr, _hashlib.pyd.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.233.83.145	github.com	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577508
Start date and time:	2024-12-18 14:32:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	main.exe
Detection:	MAL
Classification:	mal60.winEXE@3/12@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 57 Number of non-executed functions: 181
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
VT rate limit hit for: main.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
20.233.83.145	Y5kEUsYDFr.exe	Get hash	malicious	Unknown	Browse	github.com/keygroup777-Ransomware/DOWNLOADER/raw/refs/heads/main/telefron.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
github.com	pyld611114.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	Lu4421.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	20.233.83.145
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	140.82.113.4
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	20.233.83.145
	ORDER-2412180Y6890PF57682456HTVC789378909759..jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	20.233.83.145
	IAK4Rn3bfO.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	20.233.83.145
	ORDER-24171200967.XLS..js	Get hash	malicious	WSHRat, Caesium Obfuscator, STRRAT	Browse	140.82.121.3
	3gJQoqWpxb.bat	Get hash	malicious	Unknown	Browse	140.82.113.4
	uZgbejeJkT.bat	Get hash	malicious	Unknown	Browse	20.233.83.145
	ni2OwV1y9u.bat	Get hash	malicious	Unknown	Browse	20.233.83.145

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	52.151.111.14
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	20.55.13.142
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	40.92.162.115
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	20.173.233.245
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	20.183.227.19
	pyld611114.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	Lu4421.exe	Get hash	malicious	AsyncRAT, DcRat, Stealerium	Browse	20.233.83.145
	http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32	Get hash	malicious	Unknown	Browse	52.170.203.157
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	52.182.143.210
	x0EMKX5G1g.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	20.233.83.145

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
e0fe397a5edfba9a6facc7c7b341f4eb	nnu_malware.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	eb436d4f.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	Ace_Stream_Media_3.1.32.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	RFQ546092227865431209PDF.exe	Get hash	malicious	Unknown	Browse	20.233.83.145
	ORDER-210309.exe	Get hash	malicious	AsyncRAT	Browse	20.233.83.145
	99ytGeokLb.exe	Get hash	malicious	Unknown	Browse	20.233.83.145

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI10802\_hashlib.pyd	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Amadey	Browse
	t2KTeQbdBN.exe	Get hash	malicious	Unknown	Browse
	IuoEx4dekI.exe	Get hash	malicious	Unknown	Browse
	VxJYz09IcU	Get hash	malicious	Unknown	Browse
	winUpdSrv.exe	Get hash	malicious	Unknown	Browse
	nnu_malware.exe	Get hash	malicious	Unknown	Browse
	Lumberjack.exe	Get hash	malicious	Unknown	Browse
	03abedd5_by_Libranalysis.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI10802\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1101824
Entropy (8bit):	6.872224946601528
Encrypted:	false
SSDEEP:	24576:wYeKOt9Hb/4BGjUIWbL5bEromH/1+Mb7zV+KpPoBsEeMZ1pSJx+waNJ:GQBjIwL98f7b7ZHMLpS3+waNJ
MD5:	55A29EC9721C509A5B20D1A037726CFA
SHA1:	EABA230581D7B46F316D6603EA15C1E3C9740D04
SHA-256:	DBDCF9E8CBA52043B5246AD0D234DA8BA4D6534B326BBBB28A6A391EDF6FA4CE
SHA-512:	E1A2993D4DD5F2E81F299FE158EE6D1F8EF95983113C9BEA9A087E42205FF06AC563762DE5A0B70B535EFE8CF9F980FFC14C1318AAF58DE3644277E3602E0AB3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: t2KTeQbdBN.exe, Detection: malicious, Browse Filename: IuoEx4dekI.exe, Detection: malicious, Browse Filename: VxJYz09IcU, Detection: malicious, Browse Filename: winUpdSrv.exe, Detection: malicious, Browse Filename: nnu_malware.exe, Detection: malicious, Browse Filename: Lumberjack.exe, Detection: malicious, Browse Filename: 03abedd5_by_Libranalysis.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FX.Z.9...9...9...A...9...A...9...A...9...A...9...9...9...9...9...A...8...A...9...A...9..Rich.9..........PE..L......^...........!.....n...........r....................................... ............@.............................L....................................p......p...................................@...............P............................text....m.......n.................. ..`.rdata...^.......`...r..............@..@.data............T..................@....reloc......p.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI10802\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	6.53763754638404
Encrypted:	false
SSDEEP:	768:LRZyVeIHZOETVI+KHtjEGDqFPBesNoC+M6Le+rA8X:deOETV1KH5qFPMC7gLDJ
MD5:	3986998B3753483F8B28C721FEF6F8E4
SHA1:	2EF3C0FAC94C85276721EE2980F49B1BAFEF597D
SHA-256:	CBC23D6C2E3E2950452C7D255DA1452338301A4C9A0B09EBA83287709D2A5000
SHA-512:	258E2805440B36E20702C1447597698EF18A5A7F890CFECE55BD4F797073C87E7BDE659DB3E2474E9B998213D76E2C3D5221659C6827237E06B3B6F4B3643AE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......AV2..7\..7\..7\..O..7\..O..7\..O..7\..7]..7\..O..7\..O..7\..O..7\..O..7\.Rich.7\.........................PE..L.....^...........!.....\...Z.......e.......p............................................@............................d...L...d...............................\|...`r..............................(...@............p..@............................text....[.......\.................. ..`.rdata..4 ...p..."...`..............@..@.data...x*.......(..................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI10802\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1422336
Entropy (8bit):	6.8498093470232755
Encrypted:	false
SSDEEP:	24576:6ULSpvnsen1MiGl/hW5nGwwpMFmdLdl3Bp4vuPH5HUMecjhpXu4Fq+KpPZTx63g4:QvnZopheGwXk4i0Mo4ASgHpv5RKHjQj8
MD5:	9BE53B53C1EC6B56663F45464EDFCDE9
SHA1:	F8F5DD5640D594A2B53F5BBD12893C11CF4B7D55
SHA-256:	B572BF14CA3D3E5158B89314B6FE2129A753EDACA1958E252784561F33F9ECDA
SHA-512:	A52727B54A03246B74460A2741324B371CCAA083A4F3123FD1175A3061D3B6707DDBAAA73B3E39435CFFD8D3018EE2DEE8BAD6C58A17FAA55B6D05A3B38EE78B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................0......&......!..................6......,.:....7......4....Rich...................PE..L....^...........!......................... ............................................@..........................<..D....(............................... .......#...............................'..@............ ...............................text...7........................... ..`.rdata..$.... ......................@..@.data........@.......*..............@....reloc..\|.... ......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI10802\bz2.pyd

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	71168
Entropy (8bit):	6.739969664926487
Encrypted:	false
SSDEEP:	1536:Ijfp8+QhToyh3Y1rr24S1uBXTZva+j+d8S+fkPPYnLr:IbLuYlq4SuXTZva+j+yZfWC
MD5:	813C016E2898C6A2C1825B586DE0AE61
SHA1:	7113EFCCCB6AB047CDFDB65BA4241980C88196F4
SHA-256:	693DFC5CCB8555A4183D4E196865EF0A766D7E53087C39059D096D03D6F64724
SHA-512:	DBB4ADD301EA127669D5DAC4226CE0F5D6E5B2E50773DB5C8083A9045A3CBA0FCF6EA253A1183A4C87752BD3C5EB84128103A6D8ADE71A7E410831B826D323AD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.S.9.=K9.=K9.=K..K:.=K0..K:.=K0..K7.=K0..K;.=K0..K>.=K9.<KS.=K0..K1.=K0..K8.=K0..K8.=KRich9.=K................PE..L......^...........!.........P...............................................@............@.............................B...L...P............................0......................................H...@............................................text............................... ..`.rdata.."...........................@..@.data...P'.......$..................@....reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI10802\data.exe.manifest

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1341
Entropy (8bit):	5.280300736417038
Encrypted:	false
SSDEEP:	24:2dtn3ZlglN2v+zg4NnEN4X1mc0+bLg4fNRme5rcb3S:ch3jgX2+zg4i01mJ+bLg4VRmemS
MD5:	585BDFE3FA40F4667674269E31CB3CDB
SHA1:	646DF297C69AEE3E57293521346118EDEBE248E2
SHA-256:	DEC743E7FE1078B06B91D60B03609DE800D81756C61004B8F2F0234D15757903
SHA-512:	A21F6E7E24BD736279A2A49CCEDBD94D2BD366673A5D9F0966CE5A2A5A1A1E2A6BBE68F39A525A8B3083AAC82D1B0A145FED52FBFA1A3505F1A17CA432F6F20D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">.. <assemblyIdentity name="data" processorArchitecture="x86" type="win32" version="1.0.0.0"/>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.VC90.CRT" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b" type="win32" version="9.0.30729.4940"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>.. </dependentAssembly>.. </dependency>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity language="*" name="Microsoft.Windows.Common-Controls" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" type="win32" version="6.0.0.0"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>.. </dependentAssembly>.. </dependency>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{1f676c76-80e1-42

C:\Users\user\AppData\Local\Temp\_MEI10802\microsoft.vc90.crt.manifest

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1050
Entropy (8bit):	5.382088691477628
Encrypted:	false
SSDEEP:	24:2dtn3mGv+zg4NnEN4XojC6vuVWV5rcb3S:ch35+zg4i0oKWmS
MD5:	FEDFDF2256720BADEFF9205E784B5DC8
SHA1:	014F80BBB14D6F9ED5FCF0757BF2BEF1A22B3B88
SHA-256:	6373FB8261AF01506DC57DEE535A0BE800F3A59B18B0CC1E276807C746329FF6
SHA-512:	F327A925FC067D0CBF06DE57DB791906629509CEE109CB3DBCA2349901EF4E41FD8BF33B56F5FAA647388F6266174960244E4F5CCA260F218440D9A1CC4DAA9B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">.. <noInheritable/>.. <assemblyIdentity name="Microsoft.VC90.CRT" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b" type="win32" version="9.0.30729.4940"/>.. <file hash="c27a4547fb05f4fb4a675713da9fe280405d4e7b" hashalg="SHA1" name="msvcr90.dll"/>.. <file hash="965ba7119c94a3e462b0480492a114411a85c396" hashalg="SHA1" name="msvcp90.dll"/>.. <file hash="216d23bdea36a638d68a9f9287c25008a88285ad" hashalg="SHA1" name="msvcm90.dll"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.. <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>.. <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>..

C:\Users\user\AppData\Local\Temp\_MEI10802\msvcm90.dll

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	225280
Entropy (8bit):	6.036101465527911
Encrypted:	false
SSDEEP:	3072:Yk3eocziNzMLSMOYscmnWCAXm00LRk86Goao1IJU87/amFYw8fF01OyA9LX:v6OMqcEJAXb0LRn6fa3/amiX2Oy0
MD5:	7200DCA324F3D1ECD11B2B1250B2D6C7
SHA1:	DF3219CFBC6F6EE6EF025B320563A195BE46D803
SHA-256:	636E12FEA8C47EA528DBA48827AC51A2E98B2EF0864854C9375B8170555C0A6E
SHA-512:	DAC1154FC4E55F9E78C39FCD9FA28B1ABE36D67D9C71660BD58990A1F3864ACEAD7D1C7F55E390F3875B20685B447C3C494B3634F0DC4C7EF3B1E7A17115EB4B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;...h...h...h..ah...h1.dh...h..gh...h...h...h.-.h...h...h...h..qh...h..vh...h..`h...h..fh...h..ch...hRich...h........................PE..L...b.L...........!.....:..........Z........P....?x.........................0......\|w....@......................... 3..4....&..d...............................d...P...............................H...@...............(...........p...H............text...T9.......:.................. ..`.data........P.......>..............@....rsrc................H..............@..@.reloc...#.......$...L..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI10802\msvcp90.dll

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	569680
Entropy (8bit):	6.52221622647759
Encrypted:	false
SSDEEP:	12288:fCFE340h3e34GVZQACkIrYhUgiW6QR7t5183Ooc8SHkC2eHgAfl:fCh0h3e3vgzrA83Ooc8SHkC2eHgAfl
MD5:	DB001FAEA818AE2E14A74E0ADC530FC0
SHA1:	7DB49C1A611B38A4F494B1DB23087C751FAA3DE1
SHA-256:	45CB405589C92BF74C47B7C90E299A5732A99403C51F301A5B60579CAF3116E7
SHA-512:	90B8B52E797A43488D21AC9FC73C693B1337ABF46801BD5957C2AECCBA2A50550C54E6842D2CB26035B7F0C706C950C2F6AC99EB4DDD6E433B156BFDB2DF62E1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#%..Mv..Mv..Mv.66v..Mv...v..Mv..Lv:.Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..Mv...v..MvRich..Mv........................PE..L...\.L...........!.....4...p..............P....Hx......................................@..........................P..,....E..<.......................P.......D3...................................%..@............................................text....2.......4.................. ..`.data...t'...P.......8..............@....rsrc................R..............@..@.reloc..HC.......D...V..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI10802\msvcr90.dll

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	653136
Entropy (8bit):	6.883567262143348
Encrypted:	false
SSDEEP:	12288:Zhr4UCe8uLQrIYE8EdPz1n0/WGipK5d7AO7QlxxdmRyy1:981FYPz8WGip0d7AhpdmRyy1
MD5:	B3892E6DA8E2C8CE4B0A9D3EB9A185E5
SHA1:	E81C5908187D359EEDB6304184E761EFB38D6634
SHA-256:	AE163388201EF2F119E11265586E7DA32C6E5B348E0CC32E3F72E21EBFD0843B
SHA-512:	22E01E25BF97A0169049755246773CFC26162AF28248B27BF4B3DAAF3E89A853738064A2B42C0FEDB9BEDCB3DDAF3AE957A960E2AAB29784CBA312ED9E1C9285
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L...W.L...........!.....\..........@-.......p....Rx.........................0......*.....@..............................\|..0...(.......................P........3......................................@............................................text...T[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI10802\python27.dll

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2650112
Entropy (8bit):	6.72219915141047
Encrypted:	false
SSDEEP:	49152:ld0krhjbVYU9U/ElyrLKlvGBO58GBjG9nYM6JBe4PjnhMsQHNClhIdYTf2O+yX3T:QkrRyylvGB65YNCMghMtHIledkp+h
MD5:	9E9E57B47F4F840DDDC938DB54841D86
SHA1:	1ED0BE9C0DADCF602136C81097DA6FDA9E07DBBC
SHA-256:	608FEAFC63A0D1B38772E275C9E6D3B8A5B03EFC0A27EB397107DB0A6D079C50
SHA-512:	1A0DAB38EBF4D995BCDA3BDF0453C85D524CC1FFF1C1B92160794D7C2F98F53088BA15C4B00B35D06E0BE82A4BFA6D92CD4F09DEC4EC98D615A82D5FFD5CB6C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Bu....{...{...{..[...{..l...{..l....{..l....{..l...{...z.<.{..l..{..l...{..l...{..l...{.Rich..{.................PE..L...x..^...........!.........................................................).....\g)...@..........................g!..\|...Q!.x....@(.D....................P(.P\.. ................................O!.@............................................text...z........................... ..`.rdata...D.......F..................@..@.data...pC....!..(....!.............@....rsrc...D....@(.......&.............@..@.reloc..~f...P(..h....'.............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI10802\select.pyd

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.843142645527012
Encrypted:	false
SSDEEP:	192:qFXJRZobEm7QNw7MPDdqPSU+QErXUnv3XDVR6yiXc1U5O:qFXJnjCAPDdFBQGXoPzV5ku1
MD5:	E6ECFF0D1588FED3A61EDC1A1A5EB9BB
SHA1:	2A3913A69DBDDA8AEFBE1F290753435979791A37
SHA-256:	345969D43B33717415BD5796D5A7B266592DC79A96543714828FF8FC1F249D18
SHA-512:	F59B356833840126F31F70DDB0E7F661DB8528D82AA9450E299B81FE5ADDA35D44F3BCEB52FB27E6843CF497211470F439A232C73245F8C606B31CB13322CD6F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...zRich...z........PE..L......^...........!.........................0...............................`............@..........................8..H....3..d............................P.......1...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@....... ..............@....reloc.......P.......&..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI10802\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\main.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	687104
Entropy (8bit):	5.428887209456378
Encrypted:	false
SSDEEP:	12288:Qs363AxoMPBt8FpQsVdFiI5mZMPXubUxktwd:d3oxM8XQsVdXSPAxLd
MD5:	A46E180E03AB5C2D802B8E6214067500
SHA1:	5DE5EFBCE2E6E81B6B954B843090B387B7BA927E
SHA-256:	689E5061CEFDA6223477A6A05906A500D59BD1B2A7458730B8D43C9D3B43BDBA
SHA-512:	68BD7AE714FB4F117EB53A0FB968083772AAEAA6428AE8510E5C109361B140C98415A1955FCA49DB3E9E1B6AE19909E9C50110F499306476D01141C479C16335
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{H..?).?).?).6QE.=).6QS.1).6QT.=).6QC.8).?)..).6QY.>).6QB.>).6QA.>).Rich?).................PE..L......^...........!.....(...R.......0.......@............................................@.........................pX..R...LR..P................................... A..............................@Q..@............@...............................text... &.......(.................. ..`.rdata.......@.......,..............@..@.data....+...`...*...F..............@....reloc..,............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.750153765963463
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	main.exe
File size:	5'620'920 bytes
MD5:	935ddf8c175da8cb95fff0870e0718fc
SHA1:	8c026153157f0b84e29080326bbbd1ea6d1ddcb6
SHA256:	19ea2bfba48a832b1342fdb60e1d5686d47f3b788d3de162f6ff087a71ed96e4
SHA512:	bc77c2ede8a5c4f8fb8b23cc5b9299cbb0af12ee4dbd4d1519c1fbc9835b89d38acbfe0e987ea73c7944823e69e91fae5cd2e3a3d4b1ea0fc96e8ff0390fc0a3
SSDEEP:	98304:I/HKcBQvb4YiTZ7FnsLeSAUZqTxQefq0BSvi0WcGlt6:9caZiF7FsvA0qltC0l0W/6
TLSH:	AB46F190A3504149D07D987DCC6999F8D6AE3C559F205A7F209BFE0F29B218D0F81EFA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................./...............................@..................................'V....... ............................

File Icon


Icon Hash:	ba8acb2bcba6a6ba

Static PE Info

General

Entrypoint:	0x4014d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x409620, 0x4095d0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d67ee6607bbc19dbb5da771971f8b90a

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [0041E2D8h], 00000001h
call 00007F00E0DBF463h
add esp, 0Ch
jmp 00007F00E0DB66CBh
lea esi, dword ptr [esi+00000000h]
sub esp, 0Ch
mov dword ptr [0041E2D8h], 00000000h
call 00007F00E0DBF443h
add esp, 0Ch
jmp 00007F00E0DB66ABh
nop
nop
nop
nop
nop
nop
sub esp, 1Ch
mov eax, dword ptr [0041F2CCh]
mov eax, dword ptr [eax]
mov dword ptr [esp+04h], eax
mov eax, dword ptr [0041F2B8h]
mov eax, dword ptr [eax]
mov dword ptr [esp], eax
call 00007F00E0DBA678h
mov dword ptr [esp+04h], eax
mov eax, dword ptr [0041F2B8h]
mov eax, dword ptr [eax]
mov dword ptr [esp], eax
call 00007F00E0DB7C75h
add esp, 1Ch
retn 0010h
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push edi
push esi
sub edx, 58h
push ebx
mov ebx, eax
sub esp, 10h
mov dword ptr [esp+08h], 00000000h
mov dword ptr [esp+04h], edx
mov eax, dword ptr [eax]
mov dword ptr [esp], eax
call 00007F00E0DBFD44h
test eax, eax
jne 00007F00E0DB6A72h
mov eax, dword ptr [ebx]
lea esi, dword ptr [ebx+10h]
mov dword ptr [esp+08h], 00000001h
mov dword ptr [esp+04h], 00000058h
mov dword ptr [esp], esi
mov dword ptr [esp+0Ch], eax
call 00007F00E0DBFD27h
test eax, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f000	0xbbc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x1592da	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x21004	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1f220	0x1bc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x99f0	0x9a00	aee982858c412ceb6af96d2da3068960	False	0.5291193181818182	data	6.128830026698397	IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb000	0x38	0x200	402e682b5ef4cfc4b27a3bb1da4048a4	False	0.095703125	data	0.6574341217726709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc000	0x5008	0x5200	8bfb0ecac1fc615c56762732a6d45dd9	False	0.5832221798780488	data	6.940294876766259	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x12000	0xc698	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1f000	0xbbc	0xc00	83f5ce5d9a68a49299ae90e9cd91badd	False	0.4140625	data	5.1321959974465745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x20000	0x34	0x200	a58f7b8492558123b26aaa6b66f63276	False	0.0703125	Matlab v4 mat-file (little endian) \260\226@, numeric, rows 4198704, columns 0	0.2748254782599745	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x21000	0x20	0x200	88ccc80dac4bd1f9148b2513bb8c801b	False	0.056640625	data	0.190488766434666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x22000	0x1592da	0x159400	c712722c8663503994a379906f5cee0b	False	0.45304297157856627	data	6.273628377493384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x27d84	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x27d88	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x27d8c	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x27d90	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x27d94	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x27d98	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x27d9c	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x27da0	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x27da4	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x27da8	0x2	data	English	United States	5.0
PNG	0x27dac	0x59c	PNG image data, 52 x 52, 8-bit/color RGBA, non-interlaced	English	United States	1.0076601671309193
PNG	0x28348	0x581	PNG image data, 52 x 52, 8-bit/color RGBA, non-interlaced	English	United States	1.0078069552874378
PNG	0x288cc	0x4e0	PNG image data, 43 x 43, 8-bit/color RGBA, non-interlaced	English	United States	1.0088141025641026
PNG	0x28dac	0x4cc	PNG image data, 43 x 43, 8-bit/color RGBA, non-interlaced	English	United States	1.008957654723127
PNG	0x29278	0x3b5	PNG image data, 35 x 35, 8-bit/color RGBA, non-interlaced	English	United States	1.01159114857745
PNG	0x29630	0x399	PNG image data, 35 x 35, 8-bit/color RGBA, non-interlaced	English	United States	1.011943539630836
PNG	0x299cc	0x49a	PNG image data, 52 x 52, 8-bit/color RGBA, non-interlaced	English	United States	1.0093378607809846
PNG	0x29e68	0x485	PNG image data, 52 x 52, 8-bit/color RGBA, non-interlaced	English	United States	1.0095073465859983
PNG	0x2a2f0	0x401	PNG image data, 43 x 43, 8-bit/color RGBA, non-interlaced	English	United States	1.0107317073170732
PNG	0x2a6f4	0x3ef	PNG image data, 43 x 43, 8-bit/color RGBA, non-interlaced	English	United States	1.0109235352532273
PNG	0x2aae4	0x31a	PNG image data, 35 x 35, 8-bit/color RGBA, non-interlaced	English	United States	1.013853904282116
PNG	0x2ae00	0x2f4	PNG image data, 35 x 35, 8-bit/color RGBA, non-interlaced	English	United States	1.0145502645502646
PNG	0x2b0f4	0xda	PNG image data, 16 x 14, 8-bit/color RGBA, non-interlaced	English	United States	0.9954128440366973
PNG	0x2b1d0	0xc7	PNG image data, 20 x 18, 8-bit/color RGBA, non-interlaced	English	United States	0.9949748743718593
PNG	0x2b298	0xe6	PNG image data, 24 x 21, 8-bit/color RGBA, non-interlaced	English	United States	0.9869565217391304
PNG	0x2b380	0xd3	PNG image data, 32 x 28, 8-bit/color RGBA, non-interlaced	English	United States	0.981042654028436
PNG	0x2b454	0xb24	PNG image data, 5 x 3, 8-bit/color RGBA, non-interlaced			1.0038569424964936
PNG	0x2bf78	0x5f8	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced			1.007198952879581
PNG	0x2c570	0x31d	PNG image data, 120 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.013801756587202
PNG	0x2c890	0x170	PNG image data, 288 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.002717391304348
PNG	0x2ca00	0x2151	PNG image data, 224 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0012897174346347
PNG	0x2eb54	0x3ced	PNG image data, 336 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0007052638327885
PNG	0x32844	0x54c8	PNG image data, 448 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.0007371913011427
PNG	0x37d0c	0x7453	PNG image data, 560 x 40, 8-bit/color RGBA, non-interlaced	English	United States	1.0005372913798314
PNG	0x3f160	0x8594	PNG image data, 672 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0001462159316878
PNG	0x476f4	0x96f	PNG image data, 160 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0045548654244307
PNG	0x48064	0x11de	PNG image data, 240 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0024048972452995
PNG	0x49244	0x1816	PNG image data, 320 x 32, 8-bit/color RGBA, non-interlaced	English	United States	0.9970807654881609
PNG	0x4aa5c	0x21df	PNG image data, 480 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.994233652404567
PNG	0x4cc3c	0x97a	PNG image data, 160 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0045342126957955
PNG	0x4d5b8	0x11f8	PNG image data, 240 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.002391304347826
PNG	0x4e7b0	0x17f9	PNG image data, 320 x 32, 8-bit/color RGBA, non-interlaced	English	United States	0.997229916897507
PNG	0x4ffac	0x21fb	PNG image data, 480 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9952868145763881
PNG	0x521a8	0x8bf	PNG image data, 160 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0049129075480125
PNG	0x52a68	0x1070	PNG image data, 240 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.0026140684410647
PNG	0x53ad8	0x15f1	PNG image data, 320 x 32, 8-bit/color RGBA, non-interlaced	English	United States	0.997507566316539
PNG	0x550cc	0x1f15	PNG image data, 480 x 48, 8-bit/color RGBA, non-interlaced	English	United States	0.9940932512253362
PNG	0x56fe4	0x20f0	PNG image data, 343 x 85, 8-bit/color RGBA, non-interlaced	English	United States	0.9730787476280834
PNG	0x590d4	0x2092	PNG image data, 256 x 16, 8-bit/color RGBA, non-interlaced			1.0013192612137203
PNG	0x5b168	0x1313	PNG image data, 160 x 16, 8-bit/color RGBA, non-interlaced			1.0022527134958017
PNG	0x5c47c	0x54d	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced			1.0081061164333087
PNG	0x5c9cc	0xdb	PNG image data, 43 x 43, 4-bit colormap, non-interlaced			0.9452054794520548
PNG	0x5caa8	0x17e2	PNG image data, 120 x 109, 8-bit colormap, non-interlaced			1.001799149492967
PNG	0x5e28c	0x188b	PNG image data, 120 x 109, 8-bit colormap, non-interlaced			1.0017507560082763
PNG	0x5fb18	0x1928	PNG image data, 120 x 109, 8-bit colormap, non-interlaced			1.0017080745341616
PNG	0x61440	0x156d	PNG image data, 391 x 75, 8-bit colormap, non-interlaced			1.0
PNG	0x629b0	0x986	PNG image data, 272 x 160, 8-bit/color RGB, non-interlaced			0.9905660377358491
PNG	0x63338	0x7ff	PNG image data, 340 x 200, 8-bit/color RGB, non-interlaced			0.9399120664386907
PNG	0x63b38	0x942	PNG image data, 408 x 240, 8-bit/color RGB, non-interlaced			0.9143459915611815
PNG	0x6447c	0xb2d	PNG image data, 544 x 320, 8-bit/color RGB, non-interlaced			0.834673191191891
PNG	0x64fac	0x8b7	PNG image data, 272 x 160, 8-bit/color RGB, non-interlaced			0.9834155087404751
PNG	0x65864	0x74e	PNG image data, 340 x 200, 8-bit/color RGB, non-interlaced			0.9566844919786096
PNG	0x65fb4	0x84b	PNG image data, 408 x 240, 8-bit/color RGB, non-interlaced			0.8657560056523788
PNG	0x66800	0xa55	PNG image data, 544 x 320, 8-bit/color RGB, non-interlaced			0.831758034026465
PNG	0x67258	0x10e5	PNG image data, 272 x 160, 8-bit/color RGB, non-interlaced			0.9176878612716763
PNG	0x68340	0xaee	PNG image data, 340 x 200, 8-bit/color RGB, non-interlaced			0.9560400285918513
PNG	0x68e30	0xc81	PNG image data, 408 x 240, 8-bit/color RGB, non-interlaced			0.9406435488909716
PNG	0x69ab4	0xeae	PNG image data, 544 x 320, 8-bit/color RGB, non-interlaced			0.8610963278339542
PNG	0x6a964	0x17e8	PNG image data, 161 x 122, 8-bit/color RGB, non-interlaced			1.0001633986928105
PNG	0x6c14c	0x278f	PNG image data, 200 x 152, 8-bit/color RGB, non-interlaced			0.9972351140515454
PNG	0x6e8dc	0x2a8e	PNG image data, 241 x 182, 8-bit/color RGB, non-interlaced			0.9926565081696347
PNG	0x7136c	0x4295	PNG image data, 322 x 244, 8-bit/color RGB, non-interlaced			0.9931358169551188
PNG	0x75604	0xf6e	PNG image data, 48 x 16, 8-bit/color RGBA, non-interlaced			1.0027848101265824
PNG	0x76574	0x4e9	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced			1.0087509944311854
STYLE	0x76a60	0x63e0	Zip archive data, at least v2.0 to extract, compression method=store	English	United States	0.5156836670838548
STYLE	0x7ce40	0xa00a	Zip archive data, at least v2.0 to extract, compression method=store	English	United States	0.6362216255796924
TEXTFILE	0x86e4c	0x58d0	Generic INItialization configuration [Theme]	English	United States	0.21257037297677692
TEXTFILE	0x8c71c	0x5765	Generic INItialization configuration [Theme]	English	United States	0.2125776605730121
TEXTFILE	0x91e84	0x5727	Generic INItialization configuration [Theme]	English	United States	0.20980682174712026
TEXTFILE	0x975ac	0x594c	Generic INItialization configuration [Theme]	English	United States	0.21071741032370953
TEXTFILE	0x9cef8	0x5995	Generic INItialization configuration [Theme]	English	United States	0.20306981206122182
WAVE	0xa2890	0x2402c	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz			0.6094305084745762
WAVE	0xc68bc	0x1f72c	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz			0.653200012421203
RT_CURSOR	0xe5fe8	0x10ac	AmigaOS bitmap font "(", fc_YSize 0, 3840 elements, 2nd "", 3rd ""	English	United States	0.07333645735707592
RT_CURSOR	0xe7094	0x8ac	AmigaOS bitmap font "(", fc_YSize 0, 3840 elements, 2nd "", 3rd ""	English	United States	0.051351351351351354
RT_CURSOR	0xe7940	0x2ec	AmigaOS bitmap font "(", fc_YSize 4294963200, 3840 elements, 2nd "", 3rd ""	English	United States	0.15240641711229946
RT_CURSOR	0xe7c2c	0x134	AmigaOS bitmap font "(", fc_YSize 4294967292, 3840 elements, 2nd "\377\374\177\377\377\374\177\377\377\374\177\377\377\374\177\377\377\374\177\377\377\374\177\377\377\374\177\377\377\374\177\377\377\376\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.262987012987013
RT_CURSOR	0xe7d60	0x134	data	English	United States	0.12337662337662338
RT_CURSOR	0xe7e94	0x134	data	English	United States	0.512987012987013
RT_CURSOR	0xe7fc8	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.4512987012987013
RT_CURSOR	0xe80fc	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.39285714285714285
RT_CURSOR	0xe8230	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0xe8364	0x134	AmigaOS bitmap font "(", fc_YSize 4294966784, 3072 elements, 2nd "\376", 3rd			0.4318181818181818
RT_CURSOR	0xe8498	0x134	data			0.5909090909090909
RT_CURSOR	0xe85cc	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.22077922077922077
RT_CURSOR	0xe8700	0x134	data			0.4383116883116883
RT_CURSOR	0xe8834	0x134	data			0.4675324675324675
RT_CURSOR	0xe8968	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"			0.40584415584415584
RT_CURSOR	0xe8a9c	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.4512987012987013
RT_CURSOR	0xe8bd0	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.39285714285714285
RT_CURSOR	0xe8d04	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0xe8e38	0xcac	data			0.08631319358816276
RT_CURSOR	0xe9ae4	0x134	AmigaOS bitmap font "(", fc_YSize 4294967288, 3840 elements, 2nd "\377\370\037\377\377\370\037\377\377\370\037\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd			0.32142857142857145
RT_CURSOR	0xe9c18	0xb4	Targa image data - RLE 32 x 65536 x 1 +16 "\001"			0.49444444444444446
RT_CURSOR	0xe9ccc	0x134	AmigaOS bitmap font "(", fc_YSize 4294967288, 3840 elements, 2nd "\377\360\037\377\377\370?\377\377\374\177\377\377\376\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd			0.33766233766233766
RT_CURSOR	0xe9e00	0xb4	Targa image data - RLE 32 x 65536 x 1 +16 "\001"			0.5
RT_CURSOR	0xe9eb4	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"			0.3181818181818182
RT_CURSOR	0xe9fe8	0x134	data			0.37012987012987014
RT_CURSOR	0xea11c	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4805194805194805
RT_CURSOR	0xea250	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"			0.7
RT_CURSOR	0xea304	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"			0.4025974025974026
RT_CURSOR	0xea438	0xb4	data			0.55
RT_CURSOR	0xea4ec	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.37662337662337664
RT_CURSOR	0xea620	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd			0.36363636363636365
RT_CURSOR	0xea754	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.36688311688311687
RT_CURSOR	0xea888	0x134	data			0.37662337662337664
RT_CURSOR	0xea9bc	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd			0.5422077922077922
RT_CURSOR	0xeaaf0	0x134	data			0.37337662337662336
RT_CURSOR	0xeac24	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0xead58	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"			0.35714285714285715
RT_CURSOR	0xeae8c	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"			0.36688311688311687
RT_CURSOR	0xeafc0	0x134	data			0.44155844155844154
RT_CURSOR	0xeb0f4	0x134	data			0.4155844155844156
RT_CURSOR	0xeb228	0x134	data			0.2662337662337662
RT_CURSOR	0xeb35c	0x134	data			0.2824675324675325
RT_CURSOR	0xeb490	0x134	data			0.3246753246753247
RT_BITMAP	0xeb5c4	0x3a0	Device independent bitmap graphic, 80 x 11 x 8, image size 0, resolution 3780 x 3780 px/m, 2 important colors	English	United States	0.15301724137931033
RT_BITMAP	0xeb964	0x1090	Device independent bitmap graphic, 100 x 14 x 24, image size 4200, resolution 3779 x 3779 px/m	English	United States	0.061556603773584906
RT_BITMAP	0xec9f4	0x16a8	Device independent bitmap graphic, 120 x 16 x 24, image size 5760, resolution 3779 x 3779 px/m	English	United States	0.046724137931034485
RT_BITMAP	0xee09c	0x2968	Device independent bitmap graphic, 160 x 22 x 24, image size 10560, resolution 3779 x 3779 px/m	English	United States	0.038867924528301886
RT_BITMAP	0xf0a04	0x428	Device independent bitmap graphic, 128 x 15 x 4, image size 960	English	United States	0.3618421052631579
RT_BITMAP	0xf0e2c	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768, 16 important colors	English	United States	0.1915137614678899
RT_BITMAP	0xf1194	0x1268	Device independent bitmap graphic, 288 x 32 x 4, image size 4608, 16 important colors	English	United States	0.039473684210526314
RT_BITMAP	0xf23fc	0x1268	Device independent bitmap graphic, 288 x 32 x 4, image size 4608, 16 important colors	English	United States	0.039473684210526314
RT_BITMAP	0xf3664	0xba8	Device independent bitmap graphic, 240 x 24 x 4, image size 2880, resolution 3779 x 3779 px/m	English	United States	0.10924932975871314
RT_BITMAP	0xf420c	0xb0	Device independent bitmap graphic, 64 x 16 x 1, image size 128, 2 important colors			0.5284090909090909
RT_BITMAP	0xf42bc	0x1568	Device independent bitmap graphic, 672 x 16 x 4, image size 0			0.30620437956204377
RT_BITMAP	0xf5824	0x168	Device independent bitmap graphic, 32 x 16 x 4, image size 256			0.25833333333333336
RT_BITMAP	0xf598c	0x24c	Device independent bitmap graphic, 88 x 11 x 4, image size 484			0.25510204081632654
RT_BITMAP	0xf5bd8	0x158	Device independent bitmap graphic, 32 x 15 x 4, image size 240			0.436046511627907
RT_BITMAP	0xf5d30	0x24a	Device independent bitmap graphic, 64 x 15 x 4, image size 482, resolution 2834 x 2834 px/m			0.30716723549488056
RT_BITMAP	0xf5f7c	0x1b8	Device independent bitmap graphic, 56 x 12 x 4, image size 336			0.43863636363636366
RT_BITMAP	0xf6134	0x158	Device independent bitmap graphic, 36 x 12 x 4, image size 240			0.33430232558139533
RT_BITMAP	0xf628c	0x158	Device independent bitmap graphic, 36 x 12 x 4, image size 240			0.36046511627906974
RT_BITMAP	0xf63e4	0x2c0	Device independent bitmap graphic, 80 x 15 x 4, image size 600			0.2741477272727273
RT_BITMAP	0xf66a4	0x158	Device independent bitmap graphic, 32 x 15 x 4, image size 240			0.3488372093023256
RT_BITMAP	0xf67fc	0x2c0	Device independent bitmap graphic, 80 x 15 x 4, image size 600			0.4005681818181818
RT_BITMAP	0xf6abc	0x668	Device independent bitmap graphic, 20 x 20 x 32, image size 0			0.3603658536585366
RT_BITMAP	0xf7124	0x668	Device independent bitmap graphic, 20 x 20 x 32, image size 0			0.3567073170731707
RT_BITMAP	0xf778c	0xc8	Device independent bitmap graphic, 10 x 12 x 4, image size 96, resolution 3780 x 3780 px/m			0.51
RT_BITMAP	0xf7854	0xec	Device independent bitmap graphic, 22 x 11 x 4, image size 132, resolution 3779 x 3779 px/m			0.3898305084745763
RT_BITMAP	0xf7940	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80			0.44565217391304346
RT_BITMAP	0xf79f8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220			0.37962962962962965
RT_ICON	0xf7b3c	0x138c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9456434852118305
RT_ICON	0xf8ec8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.06349816633147995
RT_ICON	0x1096f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.2491701244813278
RT_ICON	0x10bc98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.2682926829268293
RT_ICON	0x10cd40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.42418032786885246
RT_ICON	0x10d6c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4601063829787234
RT_ICON	0x10db30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.2950207468879668
RT_ICON	0x1100d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3562382739212008
RT_ICON	0x111180	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5016393442622951
RT_ICON	0x111b08	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.574468085106383
RT_ICON	0x111f70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.03848547717842324
RT_ICON	0x114518	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720	English	United States	0.046005917159763314
RT_ICON	0x115f80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.058395872420262666
RT_ICON	0x117028	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.08278688524590164
RT_ICON	0x1179b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.1276595744680851
RT_ICON	0x117e18	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.27665245202558636
RT_ICON	0x118cc0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.2901624548736462
RT_ICON	0x119568	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.271889400921659
RT_ICON	0x119c30	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.20014450867052022
RT_ICON	0x11a198	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.15487551867219918
RT_ICON	0x11c740	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.2523452157598499
RT_ICON	0x11d7e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.3651639344262295
RT_ICON	0x11e170	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5115248226950354
RT_ICON	0x11e5d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.5631663113006397
RT_ICON	0x11f480	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.6805054151624549
RT_ICON	0x11fd28	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.5702764976958525
RT_ICON	0x1203f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3258670520231214
RT_ICON	0x120958	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.15829875518672198
RT_ICON	0x122f00	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.2579737335834897
RT_ICON	0x123fa8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.3790983606557377
RT_ICON	0x124930	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.5132978723404256
RT_ICON	0x124d98	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.0953757225433526
RT_ICON	0x125300	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.24097510373443984
RT_ICON	0x1278a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.37030956848030017
RT_ICON	0x128950	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.46557377049180326
RT_ICON	0x1292d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6338652482269503
RT_ICON	0x129740	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors			0.4118663594470046
RT_ICON	0x129e08	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.06937883797827114
RT_ICON	0x12e030	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.10560165975103734
RT_ICON	0x1305d8	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.12337278106508875
RT_ICON	0x132040	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.1343808630393996
RT_ICON	0x1330e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.2647540983606557
RT_ICON	0x133a70	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.2633720930232558
RT_ICON	0x134128	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.2801418439716312
RT_ICON	0x134590	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.0776452527161077
RT_ICON	0x1387b8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.10612033195020747
RT_ICON	0x13ad60	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.16272189349112426
RT_ICON	0x13c7c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.18691369606003752
RT_ICON	0x13d870	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.29221311475409834
RT_ICON	0x13e1f8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.3436046511627907
RT_ICON	0x13e8b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.30851063829787234
RT_ICON	0x13ed18	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.059931506849315065
RT_ICON	0x142f40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.09647302904564316
RT_ICON	0x1454e8	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.11079881656804734
RT_ICON	0x146f50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.12288930581613508
RT_ICON	0x147ff8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.21762295081967212
RT_ICON	0x148980	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.24302325581395348
RT_ICON	0x149038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.2526595744680851
RT_ICON	0x1494a0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.09169815777042985
RT_ICON	0x14d6c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.11991701244813278
RT_ICON	0x14fc70	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.1853550295857988
RT_ICON	0x1516d8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.21974671669793622
RT_ICON	0x152780	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.32008196721311477
RT_ICON	0x153108	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.37790697674418605
RT_ICON	0x1537c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.39184397163120566
RT_ICON	0x153c28	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.0886868209730751
RT_ICON	0x157e50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.13309128630705394
RT_ICON	0x15a3f8	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.14852071005917158
RT_ICON	0x15be60	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.175422138836773
RT_ICON	0x15cf08	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.28852459016393445
RT_ICON	0x15d890	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.3377906976744186
RT_ICON	0x15df48	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.35638297872340424
RT_ICON	0x15e3b0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.02202409069437884
RT_ICON	0x1625d8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.028526970954356846
RT_ICON	0x164b80	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 6720			0.033579881656804735
RT_ICON	0x1665e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.04221388367729831
RT_ICON	0x167690	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.05450819672131148
RT_ICON	0x168018	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1680			0.06511627906976744
RT_ICON	0x1686d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.07446808510638298
RT_MENU	0x168b38	0x832	data	English	United States	0.42087702573879887
RT_MENU	0x16936c	0xac	data	English	United States	0.6569767441860465
RT_MENU	0x169418	0x690	data	English	United States	0.3142857142857143
RT_MENU	0x169aa8	0xb0	Matlab v4 mat-file (little endian) &, numeric, rows 5505168, columns 6357106, imaginary	English	United States	0.6534090909090909
RT_MENU	0x169b58	0x1cc	data	English	United States	0.45869565217391306
RT_MENU	0x169d24	0x1d0	data	English	United States	0.49353448275862066
RT_MENU	0x169ef4	0x144	data	English	United States	0.49074074074074076
RT_MENU	0x16a038	0x1e2	data	English	United States	0.34854771784232363
RT_MENU	0x16a21c	0x9a	data	English	United States	0.5909090909090909
RT_MENU	0x16a2b8	0x222	data	English	United States	0.4175824175824176
RT_DIALOG	0x16a4dc	0x122	data	English	United States	0.6275862068965518
RT_DIALOG	0x16a600	0x4ea	data	English	United States	0.42845786963434024
RT_DIALOG	0x16aaec	0x3b0	data	English	United States	0.4099576271186441
RT_DIALOG	0x16ae9c	0x20a	data	English	United States	0.5019157088122606
RT_DIALOG	0x16b0a8	0x128	data	English	United States	0.6114864864864865
RT_DIALOG	0x16b1d0	0x294	data	English	United States	0.4318181818181818
RT_DIALOG	0x16b464	0x2a4	data	English	United States	0.4334319526627219
RT_DIALOG	0x16b708	0x428	data	English	United States	0.36466165413533835
RT_DIALOG	0x16bb30	0x36c	data	English	United States	0.4691780821917808
RT_DIALOG	0x16be9c	0x23c	data	English	United States	0.48776223776223776
RT_DIALOG	0x16c0d8	0x20e	data	English	United States	0.5038022813688213
RT_DIALOG	0x16c2e8	0x212	data	English	United States	0.569811320754717
RT_DIALOG	0x16c4fc	0xa0	data	English	United States	0.58125
RT_DIALOG	0x16c59c	0x690	data	English	United States	0.3535714285714286
RT_DIALOG	0x16cc2c	0x276	data	English	United States	0.44126984126984126
RT_DIALOG	0x16cea4	0x2c4	data	English	United States	0.4505649717514124
RT_DIALOG	0x16d168	0x2bc	data	English	United States	0.48142857142857143
RT_DIALOG	0x16d424	0x16e	data	English	United States	0.5109289617486339
RT_DIALOG	0x16d594	0x350	data	English	United States	0.44221698113207547
RT_DIALOG	0x16d8e4	0x1f4	data	English	United States	0.486
RT_DIALOG	0x16dad8	0x104	data	English	United States	0.6
RT_DIALOG	0x16dbdc	0x52	data			0.8048780487804879
RT_DIALOG	0x16dc30	0x128	data	English	United States	0.5844594594594594
RT_DIALOG	0x16dd58	0x436	data	English	United States	0.32189239332096475
RT_DIALOG	0x16e190	0xa0	data	English	United States	0.7
RT_DIALOG	0x16e230	0x26a	data	English	United States	0.4563106796116505
RT_DIALOG	0x16e49c	0x20a	data	English	United States	0.524904214559387
RT_DIALOG	0x16e6a8	0x3cc	data	English	United States	0.40843621399176955
RT_DIALOG	0x16ea74	0x286	data	English	United States	0.47523219814241485
RT_DIALOG	0x16ecfc	0xf8	data	English	United States	0.6209677419354839
RT_DIALOG	0x16edf4	0x140	data	English	United States	0.55625
RT_DIALOG	0x16ef34	0xd8	data	English	United States	0.6064814814814815
RT_DIALOG	0x16f00c	0x15a	data	English	United States	0.5115606936416185
RT_DIALOG	0x16f168	0xe8	data			0.6336206896551724
RT_DIALOG	0x16f250	0x1a2	data			0.4688995215311005
RT_DIALOG	0x16f3f4	0x15a	data			0.5086705202312138
RT_DIALOG	0x16f550	0x34	data			0.9038461538461539
RT_DIALOG	0x16f584	0x29a	data			0.35735735735735735
RT_DIALOG	0x16f820	0x23a	data			0.543859649122807
RT_DIALOG	0x16fa5c	0x126	data			0.6122448979591837
RT_STRING	0x16fb84	0x24	data	English	United States	0.4444444444444444
RT_STRING	0x16fba8	0x4e	data	English	United States	0.6794871794871795
RT_STRING	0x16fbf8	0xd8	data	English	United States	0.4722222222222222
RT_STRING	0x16fcd0	0xcc	data	English	United States	0.6421568627450981
RT_STRING	0x16fd9c	0x7c	Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0	English	United States	0.6532258064516129
RT_STRING	0x16fe18	0x3c	data	English	United States	0.6333333333333333
RT_STRING	0x16fe54	0x94	data	English	United States	0.6554054054054054
RT_STRING	0x16fee8	0x42	Matlab v4 mat-file (little endian) e, numeric, rows 0, columns 0	English	United States	0.7121212121212122
RT_STRING	0x16ff2c	0x5c	data	English	United States	0.6739130434782609
RT_STRING	0x16ff88	0x42	data	English	United States	0.7121212121212122
RT_STRING	0x16ffcc	0x104	data	English	United States	0.43846153846153846
RT_STRING	0x1700d0	0x7a	data	English	United States	0.7131147540983607
RT_STRING	0x17014c	0x126	data	English	United States	0.5816326530612245
RT_STRING	0x170274	0x2a2	AmigaOS bitmap font "R", fc_YSize 8192, 2560 elements, 2nd "a", 3rd "m"	English	United States	0.4421364985163205
RT_STRING	0x170518	0x82e	data	English	United States	0.3237822349570201
RT_STRING	0x170d48	0x260	data	English	United States	0.4342105263157895
RT_STRING	0x170fa8	0xca	data	English	United States	0.49504950495049505
RT_STRING	0x171074	0x12e	Matlab v4 mat-file (little endian) e, numeric, rows 0, columns 0	English	United States	0.47019867549668876
RT_STRING	0x1711a4	0x24e	data	English	United States	0.4576271186440678
RT_STRING	0x1713f4	0x260	data	English	United States	0.4555921052631579
RT_STRING	0x171654	0x4dc	data	English	United States	0.3520900321543408
RT_STRING	0x171b30	0xb8	AmigaOS bitmap font "t", 21248 elements, 2nd, 3rd	English	United States	0.6684782608695652
RT_STRING	0x171be8	0x10e	data	English	United States	0.5037037037037037
RT_STRING	0x171cf8	0x5e	data	English	United States	0.6382978723404256
RT_STRING	0x171d58	0xa0	Matlab v4 mat-file (little endian) A, numeric, rows 0, columns 0	English	United States	0.6875
RT_STRING	0x171df8	0x11e	data	English	United States	0.48951048951048953
RT_STRING	0x171f18	0x10a	data	English	United States	0.575187969924812
RT_STRING	0x172024	0x80	Matlab v4 mat-file (little endian) c, numeric, rows 0, columns 0	English	United States	0.5625
RT_STRING	0x1720a4	0x5e	data	English	United States	0.6595744680851063
RT_STRING	0x172104	0x106	data	English	United States	0.5458015267175572
RT_STRING	0x17220c	0x102	StarOffice Gallery theme q, 1795190272 objects, 1st o	English	United States	0.5852713178294574
RT_STRING	0x172310	0x12e	AmigaOS bitmap font "i", fc_YSize 28416, 19456 elements, 2nd "o", 3rd	English	United States	0.5761589403973509
RT_STRING	0x172440	0x66	data	English	United States	0.5588235294117647
RT_STRING	0x1724a8	0x62	data	English	United States	0.4897959183673469
RT_STRING	0x17250c	0x38	data	English	United States	0.625
RT_STRING	0x172544	0xaa	data	English	United States	0.6705882352941176
RT_STRING	0x1725f0	0x74	data	English	United States	0.31896551724137934
RT_STRING	0x172664	0x66	data	English	United States	0.6078431372549019
RT_STRING	0x1726cc	0x5a	data	English	United States	0.5111111111111111
RT_STRING	0x172728	0xa0	data	English	United States	0.60625
RT_STRING	0x1727c8	0x13e	data	English	United States	0.5566037735849056
RT_STRING	0x172908	0x13e	Matlab v4 mat-file (little endian) o, numeric, rows 0, columns 0	English	United States	0.5220125786163522
RT_STRING	0x172a48	0x5a	data	English	United States	0.6111111111111112
RT_STRING	0x172aa4	0x9c	data	English	United States	0.6858974358974359
RT_STRING	0x172b40	0xa6	Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0	English	United States	0.5602409638554217
RT_STRING	0x172be8	0x232	data	English	United States	0.4234875444839858
RT_STRING	0x172e1c	0x594	data	English	United States	0.3382352941176471
RT_STRING	0x1733b0	0x1a8	data	English	United States	0.5660377358490566
RT_STRING	0x173558	0x70	Matlab v4 mat-file (little endian) b, numeric, rows 0, columns 0	English	United States	0.6607142857142857
RT_STRING	0x1735c8	0x1fe	data	English	United States	0.5117647058823529
RT_STRING	0x1737c8	0xec	data	English	United States	0.5805084745762712
RT_STRING	0x1738b4	0x52	data	English	United States	0.7073170731707317
RT_STRING	0x173908	0x3e	data			0.5806451612903226
RT_STRING	0x173948	0x36	data	English	United States	0.6296296296296297
RT_STRING	0x173980	0x2f8	data			0.3355263157894737
RT_STRING	0x173c78	0x260	data			0.0805921052631579
RT_STRING	0x173ed8	0x40a	data			0.3152804642166344
RT_STRING	0x1742e4	0x27c	data			0.33176100628930816
RT_STRING	0x174560	0x2a2	data			0.4258160237388724
RT_STRING	0x174804	0xda	data			0.43119266055045874
RT_STRING	0x1748e0	0x6c	data			0.5
RT_STRING	0x17494c	0x162	data			0.4293785310734463
RT_STRING	0x174ab0	0x460	data			0.06160714285714286
RT_STRING	0x174f10	0x4e	data			0.717948717948718
RT_STRING	0x174f60	0x4c	data	English	United States	0.6842105263157895
RT_STRING	0x174fac	0xc6	data			0.41919191919191917
RT_STRING	0x175074	0x12e	data			0.3543046357615894
RT_STRING	0x1751a4	0x1f8	data			0.36706349206349204
RT_STRING	0x17539c	0xae	data			0.5689655172413793
RT_STRING	0x17544c	0x4c	data			0.6447368421052632
RT_STRING	0x175498	0xa4	data			0.6097560975609756
RT_STRING	0x17553c	0x6c	data	English	United States	0.7129629629629629
RT_STRING	0x1755a8	0x184	data			0.48711340206185566
RT_STRING	0x17572c	0x124	data			0.4897260273972603
RT_STRING	0x175850	0x130	Matlab v4 mat-file (little endian) &, numeric, rows 0, columns 0			0.5361842105263158
RT_STRING	0x175980	0x142	AmigaOS bitmap font "i", fc_YSize 24832, 16896 elements, 2nd "t", 3rd			0.4906832298136646
RT_STRING	0x175ac4	0x4ee	data			0.375594294770206
RT_STRING	0x175fb4	0x264	data			0.3333333333333333
RT_STRING	0x176218	0x2da	data			0.3698630136986301
RT_STRING	0x1764f4	0x8a	data			0.6594202898550725
RT_STRING	0x176580	0x54a	data			0.3552437223042836
RT_STRING	0x176acc	0xde	data			0.536036036036036
RT_STRING	0x176bac	0x4a8	data			0.3221476510067114
RT_STRING	0x177054	0x228	data			0.4003623188405797
RT_STRING	0x17727c	0x2c	data			0.5227272727272727
RT_STRING	0x1772a8	0x5f4	Targa image data - Color 101 x 100 x 32 +105 +108			0.3589238845144357
RT_STRING	0x17789c	0x440	data			0.3713235294117647
RT_STRING	0x177cdc	0x250	data			0.47466216216216217
RT_STRING	0x177f2c	0x53e	data			0.2965722801788376
RT_STRING	0x17846c	0x198	data			0.41911764705882354
RT_STRING	0x178604	0x162	data			0.5112994350282486
RT_STRING	0x178768	0x284	AmigaOS bitmap font "P", fc_YSize 29184, 10240 elements, 2nd "\|", 3rd "r"			0.40062111801242234
RT_STRING	0x1789ec	0x6e	AmigaOS bitmap font "r", 16896 elements, 2nd, 3rd			0.6818181818181818
RT_STRING	0x178a5c	0x46	data			0.6285714285714286
RT_STRING	0x178aa4	0x268	data			0.30844155844155846
RT_STRING	0x178d0c	0x21a	data			0.4368029739776952
RT_STRING	0x178f28	0x328	data			0.37995049504950495
RT_STRING	0x179250	0x190	data			0.485
RT_FONTDIR	0x1793e0	0xa1	data	English	United States	0.968944099378882
RT_FONT	0x179484	0x1148	TrueType Font data, 13 tables, 1st "FFTM", 14 names, Macintosh			0.5915461121157324
RT_ACCELERATOR	0x17a5cc	0x98	data	English	United States	0.7368421052631579
RT_ACCELERATOR	0x17a664	0xc0	data	English	United States	0.5572916666666666
RT_ACCELERATOR	0x17a724	0x18	data			1.2083333333333333
RT_GROUP_CURSOR	0x17a73c	0x3e	Lotus unknown worksheet or configuration, revision 0x4	English	United States	0.8225806451612904
RT_GROUP_CURSOR	0x17a77c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x17a790	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x17a7a4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a7b8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a7cc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a7e0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a7f4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a808	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a81c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a830	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a844	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a858	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a86c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a880	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a894	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a8a8	0x22	Lotus unknown worksheet or configuration, revision 0x2			1.0294117647058822
RT_GROUP_CURSOR	0x17a8cc	0x22	Lotus unknown worksheet or configuration, revision 0x2			1.0294117647058822
RT_GROUP_CURSOR	0x17a8f0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a904	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a918	0x22	Lotus unknown worksheet or configuration, revision 0x2			1.0294117647058822
RT_GROUP_CURSOR	0x17a93c	0x22	Lotus unknown worksheet or configuration, revision 0x2			1.0294117647058822
RT_GROUP_CURSOR	0x17a960	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a974	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a988	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x17a99c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a9b0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a9c4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a9d8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17a9ec	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17aa00	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17aa14	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17aa28	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17aa3c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17aa50	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x17aa64	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x17aa78	0x5a	data	English	United States	0.7777777777777778
RT_GROUP_ICON	0x17aad4	0x3e	data	English	United States	0.8870967741935484
RT_GROUP_ICON	0x17ab14	0x4c	data	English	United States	0.8421052631578947
RT_GROUP_ICON	0x17ab60	0x76	data	English	United States	0.6694915254237288
RT_GROUP_ICON	0x17abd8	0x76	data	English	United States	0.6694915254237288
RT_GROUP_ICON	0x17ac50	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x17ac64	0x3e	data	English	United States	0.8709677419354839
RT_GROUP_ICON	0x17aca4	0x14	data			1.25
RT_GROUP_ICON	0x17acb8	0x68	data			0.7884615384615384
RT_GROUP_ICON	0x17ad20	0x68	data			0.7884615384615384
RT_GROUP_ICON	0x17ad88	0x68	data			0.7980769230769231
RT_GROUP_ICON	0x17adf0	0x68	data			0.7788461538461539
RT_GROUP_ICON	0x17ae58	0x68	data			0.7980769230769231
RT_GROUP_ICON	0x17aec0	0x68	data			0.7980769230769231
RT_VERSION	0x17af28	0x2b4	data	English	United States	0.4667630057803468
None	0x17b1dc	0x16	data			1.3181818181818181
None	0x17b1f4	0x1c	data	English	United States	1.25
None	0x17b210	0x14	Targa image data 32798 x 32799 x 32 +32796 +32797 - four way interleave "!\200"	English	United States	1.3
None	0x17b224	0x1a	data	English	United States	1.2692307692307692
None	0x17b240	0x1a	data	English	United States	1.2692307692307692
None	0x17b25c	0x22	data	English	United States	1.088235294117647
None	0x17b280	0x22	data			1.1470588235294117
None	0x17b2a4	0x14	data			1.4
None	0x17b2b8	0xc	data			1.6666666666666667
None	0x17b2c4	0x16	data			1.3181818181818181

Imports

DLL	Import
KERNEL32.dll	CreateProcessW, DeleteCriticalSection, EnterCriticalSection, ExpandEnvironmentStringsW, FormatMessageA, GetCommandLineW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentVariableW, GetExitCodeProcess, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetProcAddress, GetShortPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, GetTempPathW, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, SetDllDirectoryW, SetEnvironmentVariableW, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte
msvcrt.dll	__argc, __dllonexit, __lconv_init, __set_app_type, __setusermatherr, __wargv, __wgetmainargs, __winitenv, _amsg_exit, _cexit, _findclose, _findfirst, _fileno, _findnext, _fmode, _fullpath, _get_osfhandle, _initterm, _iob, _lock, _getpid, _mkdir, _onexit, _rmdir, _setmode, _stat, _strdup, _tempnam, _unlock, _vsnprintf, _wcmdln, _wfopen, abort, calloc, clearerr, exit, fclose, feof, ferror, fflush, fprintf, fread, free, fseek, ftell, fwrite, getenv, malloc, mbstowcs, memcpy, memset, remove, setbuf, setlocale, signal, sprintf, strcat, strchr, strcmp, strcpy, strlen, strncat, strncmp, strncpy, strrchr, strtok, vfprintf, wcslen
USER32.dll	MessageBoxA
WS2_32.dll	ntohl

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 14:33:50.994556904 CET	49708	443	192.168.2.6	20.233.83.145
Dec 18, 2024 14:33:50.994604111 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:50.994712114 CET	49708	443	192.168.2.6	20.233.83.145
Dec 18, 2024 14:33:50.995337963 CET	49708	443	192.168.2.6	20.233.83.145
Dec 18, 2024 14:33:50.995352030 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:52.591790915 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:52.591871023 CET	49708	443	192.168.2.6	20.233.83.145
Dec 18, 2024 14:33:52.595398903 CET	49708	443	192.168.2.6	20.233.83.145
Dec 18, 2024 14:33:52.595411062 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:52.595685005 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:52.595882893 CET	49708	443	192.168.2.6	20.233.83.145
Dec 18, 2024 14:33:52.639354944 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:53.535603046 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:53.535686016 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:53.535764933 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:53.535816908 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:53.535854101 CET	49708	443	192.168.2.6	20.233.83.145
Dec 18, 2024 14:33:53.535882950 CET	443	49708	20.233.83.145	192.168.2.6
Dec 18, 2024 14:33:53.535921097 CET	49708	443	192.168.2.6	20.233.83.145
Dec 18, 2024 14:33:53.535921097 CET	49708	443	192.168.2.6	20.233.83.145
Dec 18, 2024 14:33:53.536413908 CET	49708	443	192.168.2.6	20.233.83.145

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 14:33:50.849088907 CET	55468	53	192.168.2.6	1.1.1.1
Dec 18, 2024 14:33:50.987406969 CET	53	55468	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 14:33:50.849088907 CET	192.168.2.6	1.1.1.1	0xdf55	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 14:33:50.987406969 CET	1.1.1.1	192.168.2.6	0xdf55	No error (0)	github.com		20.233.83.145	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

github.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49708	20.233.83.145	443	4368	C:\Users\user\Desktop\main.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:33:52 UTC	159	OUT	GET /franklenzer/0101010101/raw/main/mpc.part01.rar HTTP/1.1 Accept-Encoding: identity Host: github.com Connection: close User-Agent: Python-urllib/2.7
2024-12-18 13:33:53 UTC	473	IN	HTTP/1.1 404 Not Found Server: GitHub.com Date: Wed, 18 Dec 2024 13:33:53 GMT Content-Type: text/html; charset=utf-8 Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With Cache-Control: no-cache Strict-Transport-Security: max-age=31536000; includeSubdomains; preload X-Frame-Options: deny X-Content-Type-Options: nosniff X-XSS-Protection: 0 Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
2024-12-18 13:33:53 UTC	3389	IN	Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
2024-12-18 13:33:53 UTC	248	IN	Data Raw: 38 30 30 30 0d 0a 0a 0a 0a 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 0a 20 20 6c 61 6e 67 3d 22 65 6e 22 0a 20 20 0a 20 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 6d 6f 64 65 3d 22 61 75 74 6f 22 20 64 61 74 61 2d 6c 69 67 68 74 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 22 20 64 61 74 61 2d 64 61 72 6b 2d 74 68 65 6d 65 3d 22 64 61 72 6b 22 0a 20 20 64 61 74 61 2d 61 31 31 79 2d 61 6e 69 6d 61 74 65 64 2d 69 6d 61 67 65 73 3d 22 73 79 73 74 65 6d 22 20 64 61 74 61 2d 61 31 31 79 2d 6c 69 6e 6b 2d 75 6e 64 65 72 6c 69 6e 65 73 3d 22 74 72 75 65 22 0a 20 20 0a 20 20 3e 0a 0a 0a 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 Data Ascii: 8000<!DOCTYPE html><html lang="en" data-color-mode="auto" data-light-theme="light" data-dark-theme="dark" data-a11y-animated-images="system" data-a11y-link-underlines="true" > <head> <meta charset="utf-8"> <link r
2024-12-18 13:33:53 UTC	1370	IN	Data Raw: 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 76 61 74 61 72 73 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2d 63 6c 6f 75 64 2e 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 75 73 65 72 2d 69 6d 61 67 65 Data Ascii: el="dns-prefetch" href="https://github.githubassets.com"> <link rel="dns-prefetch" href="https://avatars.githubusercontent.com"> <link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com"> <link rel="dns-prefetch" href="https://user-image
2024-12-18 13:33:53 UTC	1370	IN	Data Raw: 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 64 61 74 61 2d 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 67 69 74 68 75 62 61 73 73 65 74 73 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 64 61 72 6b 5f 63 6f 6c 6f 72 62 6c 69 6e 64 2d 37 30 30 39 37 66 37 35 61 65 63 31 2e 63 73 73 22 20 2f 3e 3c 6c 69 6e 6b 20 64 61 74 61 2d 63 6f 6c 6f 72 2d 74 68 65 6d 65 3d 22 6c 69 67 68 74 5f 63 6f 6c 6f 72 62 6c 69 6e 64 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 64 61 74 61 2d 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 Data Ascii: ssorigin="anonymous" media="all" rel="stylesheet" data-href="https://github.githubassets.com/assets/dark_colorblind-70097f75aec1.css" /><link data-color-theme="light_colorblind" crossorigin="anonymous" media="all" rel="stylesheet" data-href="https://githu

Target ID:	0
Start time:	08:33:48
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\main.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\main.exe"
Imagebase:	0x400000
File size:	5'620'920 bytes
MD5 hash:	935DDF8C175DA8CB95FFF0870E0718FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:33:48
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\main.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\main.exe"
Imagebase:	0x400000
File size:	5'620'920 bytes
MD5 hash:	935DDF8C175DA8CB95FFF0870E0718FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.1%
Total number of Nodes:	1226
Total number of Limit Nodes:	30

Executed Functions

Function 00401910 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fseek.MSVCRT ref: 00401937
ftell.MSVCRT ref: 00401941

Part of subcall function 00401550: fseek.MSVCRT ref: 0040156C
Part of subcall function 00401550: fread.MSVCRT ref: 00401591

ntohl.WS2_32 ref: 0040196F
ntohl.WS2_32 ref: 0040197F
fseek.MSVCRT ref: 00401997
ntohl.WS2_32 ref: 004019A2
malloc.MSVCRT ref: 004019AA
ntohl.WS2_32(?,?,?,?,?,?,?,?,?,?,00401CBC,0040284B), ref: 004019C2
fread.MSVCRT ref: 004019DD
ntohl.WS2_32 ref: 004019F3
ferror.MSVCRT ref: 00401A02
fclose.MSVCRT ref: 00401A1A
fseek.MSVCRT ref: 00401A51
fread.MSVCRT ref: 00401A6F
fseek.MSVCRT ref: 00401AA3
fread.MSVCRT ref: 00401AC1
fseek.MSVCRT ref: 00401ADE
fread.MSVCRT ref: 00401B01
fseek.MSVCRT ref: 00401B3C
fread.MSVCRT ref: 00401B5A

Strings

Z, xrefs: 00401A7F
<, xrefs: 00401A92
M, xrefs: 00401A74

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: fseek$fread$ntohl$fcloseferrorftellmalloc
String ID: <$M$Z
API String ID: 1210635778-2411191596
Opcode ID: 4a1bf72df02ce091b41d225c7df38ada368d76f986c534d94f33ad46a64377fe
Instruction ID: 63e9dff835d06efa9c253b72d6fa9fbe9e8e210f0df08c9395a141b2f83197ea
Opcode Fuzzy Hash: 4a1bf72df02ce091b41d225c7df38ada368d76f986c534d94f33ad46a64377fe
Instruction Fuzzy Hash: A781F8B19087108FDB00AF29C48531ABBF0AF45354F05896EE994AB3D5E778D889CF87

Function 00401610 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ntohl.WS2_32 ref: 0040163E
fseek.MSVCRT ref: 00401656
ntohl.WS2_32 ref: 00401661
malloc.MSVCRT ref: 00401669
ntohl.WS2_32 ref: 00401684
fread.MSVCRT ref: 004016A0
fclose.MSVCRT ref: 004016BC
ntohl.WS2_32 ref: 004016DC
malloc.MSVCRT ref: 004016E4
ntohl.WS2_32 ref: 00401717
ntohl.WS2_32 ref: 0040172E
free.MSVCRT ref: 0040177E

Strings

8, xrefs: 00401737

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: ntohl$malloc$fclosefreadfreefseek
String ID: 8
API String ID: 3563950672-4194326291
Opcode ID: 27d071a7e7ed52b285afe04f28aa3bca27c4a3b08c13d708f22c650bb261ef32
Instruction ID: 41aeb47febc30618cac309c64aa81c6421efd7c50b9d6fbac4d1b3f2b222a95d
Opcode Fuzzy Hash: 27d071a7e7ed52b285afe04f28aa3bca27c4a3b08c13d708f22c650bb261ef32
Instruction Fuzzy Hash: 1D51D2B4908700CFD700BF65C58561ABBE0AF45344F05893EE8C8A7391E779E845CB8B

Function 00401179 Relevance: 16.7, APIs: 11, Instructions: 205
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00401211
SetUnhandledExceptionFilter.KERNEL32 ref: 00401292
malloc.MSVCRT ref: 00401342
malloc.MSVCRT ref: 00401383
memcpy.MSVCRT ref: 0040139F
GetStartupInfoW.KERNEL32 ref: 0040148A

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpy
String ID:
API String ID: 772431862-0
Opcode ID: dd6dcba165866b8adce3520a465e3e7c68692c583378782ddd6ef9cfcf506481
Instruction ID: c8aecaf62c9696b9110834f88a24b20446e6a75ea57b9a4d6652262331ab5fd4
Opcode Fuzzy Hash: dd6dcba165866b8adce3520a465e3e7c68692c583378782ddd6ef9cfcf506481
Instruction Fuzzy Hash: AE817CB1A043018FD710EF6AD980B9ABBF1FB54304F41853ED944AB3B1D7789846CB8A

Function 00401850 Relevance: 6.1, APIs: 4, Instructions: 58
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401610: ntohl.WS2_32 ref: 0040163E
Part of subcall function 00401610: fseek.MSVCRT ref: 00401656
Part of subcall function 00401610: ntohl.WS2_32 ref: 00401661
Part of subcall function 00401610: malloc.MSVCRT ref: 00401669
Part of subcall function 00401610: ntohl.WS2_32 ref: 00401684
Part of subcall function 00401610: fread.MSVCRT ref: 004016A0
Part of subcall function 00401610: fclose.MSVCRT ref: 004016BC

Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 004049FC
Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 00404A0F
Part of subcall function 004049D0: strtok.MSVCRT(?,?,00000000), ref: 00404A1F
Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000), ref: 00404A73
Part of subcall function 004049D0: strtok.MSVCRT(?,?,00000000), ref: 00404A87
Part of subcall function 004049D0: _mkdir.MSVCRT ref: 00404AA5

ntohl.WS2_32(?,?,?,?,?,?,004023E6), ref: 00401897
fwrite.MSVCRT ref: 004018B9
fclose.MSVCRT ref: 004018CA
free.MSVCRT ref: 004018D2

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: ntohl$strcpy$fclosestrtok$_mkdirfreadfreefseekfwritemalloc
String ID:
API String ID: 1532958511-0
Opcode ID: 0ba678467c42b7276a9b9f58baee698a193ff6bd679b52bd55292dfe46ec37f8
Instruction ID: 8df8dfa69511768c1765381bdb0415dcaef8feb7ccc1299cfd62f9c5395cf5e0
Opcode Fuzzy Hash: 0ba678467c42b7276a9b9f58baee698a193ff6bd679b52bd55292dfe46ec37f8
Instruction Fuzzy Hash: 0A114CB18087009BC3107F3A848401EBBE0AF81368F458A3EF8D8A73D1C73898559B4B

Function 00404C80 Relevance: 22.6, APIs: 15, Instructions: 101
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405210: MultiByteToWideChar.KERNEL32 ref: 00405249

signal.MSVCRT ref: 00404CCC
signal.MSVCRT ref: 00404CE0
signal.MSVCRT ref: 00404CF4
signal.MSVCRT ref: 00404D08
GetStartupInfoW.KERNEL32(00000000,?,?,00402A0F), ref: 00404D28
_fileno.MSVCRT ref: 00404D69
_get_osfhandle.MSVCRT ref: 00404D77
_fileno.MSVCRT ref: 00404D8B
_get_osfhandle.MSVCRT ref: 00404D93
_fileno.MSVCRT ref: 00404DA7
_get_osfhandle.MSVCRT ref: 00404DAF
GetCommandLineW.KERNEL32 ref: 00404DB8
CreateProcessW.KERNELBASE ref: 00404E01
WaitForSingleObject.KERNEL32 ref: 00404E3F
GetExitCodeProcess.KERNELBASE ref: 00404E57

Part of subcall function 00401E10: MessageBoxA.USER32 ref: 00401E5C

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: signal$_fileno_get_osfhandle$Process$ByteCharCodeCommandCreateExitInfoLineMessageMultiObjectSingleStartupWaitWide
String ID:
API String ID: 2917712702-0
Opcode ID: 04f97da4b6471231529615fe277737a2d960c5eeca71b3878ce8ae2f7f18ba33
Instruction ID: c039b241e3be979fe19aad14a7bb84f350d9c54bc61ae4a3153f7adda5648e3d
Opcode Fuzzy Hash: 04f97da4b6471231529615fe277737a2d960c5eeca71b3878ce8ae2f7f18ba33
Instruction Fuzzy Hash: D04183B45093409FD710AF69D54939EBBF0BF84308F418D2EE8D897391D7BA94898B87

Function 004046D0 Relevance: 12.1, APIs: 8, Instructions: 55
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,00000000,00000000,?,004047C2), ref: 004046F6

Part of subcall function 00405070: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,004051C2), ref: 004050B9

_getpid.MSVCRT ref: 0040471C
sprintf.MSVCRT ref: 00404730
_tempnam.MSVCRT ref: 0040473C
_mkdir.MSVCRT ref: 00404747
free.MSVCRT ref: 00404753
strcpy.MSVCRT ref: 00404777
free.MSVCRT ref: 0040477F

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: free$ByteCharMultiPathTempWide_getpid_mkdir_tempnamsprintfstrcpy
String ID:
API String ID: 4026032204-0
Opcode ID: 972a40e05b08f5920e33b11fd4b1195e8e184c6f1d9bc4e4429b7fe5e68ec7e8
Instruction ID: 8af45b2eb4d8999d0f30d607f7cb0d6f007660f1bfc7651df242240114390b61
Opcode Fuzzy Hash: 972a40e05b08f5920e33b11fd4b1195e8e184c6f1d9bc4e4429b7fe5e68ec7e8
Instruction Fuzzy Hash: 07113AB25083009BD311BF65D58925EBBE4EF84354F01883FF9C8A3282D7798459CB97

Function 00404800 Relevance: 10.6, APIs: 7, Instructions: 70
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.MSVCRT(00000000,00000000,?,00000000,00402A75), ref: 00404825
strlen.MSVCRT ref: 0040482D
_findfirst.MSVCRT(00000000,00000000,?,00000000,00402A75), ref: 00404869
_findnext.MSVCRT ref: 004048C7
_findclose.MSVCRT ref: 004048DB
_rmdir.MSVCRT ref: 004048EB
strlen.MSVCRT ref: 00404917

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strlen$_findclose_findfirst_findnext_rmdirstrcpy
String ID:
API String ID: 3562715594-0
Opcode ID: 2dbbbe8cf3e2b3a7e0de0e1cce5bdd052717f65bdb620466f24c1fb4e7b5b20e
Instruction ID: a9f9e793eeeb33f534e218ca316462fb85fcee30f47b237a2dfaca896a0b628e
Opcode Fuzzy Hash: 2dbbbe8cf3e2b3a7e0de0e1cce5bdd052717f65bdb620466f24c1fb4e7b5b20e
Instruction Fuzzy Hash: D5216BB56087448BC720BF3AD48469FB7E5FF85310F50893EE588D3381DA3998558B8B

Function 0040A620 Relevance: 9.2, APIs: 6, Instructions: 158
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_stat.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00404ABC,?), ref: 0040A645
strlen.MSVCRT ref: 0040A6A7
malloc.MSVCRT ref: 0040A6ED
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00404ABC,?), ref: 0040A702
_stat.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00404ABC,?), ref: 0040A717
free.MSVCRT ref: 0040A729

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: _stat$freemallocmemcpystrlen
String ID:
API String ID: 2821670080-0
Opcode ID: 90f5734936ac426298cd35e1001e69113a45d7aed77e4f3ef29410a2590a8f47
Instruction ID: 2a6783eb98c8a97f91c7dab9c1c018cf784cb8e0381fd108a659056ea1bb8cf7
Opcode Fuzzy Hash: 90f5734936ac426298cd35e1001e69113a45d7aed77e4f3ef29410a2590a8f47
Instruction Fuzzy Hash: 95516D715083458FD720DE288081767BBF1AB55354F58893BE8D8A73C1D33ED8A69B4B

Function 004048FC Relevance: 7.5, APIs: 5, Instructions: 43
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_findfirst.MSVCRT(00000000,00000000,?,00000000,00402A75), ref: 00404869
_findnext.MSVCRT ref: 004048C7
_findclose.MSVCRT ref: 004048DB
_rmdir.MSVCRT ref: 004048EB
strlen.MSVCRT ref: 00404917

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: _findclose_findfirst_findnext_rmdirstrlen
String ID:
API String ID: 4076562980-0
Opcode ID: 5db3324efa8d5a59e1ac116cce6dfcb7576e815c89ee10725f153e3bacf499f5
Instruction ID: 2720cdc07daff6db77de306d3cf3bc652a8836d630f878814009698f8ee34e24
Opcode Fuzzy Hash: 5db3324efa8d5a59e1ac116cce6dfcb7576e815c89ee10725f153e3bacf499f5
Instruction Fuzzy Hash: B4115BB96087408BC720AF39D48819EB7E1FF84310F108D3EE588D3381DA3998558B4A

Function 00401550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fseek.MSVCRT ref: 0040156C
fread.MSVCRT ref: 00401591

Strings

X, xrefs: 00401582

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: freadfseek
String ID: X
API String ID: 612888758-3081909835
Opcode ID: 18d448d26b348c4c421f6481d275da3b867e41667ed67bb33ab50c020d7620e3
Instruction ID: 63b23579973b0fc2a8c848cc11070a24b4d4b75e095fd3bb4bfadd2259f2d151
Opcode Fuzzy Hash: 18d448d26b348c4c421f6481d275da3b867e41667ed67bb33ab50c020d7620e3
Instruction Fuzzy Hash: 53F0C2716043119BDB006F6DD88425B7BE4EF80364F40CA6EE894DB3C5E639C4448B82

Function 00404899 Relevance: 4.5, APIs: 3, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_findnext.MSVCRT ref: 004048C7
_findclose.MSVCRT ref: 004048DB
_rmdir.MSVCRT ref: 004048EB

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: _findclose_findnext_rmdir
String ID:
API String ID: 3230100040-0
Opcode ID: b1e7f838138ec92de27dd9e376b12120053d0fba011f4529915d580854f68d29
Instruction ID: a666bf544f04f59834d01d7671ffd54f1655e2cb5a606e467f6e0f9155e4d243
Opcode Fuzzy Hash: b1e7f838138ec92de27dd9e376b12120053d0fba011f4529915d580854f68d29
Instruction Fuzzy Hash: D2F012B57047008BC720AF75E48429FB7E1BFC9310F51483DE588D3340D63998658A86

Function 00404930 Relevance: 3.0, APIs: 2, Instructions: 43
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcat.MSVCRT ref: 0040497D
remove.MSVCRT ref: 0040498C

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: removestrcat
String ID:
API String ID: 2811761235-0
Opcode ID: 17891d87391b937335652f71d208cf03c7e94b2e2630af4a6de93be5c06651c0
Instruction ID: c1634100a14a06ff154aef6d3f48bf18f800374bae873a542931504996a5b4e7
Opcode Fuzzy Hash: 17891d87391b937335652f71d208cf03c7e94b2e2630af4a6de93be5c06651c0
Instruction Fuzzy Hash: B6F0C8F2A0820857D3203E76658136BB6946BC1318F99457FAF49773C2D33D4C0543AB

Function 00404E29 Relevance: 3.0, APIs: 2, Instructions: 18
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 00404E3F
GetExitCodeProcess.KERNELBASE ref: 00404E57

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: CodeExitObjectProcessSingleWait
String ID:
API String ID: 1680577353-0
Opcode ID: a5f30db53a6ebf0e1f1dba67a9f2935eafc66dd49288b968f977358a6abb89f5
Instruction ID: 5b9c685faab18bc8a349c6b0566d76161fa5a1757068f5bb72ade2368f94402b
Opcode Fuzzy Hash: a5f30db53a6ebf0e1f1dba67a9f2935eafc66dd49288b968f977358a6abb89f5
Instruction Fuzzy Hash: 04E0E5355197008FC710EF6CE84824DFBF0EB84311F408A3EF8A4C3250D2319449CB46

Function 0040A76C Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_stat.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00404ABC,?), ref: 0040A645

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: _stat
String ID:
API String ID: 2107477818-0
Opcode ID: ab5b2011f0a72c431d9ae8a0e2ad9cabacf84a19eec302708ed945d48b774fb4
Instruction ID: 423eb16645b140ea1387a62674fe805d0ca2e753bba939399faaedd52ee62fd0
Opcode Fuzzy Hash: ab5b2011f0a72c431d9ae8a0e2ad9cabacf84a19eec302708ed945d48b774fb4
Instruction Fuzzy Hash: 9711BAB5A057159FC750CF2DC080656FBF0BB48314F448A2AE8D8E3740D335E9A69F86

Function 00402E70 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405210: MultiByteToWideChar.KERNEL32 ref: 00405249

_wfopen.MSVCRT ref: 00402EBD

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: ByteCharMultiWide_wfopen
String ID:
API String ID: 372205238-0
Opcode ID: e52c21d214796629a240c51fb7b60e75d21fb52d549f7b961c803426c5818c4c
Instruction ID: 74126713ab80da84faf4757f36691f79a295a803dc0f7ed3549fcb3a874f13b0
Opcode Fuzzy Hash: e52c21d214796629a240c51fb7b60e75d21fb52d549f7b961c803426c5818c4c
Instruction Fuzzy Hash: 0CF0F2B04093019BC710BF64E58828BBBE0EF84744F008C6EE4C893240C2389589CF86

Non-executed Functions

Function 00402ED0 Relevance: 74.1, APIs: 49, Instructions: 562libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00402EEF
GetProcAddress.KERNEL32 ref: 00402F0C
GetProcAddress.KERNEL32 ref: 00402F29
GetProcAddress.KERNEL32 ref: 00402F46
GetProcAddress.KERNEL32 ref: 00402F63
GetProcAddress.KERNEL32 ref: 00402F80
GetProcAddress.KERNEL32 ref: 00402F9D
GetProcAddress.KERNEL32 ref: 00402FBA
GetProcAddress.KERNEL32 ref: 00402FD7
GetProcAddress.KERNEL32 ref: 00402FF4
GetProcAddress.KERNEL32 ref: 00403011
GetProcAddress.KERNEL32 ref: 0040302E
GetProcAddress.KERNEL32 ref: 0040304B
GetProcAddress.KERNEL32 ref: 00403068
GetProcAddress.KERNEL32 ref: 00403085
GetProcAddress.KERNEL32 ref: 004030AB
GetProcAddress.KERNEL32 ref: 004030C8
GetProcAddress.KERNEL32 ref: 004030E5
GetProcAddress.KERNEL32 ref: 00403102
GetProcAddress.KERNEL32 ref: 0040311F
GetProcAddress.KERNEL32 ref: 0040313C
GetProcAddress.KERNEL32 ref: 00403159
GetProcAddress.KERNEL32 ref: 00403176
GetProcAddress.KERNEL32 ref: 00403193
GetProcAddress.KERNEL32 ref: 004031B0
GetProcAddress.KERNEL32 ref: 004031CD
GetProcAddress.KERNEL32 ref: 004031EA
GetProcAddress.KERNEL32 ref: 00403207
GetProcAddress.KERNEL32 ref: 00403224
GetProcAddress.KERNEL32 ref: 00403241
GetProcAddress.KERNEL32 ref: 0040325E
GetProcAddress.KERNEL32 ref: 0040327B
GetProcAddress.KERNEL32 ref: 00403298
GetProcAddress.KERNEL32 ref: 004032B5
GetProcAddress.KERNEL32 ref: 004032DB
GetProcAddress.KERNEL32 ref: 004032F8
GetProcAddress.KERNEL32 ref: 00403315
GetProcAddress.KERNEL32 ref: 00403332
GetProcAddress.KERNEL32 ref: 0040334F
GetProcAddress.KERNEL32 ref: 0040336C
GetProcAddress.KERNEL32 ref: 0040339B
GetProcAddress.KERNEL32 ref: 004033CB
GetProcAddress.KERNEL32 ref: 004033E8
GetProcAddress.KERNEL32 ref: 0040341B
GetProcAddress.KERNEL32 ref: 00403441
GetProcAddress.KERNEL32 ref: 0040345E
GetProcAddress.KERNEL32 ref: 0040347B
GetProcAddress.KERNEL32 ref: 004034A1

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 6229fbc5233439c47c8b67c81c86e0bf8ca63511389802b2367917b425b38900
Instruction ID: 9e7fcc73262e20b42b639f672265d991016f4d6e573a491f5b49d059b41d6497
Opcode Fuzzy Hash: 6229fbc5233439c47c8b67c81c86e0bf8ca63511389802b2367917b425b38900
Instruction Fuzzy Hash: C12219B0408600CAC7107F799A8122E7EE4AA44766F118B3FE8E4A72D0DB7C9555DB9F

Function 004052F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00405210: MultiByteToWideChar.KERNEL32 ref: 00405249

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00002068,00000000,00000000,004026E0), ref: 0040531C
GetProcAddress.KERNEL32 ref: 00405338
GetProcAddress.KERNEL32 ref: 0040534A
free.MSVCRT ref: 00405395

Strings

, xrefs: 0040536F

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryLoadMultiWidefree
String ID:
API String ID: 2285496191-3916222277
Opcode ID: 2ac8f77ed49929fa662af1c337a87eee209ea6daacdb08c566386e2e1e4db84b
Instruction ID: f7fa3d31de41ebfc25f04b6bfa2f7641fe892b4ca97745c4cd34cacb2e0a35f9
Opcode Fuzzy Hash: 2ac8f77ed49929fa662af1c337a87eee209ea6daacdb08c566386e2e1e4db84b
Instruction Fuzzy Hash: 422162B15147004BD710BFB9E94824FBBE0EB80358F014E3EE99497390E7B994498B8A

Function 00409F10 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00409F48
GetCurrentProcessId.KERNEL32 ref: 00409F59
GetCurrentThreadId.KERNEL32 ref: 00409F61
GetTickCount.KERNEL32 ref: 00409F6A
QueryPerformanceCounter.KERNEL32 ref: 00409F79

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: bf07b027104416ae5e153ab52a2392b0606540b33cc6aaa1f377dc49a5b247e6
Instruction ID: 753706d0f2432ae2e52699c1b63fcbad426ce9513c65138fb8e1d97fcb4c84e2
Opcode Fuzzy Hash: bf07b027104416ae5e153ab52a2392b0606540b33cc6aaa1f377dc49a5b247e6
Instruction Fuzzy Hash: 5B11167AD012188BCF10AFA8E9482CEFBB4FB0C664F454176E915F7210DB3569198BD9

Function 00409FBC Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040A00F
UnhandledExceptionFilter.KERNEL32 ref: 0040A01F
GetCurrentProcess.KERNEL32 ref: 0040A028
TerminateProcess.KERNEL32 ref: 0040A039
abort.MSVCRT ref: 0040A042

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 32597a08885f00a5d96f52d968800da127951a2effd2a68d820def550ef04dbf
Instruction ID: 908e5fe2e4d4b4f9fd135d1aae07c580cbffd01a49a55d17d848d4be7f730e2e
Opcode Fuzzy Hash: 32597a08885f00a5d96f52d968800da127951a2effd2a68d820def550ef04dbf
Instruction Fuzzy Hash: 6F0196B8905308DFD700EFAAE948299BBF4BB04304F018539E95997220E77594458F4A

Function 00409FC0 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040A00F
UnhandledExceptionFilter.KERNEL32 ref: 0040A01F
GetCurrentProcess.KERNEL32 ref: 0040A028
TerminateProcess.KERNEL32 ref: 0040A039
abort.MSVCRT ref: 0040A042

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: cfe80107bd9ea8fc3025abd89124e695585fe244c5293105b08e45eba9f73a9a
Instruction ID: b20f870d5eea2d1b28bc474f0d21cf6229e8d97dce3512df4533b4e671bbbf1c
Opcode Fuzzy Hash: cfe80107bd9ea8fc3025abd89124e695585fe244c5293105b08e45eba9f73a9a
Instruction Fuzzy Hash: 1E01A4B8905308DFD700EFAAEA48289BBF4BB04304F01853AE95997320E77994498F4A

Function 00404170 Relevance: 6.1, APIs: 4, Instructions: 129stringCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 004041BB
strlen.MSVCRT ref: 004041CB

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: freestrlen
String ID:
API String ID: 322734593-0
Opcode ID: 8f7503a9e546433cb4419c4cb9a77774b34f1f97c41043beffb785841530b2c9
Instruction ID: 13ef81bd32d2d37f53a87a5a2f43fe793e1eca721c993885f661f54c21999dda
Opcode Fuzzy Hash: 8f7503a9e546433cb4419c4cb9a77774b34f1f97c41043beffb785841530b2c9
Instruction Fuzzy Hash: A35116B59087018BC700AF75D54825EBBE0EF88350F01CA3EE999E7390DB78D995CB5A

Function 00404E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405155), ref: 00404E73
FormatMessageA.KERNEL32 ref: 00404EB4

Strings

FormatMessage failed., xrefs: 00404EBD

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID: FormatMessage failed.
API String ID: 3479602957-2374551320
Opcode ID: e3e88c1ca8d9d908ac7fb40ebe42d6c5ba71c6a0b71db535dbf4255836295caf
Instruction ID: 95bcd40d16130ee153334ec2c51760062741ad72a3ca2a6fd624054d12426a6e
Opcode Fuzzy Hash: e3e88c1ca8d9d908ac7fb40ebe42d6c5ba71c6a0b71db535dbf4255836295caf
Instruction Fuzzy Hash: 69F045B45083018FD300EF69C55934BBBE0BF88349F40C96DE8989B254D3B9864A8F97

Function 00404380 Relevance: 4.6, APIs: 3, Instructions: 83stringCOMMON

Download Yara Rule

APIs

ntohl.WS2_32(00000000,?,00000000,004044F8), ref: 0040439A
free.MSVCRT ref: 004043EE
strlen.MSVCRT ref: 004043F8

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: freentohlstrlen
String ID:
API String ID: 2640735475-0
Opcode ID: 984e9ade652589232d31f43c82da606c20372c5aa59593a5c6ba2251645aef03
Instruction ID: bd494f12bd0fd589b41595198eaed635d65b3c603cc781ed69caae3811d7099d
Opcode Fuzzy Hash: 984e9ade652589232d31f43c82da606c20372c5aa59593a5c6ba2251645aef03
Instruction Fuzzy Hash: 8F3108B59083009BC300AFA9D98825EBFE0EF88354F558A7EE588E7391D778C4548B5B

Function 00403B40 Relevance: 4.5, APIs: 3, Instructions: 47stringCOMMON

Download Yara Rule

APIs

ntohl.WS2_32(?,00002068,00000000,00402710), ref: 00403B5C
strcpy.MSVCRT ref: 00403B8C

Part of subcall function 00402B60: strlen.MSVCRT ref: 00402BA5
Part of subcall function 00402B60: strncpy.MSVCRT ref: 00402BB5
Part of subcall function 00402B60: strlen.MSVCRT ref: 00402BBD
Part of subcall function 00402B60: strlen.MSVCRT ref: 00402BD5
Part of subcall function 00402B60: strcat.MSVCRT(?,?,?,00002068,00000000,00000000,004026D6), ref: 00402BE8

Part of subcall function 00404C10: LoadLibraryExW.KERNEL32 ref: 00404C46
Part of subcall function 00404C10: free.MSVCRT ref: 00404C54

GetLastError.KERNEL32 ref: 00403BC7

Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402EEF
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F0C
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F29
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F46
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F63
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F80
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F9D
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402FBA
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402FD7
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402FF4
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00403011
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 0040302E
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 0040304B

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: AddressProc$strlen$ErrorLastLibraryLoadfreentohlstrcatstrcpystrncpy
String ID:
API String ID: 3735295752-0
Opcode ID: a30c35a5edf63183ab236df58a91212f74bb6424d3fe14319b4dfa0906cd0897
Instruction ID: 57b9e7d5ebf3f48e0d16ea0a8e11f40bd3117facce84cc2d1a1fa162a79011ac
Opcode Fuzzy Hash: a30c35a5edf63183ab236df58a91212f74bb6424d3fe14319b4dfa0906cd0897
Instruction Fuzzy Hash: 7F1118B18093009FC310AF29D58519EBBE4EF84754F41893EF895D3292E6789588CB96

Function 00403BE9 Relevance: 4.5, APIs: 3, Instructions: 42COMMON

Download Yara Rule

APIs

ntohl.WS2_32 ref: 00403C0C
sprintf.MSVCRT ref: 00403C2A
GetModuleHandleA.KERNEL32 ref: 00403C32

Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402EEF
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F0C
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F29
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F46
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F63
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F80
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402F9D
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402FBA
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402FD7
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00402FF4
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 00403011
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 0040302E
Part of subcall function 00402ED0: GetProcAddress.KERNEL32 ref: 0040304B

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: AddressProc$HandleModulentohlsprintf
String ID:
API String ID: 485294236-0
Opcode ID: da0ca28235d9975a42174c135f958a5bfb2cd23306347b21fa1a4d0000fd98ea
Instruction ID: a48ebef88de88412cc269be28994e2eeeddfe05877bd30aac89bcfcaf0afdd3b
Opcode Fuzzy Hash: da0ca28235d9975a42174c135f958a5bfb2cd23306347b21fa1a4d0000fd98ea
Instruction Fuzzy Hash: 570152B25093408FD320BF38E98429EBBF4FB84344F01493EE8C497345D77894848B86

Function 004042F7 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 004042ED

Part of subcall function 00401E10: MessageBoxA.USER32 ref: 00401E5C

ntohl.WS2_32 ref: 00404300

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: Messagefreentohl
String ID:
API String ID: 4271883244-0
Opcode ID: 05a5d8637a678731937d9435b33a18cd99650de25d466b888777b7839d4be945
Instruction ID: fec6499228cd980bc1a5bd415eb7bde3f067a76568abea53337277d3fabf13d9
Opcode Fuzzy Hash: 05a5d8637a678731937d9435b33a18cd99650de25d466b888777b7839d4be945
Instruction Fuzzy Hash: 372126B19087058FC710AF76D94429FBBE0AF84350F01CA3EE999E7290DB38D845CB5A

Function 004064D2 Relevance: 1.6, APIs: 1, Instructions: 334COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040697A

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8599f5733cdf4118adf48b927d8b0d50b415f89ccb17bc7ecaac003ed1edccb4
Instruction ID: 41342daca16726e54e0c13df0eb99482f4fd97d254f91c000b7e421b5de1af0f
Opcode Fuzzy Hash: 8599f5733cdf4118adf48b927d8b0d50b415f89ccb17bc7ecaac003ed1edccb4
Instruction Fuzzy Hash: C4D13E71A083118FC714CF19C58061BB7E1BF88704F168A6EE999AB392D739ED51CF86

Function 004015D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

ntohl.WS2_32(?,?,00000000,?,0040235F), ref: 004015E2

Part of subcall function 00401E10: MessageBoxA.USER32 ref: 00401E5C

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: Messagentohl
String ID:
API String ID: 1113028865-0
Opcode ID: 5df4d1036d3baa0035b21599ecfa5809bfa3fa36da580a73d4d0fe4b2b6eab6c
Instruction ID: 18c8b82ecdf5668f8979df22beb8225e375ab4ca3fbc107856349d94857a2061
Opcode Fuzzy Hash: 5df4d1036d3baa0035b21599ecfa5809bfa3fa36da580a73d4d0fe4b2b6eab6c
Instruction Fuzzy Hash: 19E046B14042108FCB00BB28E9C584BBBE0BB04318F064A7DE88AA7315D234F898CB96

Function 00401CE9 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

ntohl.WS2_32 ref: 00401CFD

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: ntohl
String ID:
API String ID: 2933279035-0
Opcode ID: bc879bc03d858c4d7b65980463d4abb7f901037eee2ac8277e74bc6cb836b6d3
Instruction ID: e07d720f56c77245dbdbaf1b73df6dcd8410e71af28e3b67d1106041cb90f460
Opcode Fuzzy Hash: bc879bc03d858c4d7b65980463d4abb7f901037eee2ac8277e74bc6cb836b6d3
Instruction Fuzzy Hash: A6E012766041048FC700EF68C9C574AB7F1BB48200F954668ED8997305D234E9558B82

Function 00401D1C Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

ntohl.WS2_32 ref: 00401D2D

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: ntohl
String ID:
API String ID: 2933279035-0
Opcode ID: cd8d9ea744651efaafd7bcc0cfbc5bc49d461f17787117c5a25c736b0ec4b300
Instruction ID: cf9c9d715a8f012fde126e83e9f9d89cf767587d5d9a9d3cf59019e7f3215ee8
Opcode Fuzzy Hash: cd8d9ea744651efaafd7bcc0cfbc5bc49d461f17787117c5a25c736b0ec4b300
Instruction Fuzzy Hash: 72C012B68006008FC700FF7CC64941A7BF0BB08200F820AACEC8993311E634E6188F83

Function 00406595 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5260375c8d0483fd7771c9a0b86c142595593206cf1c75b8b376e18bb4858f2c
Instruction ID: 056b8a74b8deec84d76fcfe71442ec8fc86901b0a6ed04b709976002280c5927
Opcode Fuzzy Hash: 5260375c8d0483fd7771c9a0b86c142595593206cf1c75b8b376e18bb4858f2c
Instruction Fuzzy Hash: FB126875A083108FC314CF29C58062ABBF1BB89704F15897EE8999B391E779ED45CF86

Function 00408710 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00afe832e94b3227e72132b73478f51711c63fee430121d58c3df34d01806d39
Instruction ID: f263875ed641db833459d2d31a96348c8e74d65fbe7152a36a6fe40729ff5df7
Opcode Fuzzy Hash: 00afe832e94b3227e72132b73478f51711c63fee430121d58c3df34d01806d39
Instruction Fuzzy Hash: 1C71D235124121CFD310DF6BED8453673E2B7C9300B498E3AD680A73A9D634F826DBA4

Function 00408769 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580bc4f04b9f05c7fb5bb8fc7dfca4deea774db62f23c7425ee650edbd58eca4
Instruction ID: 5b482d0d85de398615bf0be6c1f1b94ce347ec6920f5dfcbc48908df107c0240
Opcode Fuzzy Hash: 580bc4f04b9f05c7fb5bb8fc7dfca4deea774db62f23c7425ee650edbd58eca4
Instruction Fuzzy Hash: 5D619E35524125CFD310DF6BED8453673E3B7C9301B4A8E2AD680A736AD235B826DBA4

Function 00403DE0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 180stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00403E5A
strncpy.MSVCRT ref: 00403E6E
free.MSVCRT ref: 00403F37
strlen.MSVCRT ref: 00403F50
strncpy.MSVCRT ref: 00403F64
strlen.MSVCRT ref: 00403FE0
strncat.MSVCRT ref: 00403FF4

Strings

base, xrefs: 00403FB1
.zip, xrefs: 00403FCF
rary, xrefs: 00403FC5
_lib, xrefs: 00403FBB

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strlen$strncpy$freestrncat
String ID: .zip$_lib$base$rary
API String ID: 536656556-23906921
Opcode ID: f2e278f87ce012b6d9b4be3befbb68824989871af049ce91ad2e29cbc1d6b51a
Instruction ID: 14274933dd56787fdb82c6a91d81d47f866d2d9f51aee60e5476c2917c75af4e
Opcode Fuzzy Hash: f2e278f87ce012b6d9b4be3befbb68824989871af049ce91ad2e29cbc1d6b51a
Instruction Fuzzy Hash: FE7148B05083019AD700BF65C54526ABAE4AF84345F04CA7EE9D8AB3D1DB7C8885CB9F

Function 00403930 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

pyi-, xrefs: 004039CF

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID:
String ID: pyi-
API String ID: 0-3770392772
Opcode ID: 3991ea21385366fad50a3174c8101d38cc614240c90f5204e2e8c51596cf13b5
Instruction ID: de32975ff2c34a0d384c2c2b91ec4d8f43b36af93b0298a640d216871d4c163f
Opcode Fuzzy Hash: 3991ea21385366fad50a3174c8101d38cc614240c90f5204e2e8c51596cf13b5
Instruction Fuzzy Hash: 1B513CF46083048FD710DF29D98475ABBE4BB48305F01897AE8859B3E2D3B8D995CF5A

Function 00401F40 Relevance: 16.5, APIs: 13, Instructions: 220stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,?,?,?,?,004023FF), ref: 00401F73
strtok.MSVCRT(?,?,?,?,?), ref: 00401F83
strcpy.MSVCRT(?,?,?,?,?), ref: 00401F8F
strtok.MSVCRT(?,?,?,?,?), ref: 00401FA3
strcpy.MSVCRT(?,?,?,?,?), ref: 00401FAF

Part of subcall function 00402A90: strlen.MSVCRT ref: 00402AA0
Part of subcall function 00402A90: strncpy.MSVCRT ref: 00402AB3
Part of subcall function 00402A90: strlen.MSVCRT ref: 00402ABB
Part of subcall function 00402A90: strrchr.MSVCRT ref: 00402AD2

malloc.MSVCRT ref: 0040222B
strcpy.MSVCRT ref: 0040224C
strcpy.MSVCRT ref: 0040226A
strcpy.MSVCRT ref: 00402282

Part of subcall function 00404B00: feof.MSVCRT ref: 00404B63
Part of subcall function 00404B00: fread.MSVCRT ref: 00404B87
Part of subcall function 00404B00: fwrite.MSVCRT ref: 00404BA8
Part of subcall function 00404B00: ferror.MSVCRT ref: 00404BB0
Part of subcall function 00404B00: clearerr.MSVCRT(?,?,?,00402048), ref: 00404BC1
Part of subcall function 00404B00: fclose.MSVCRT ref: 00404BC9
Part of subcall function 00404B00: fclose.MSVCRT ref: 00404BD1

free.MSVCRT ref: 004022DD

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strcpy$fclosestrlenstrtok$clearerrfeofferrorfreadfreefwritemallocstrncpystrrchr
String ID:
API String ID: 3828028293-0
Opcode ID: a77b4d8c847c3ce1b0c902bc234ff4f196e9ef69af6165add1aca0c96433bb30
Instruction ID: a4d73d656237814dcd04340808e77ce35a8a995e884b39acc9a19a7b3963f51e
Opcode Fuzzy Hash: a77b4d8c847c3ce1b0c902bc234ff4f196e9ef69af6165add1aca0c96433bb30
Instruction Fuzzy Hash: 1FA114B1408701DAC710AF25C58815EFBE4BF84354F018A2FF598AB391E7B89599DF8B

Function 00402780 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 187stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 0040279F

Part of subcall function 00402D90: GetModuleFileNameW.KERNEL32(00000000,004027CE), ref: 00402DB4

Part of subcall function 00402E40: strcpy.MSVCRT(004027E1), ref: 00402E53
Part of subcall function 00402E40: strlen.MSVCRT ref: 00402E5B

Part of subcall function 00404560: GetEnvironmentVariableW.KERNEL32(00000000,004027F9), ref: 0040459F

Part of subcall function 00404680: SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00409EFD), ref: 004046AE
Part of subcall function 00404680: free.MSVCRT ref: 004046BC

SetDllDirectoryW.KERNEL32 ref: 00402892
free.MSVCRT ref: 0040289E
strcmp.MSVCRT ref: 004028AA

Strings

x@, xrefs: 00402790

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: EnvironmentVariablefree$DirectoryFileModuleNamecallocstrcmpstrcpystrlen
String ID: x@
API String ID: 3249012681-3504578705
Opcode ID: 93a21116db041d76872c1f2ea1ac2c97b3888d0437c3630c2af1652b54957dad
Instruction ID: e104b7bf5c1657f9fcfcb026d7b3760e70e9bc9fefb3156e1469a83aead3bb76
Opcode Fuzzy Hash: 93a21116db041d76872c1f2ea1ac2c97b3888d0437c3630c2af1652b54957dad
Instruction Fuzzy Hash: AF714FB19097008BD710BF65C58925EBBE4EF80744F05897EE8C4A72D1DBBC9585CB4B

Function 00402B60 Relevance: 15.1, APIs: 10, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00402BA5
strncpy.MSVCRT ref: 00402BB5
strlen.MSVCRT ref: 00402BBD
strlen.MSVCRT ref: 00402BD5
strcat.MSVCRT(?,?,?,00002068,00000000,00000000,004026D6), ref: 00402BE8
strlen.MSVCRT ref: 00402C23
strlen.MSVCRT ref: 00402C2D
malloc.MSVCRT ref: 00402C39
memset.MSVCRT ref: 00402C53

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strlen$mallocmemsetstrcatstrncpy
String ID:
API String ID: 2372556553-0
Opcode ID: b1f1849f05ce0ff8bacceced4ea5584e092206f6b527d9f258b2ddc6be8f817e
Instruction ID: 4e5b45eb7927c94f1d22b83f789647f1df1ceb98ced22de3d3d6df2cb3644ce9
Opcode Fuzzy Hash: b1f1849f05ce0ff8bacceced4ea5584e092206f6b527d9f258b2ddc6be8f817e
Instruction Fuzzy Hash: AB2171B16187409FD710BF29C58932EBBE0EF84344F058C7EE889573C2C67994558B57

Function 00404B00 Relevance: 13.6, APIs: 9, Instructions: 69fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00402E70: _wfopen.MSVCRT ref: 00402EBD

Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 004049FC
Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 00404A0F
Part of subcall function 004049D0: strtok.MSVCRT(?,?,00000000), ref: 00404A1F
Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000), ref: 00404A73
Part of subcall function 004049D0: strtok.MSVCRT(?,?,00000000), ref: 00404A87
Part of subcall function 004049D0: _mkdir.MSVCRT ref: 00404AA5

feof.MSVCRT ref: 00404B63
fread.MSVCRT ref: 00404B87
fwrite.MSVCRT ref: 00404BA8
ferror.MSVCRT ref: 00404BB0
clearerr.MSVCRT(?,?,?,00402048), ref: 00404BC1
fclose.MSVCRT ref: 00404BC9
fclose.MSVCRT ref: 00404BD1
ferror.MSVCRT ref: 00404BE5
clearerr.MSVCRT(?,?,?,00402048), ref: 00404BFA

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strcpy$clearerrfcloseferrorstrtok$_mkdir_wfopenfeoffreadfwrite
String ID:
API String ID: 1950404359-0
Opcode ID: 93bd33223e85fb11a146f5b896dace3b7b8c76cb97467dca7c93416fcf14d850
Instruction ID: 26d6a4cf61ebdb6355e6ceb81002ce2c87545b0f6dcfc6701eb30fc9d8599a57
Opcode Fuzzy Hash: 93bd33223e85fb11a146f5b896dace3b7b8c76cb97467dca7c93416fcf14d850
Instruction Fuzzy Hash: FD21FFB15087409BD310BF36848525FB7E4AF84364F068A3EE9D4A73C1D77C98958B4B

Function 00403A2C Relevance: 13.5, APIs: 9, Instructions: 47COMMON

Download Yara Rule

APIs

_fileno.MSVCRT ref: 00403A44
_setmode.MSVCRT ref: 00403A5A
_fileno.MSVCRT ref: 00403A67
_setmode.MSVCRT ref: 00403A77
fflush.MSVCRT ref: 00403A84
fflush.MSVCRT ref: 00403A94
setbuf.MSVCRT ref: 00403AA9
setbuf.MSVCRT ref: 00403AC1
setbuf.MSVCRT ref: 00403AD9

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: setbuf$_fileno_setmodefflush
String ID:
API String ID: 1650367497-0
Opcode ID: 89f21892b56f0ebe04f8f4ab3193396831d21f4360e53e8cf01e6c508885f887
Instruction ID: cc43520b513ba5077f312cde79b293d2698d7df8d1e11f86a6c566b79f11c99e
Opcode Fuzzy Hash: 89f21892b56f0ebe04f8f4ab3193396831d21f4360e53e8cf01e6c508885f887
Instruction Fuzzy Hash: EB1166F66047048BD710AF75E88565AB7E0BB44309F428C3EF8D89B352D638D8598B4A

Function 00403C81 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00403CAE
_strdup.MSVCRT ref: 00403CB6
malloc.MSVCRT ref: 00403CD5
setlocale.MSVCRT ref: 00403CF5
free.MSVCRT ref: 00403D29
setlocale.MSVCRT ref: 00403D6B
free.MSVCRT ref: 00403D73

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: setlocale$free$_strdupmalloc
String ID:
API String ID: 622151147-0
Opcode ID: 2216b20451d62f20745c34c0079e0d5653cb042771b455d446aaf0d876c1dfda
Instruction ID: 68c60b90b3b600dc1113df833d63427205b546dfef12d4db0e67074f200f9145
Opcode Fuzzy Hash: 2216b20451d62f20745c34c0079e0d5653cb042771b455d446aaf0d876c1dfda
Instruction Fuzzy Hash: 8021F6B19083018FD700BF65D54532EBFE4AF84359F058C3EE9C8A7291E37D99558B8A

Function 004097C0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 004097FB
signal.MSVCRT ref: 00409852
signal.MSVCRT ref: 0040989D
signal.MSVCRT ref: 004098C5

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 532ee5b54350ce70bdd1106a76f6d06ddd669e1cbb891edb7e2e0f643126e5aa
Instruction ID: 9d308533a8223dfef7a89781035b754c20cf20f4fabe4e2d4f00fdb0abfba49e
Opcode Fuzzy Hash: 532ee5b54350ce70bdd1106a76f6d06ddd669e1cbb891edb7e2e0f643126e5aa
Instruction Fuzzy Hash: A82153B25142009AE710BFA5C5403AF7694AB46354F12CC2BD594AB3C3C77D8C84879B

Function 004049D0 Relevance: 9.1, APIs: 6, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 004049FC
strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 00404A0F
strtok.MSVCRT(?,?,00000000), ref: 00404A1F
strcpy.MSVCRT(?,?,00000000), ref: 00404A73
strtok.MSVCRT(?,?,00000000), ref: 00404A87
_mkdir.MSVCRT ref: 00404AA5

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strcpy$strtok$_mkdir
String ID:
API String ID: 282790443-0
Opcode ID: 7974ecabf02546f031a8d0c50aa10801c90b2676b543c811c044bd71695961ef
Instruction ID: bc7f6ab74147c8da80bf5d81ea8fc10b92e5ddafd3e107eff54335975dc46d33
Opcode Fuzzy Hash: 7974ecabf02546f031a8d0c50aa10801c90b2676b543c811c044bd71695961ef
Instruction Fuzzy Hash: 482150B16497018BD700AF6AC58526EF7E4EF84304F45883FE6C4A7285E77C944A9B8B

Function 00402CAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57stringCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00402CC7
strncpy.MSVCRT ref: 00402D00
strchr.MSVCRT ref: 00402D33
strncpy.MSVCRT ref: 00402D4D

Strings

;, xrefs: 00402D28

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strncpy$getenvstrchr
String ID: ;
API String ID: 3873711002-1661535913
Opcode ID: ce95854b577eb0fc7b5acb80eaf0a36448d1a3075479a920298e83c55b719eb2
Instruction ID: 87c5bb83796384b620ac70d2af4799a21704787c12b47bdc202f2420c99d8292
Opcode Fuzzy Hash: ce95854b577eb0fc7b5acb80eaf0a36448d1a3075479a920298e83c55b719eb2
Instruction Fuzzy Hash: B411FEB15083419BD310AF39C58829EBBE4EF84784F11882EF5C8E7281D3BD99819B47

Function 00402A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00402AA0
strncpy.MSVCRT ref: 00402AB3
strlen.MSVCRT ref: 00402ABB
strrchr.MSVCRT ref: 00402AD2

Strings

\, xrefs: 00402AC7

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strlen$strncpystrrchr
String ID: \
API String ID: 4057206489-2967466578
Opcode ID: 3821e1f33afa086847be12ccc8347bff2b393beb44a30b85bb316eb0e4ebce14
Instruction ID: 0e2399b5ff7e40ea0bbb02d0b353f885c60a2e8f14f7b0118b964a3f0aa896c3
Opcode Fuzzy Hash: 3821e1f33afa086847be12ccc8347bff2b393beb44a30b85bb316eb0e4ebce14
Instruction Fuzzy Hash: 40F031F25087908EDB117F29998530ABFD0AF55308F0A48AEE4851B383D6B98441DB67

Function 00404FC0 Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNEL32 ref: 00404FE6
malloc.MSVCRT ref: 00405017
GetShortPathNameW.KERNEL32 ref: 00405029
free.MSVCRT ref: 00405035

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: NamePathShort$freemalloc
String ID:
API String ID: 859375759-0
Opcode ID: b5d1cb79c11bea7cdbeeebb9fa79e8f7d26d2ea5a9617e2b28465e8aa5917cd8
Instruction ID: 3beaf80c49d4d74242e0349f6237524424644aeea3499a333aa3f78d0f17a321
Opcode Fuzzy Hash: b5d1cb79c11bea7cdbeeebb9fa79e8f7d26d2ea5a9617e2b28465e8aa5917cd8
Instruction Fuzzy Hash: 56011BB15087058FC700BF76D48925FBBE4EF84358F05883EEA8897241E73998558BDB

Function 00404ED0 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00404F1C
wcslen.MSVCRT ref: 00404F2A
malloc.MSVCRT ref: 00404F35
WideCharToMultiByte.KERNEL32 ref: 00404F6F

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: ByteCharMultiWide$mallocwcslen
String ID:
API String ID: 173459892-0
Opcode ID: 40e82204155d44d6ccb6382534266779ee53d7cab2275232043852edb5f21bc9
Instruction ID: 9744097a12f8b822ab610269ec99efc9aea7c821b864e54a547139bda5badfde
Opcode Fuzzy Hash: 40e82204155d44d6ccb6382534266779ee53d7cab2275232043852edb5f21bc9
Instruction Fuzzy Hash: 2321F7B15083019FD300EF66D48431BBBE4AB84368F01893EE9985B2C1D7B985498BD7

Function 004096E0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 00409705
__dllonexit.MSVCRT ref: 00409743
_unlock.MSVCRT ref: 00409773
_onexit.MSVCRT ref: 00409787

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: __dllonexit_lock_onexit_unlock
String ID:
API String ID: 209411981-0
Opcode ID: e72dbf5e36769850f66dedf14dbdfcd0cf83797c3aff72795d0b5d1688932a61
Instruction ID: 94322562d448f61ab5e389db5415b64235926ac514306a4d16e9030116057e7b
Opcode Fuzzy Hash: e72dbf5e36769850f66dedf14dbdfcd0cf83797c3aff72795d0b5d1688932a61
Instruction Fuzzy Hash: C91183F49197018FC700EF76D48555EBBE0AB98314F818D3EF8D497392E63998948B86

Function 00402CDC Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 00402D00

Part of subcall function 00402B60: strlen.MSVCRT ref: 00402BA5
Part of subcall function 00402B60: strncpy.MSVCRT ref: 00402BB5
Part of subcall function 00402B60: strlen.MSVCRT ref: 00402BBD
Part of subcall function 00402B60: strlen.MSVCRT ref: 00402BD5
Part of subcall function 00402B60: strcat.MSVCRT(?,?,?,00002068,00000000,00000000,004026D6), ref: 00402BE8

strchr.MSVCRT ref: 00402D33
strncpy.MSVCRT ref: 00402D4D

Strings

;, xrefs: 00402D28

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strlenstrncpy$strcatstrchr
String ID: ;
API String ID: 1837988602-1661535913
Opcode ID: 8fc9b7576c0a419203d23bf9b58d9aab0d32351923dc3836b5ccfaade7827991
Instruction ID: cafbc012400062e9836ad638cb34517f3ac44faff61307575af338ded75cce7e
Opcode Fuzzy Hash: 8fc9b7576c0a419203d23bf9b58d9aab0d32351923dc3836b5ccfaade7827991
Instruction Fuzzy Hash: EB11DEB16083419FD710AF69C1C429EBBE0EF84784F008C2EF5C8D7341D3B999818B46

Function 00402B00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00402B18
strrchr.MSVCRT ref: 00402B4B

Strings

/, xrefs: 00402B40

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strrchr
String ID: /
API String ID: 3418686817-2043925204
Opcode ID: 0cfd4f32b849586b70a7353986d77b0206b4deb400bbcf53468c15147e581287
Instruction ID: d17ca4ae87394f5675dde1efdaccee299bc168ef5c4884823c421eedceabe6da
Opcode Fuzzy Hash: 0cfd4f32b849586b70a7353986d77b0206b4deb400bbcf53468c15147e581287
Instruction Fuzzy Hash: C8E039B04083008BD300AF158A8855BFBF4BF48348F45497EA98927382D379D908CB6B

Function 0040A160 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040A187
free.MSVCRT ref: 0040A1D1
LeaveCriticalSection.KERNEL32 ref: 0040A1DD

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 27de6c540a5b32b140bfe52988ff2264b0743fa1c65192d6c79474fe29240fe2
Instruction ID: 205ad730fa9d849b6dcd85aca9a8edb478e236a23f6659a9e29df5da5504daa6
Opcode Fuzzy Hash: 27de6c540a5b32b140bfe52988ff2264b0743fa1c65192d6c79474fe29240fe2
Instruction Fuzzy Hash: 79015B747002028FD700EF79D98545ABBE0BB64304B988A7AE845DB351E738EC95CB4B

Function 0040A050 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040A060
TlsGetValue.KERNEL32 ref: 0040A085
GetLastError.KERNEL32 ref: 0040A090
LeaveCriticalSection.KERNEL32 ref: 0040A0B0

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: deaaa24b9fa4b4d1e7b522dcaef3998b3bbfd73c4541e91bdd6be517b23479c5
Instruction ID: 1d3ce6b71eab003d7cf42bd7384e75d6cbe8db24f84eea3f059a5883f4db0426
Opcode Fuzzy Hash: deaaa24b9fa4b4d1e7b522dcaef3998b3bbfd73c4541e91bdd6be517b23479c5
Instruction Fuzzy Hash: 08F0DC7A5007048BCB00BFBAE94828ABBF4FB94310F454539DC9893310D739A829CACB

Function 00401C20 Relevance: 5.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,?,?,00401CB0,0040284B), ref: 00401C38
strcat.MSVCRT(?,?,?,00401CB0,0040284B), ref: 00401C54
strcpy.MSVCRT(?,?,?,00401CB0,0040284B), ref: 00401C60
strcpy.MSVCRT ref: 00401C76

Memory Dump Source

Source File: 00000000.00000002.2197352833.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2197333160.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197377968.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197398164.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2197417997.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_main.jbxd

Similarity

API ID: strcpy$strcat
String ID:
API String ID: 3927648046-0
Opcode ID: 6c814ddd8a824b4bd2636785863bacbba6574ce59f97f3a803a5a9257da0b1bd
Instruction ID: 9c2cac98e7d877e8ae7db83d823dbc52851c1e70b87a1bb4017c5684ab7af4db
Opcode Fuzzy Hash: 6c814ddd8a824b4bd2636785863bacbba6574ce59f97f3a803a5a9257da0b1bd
Instruction Fuzzy Hash: 7FF01DB28193109BD700BF29D98114EBBE8EF84758F41896EF8C867346C3749556CB97

Analysis Process: main.exePID: 4368, Parent PID: 1080COMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9%
Total number of Nodes:	1106
Total number of Limit Nodes:	117

Executed Functions

Function 6CF072A0 Relevance: 140.6, APIs: 51, Strings: 29, Instructions: 589
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.DLL,7AEC0E1A,00000001,?,00000000), ref: 6CF072F2
LoadLibraryA.KERNEL32(KERNEL32.DLL,?,00000000), ref: 6CF072FF
LoadLibraryA.KERNELBASE(NETAPI32.DLL,?,00000000), ref: 6CF0730E
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 6CF07340
GetProcAddress.KERNELBASE(00000000,NetApiBufferFree), ref: 6CF0734E
NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?,?,00000000), ref: 6CF07382
NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?,?,00000000), ref: 6CF073CB
FreeLibrary.KERNELBASE(00000000,?,00000000), ref: 6CF07404
GetProcAddress.KERNEL32(00000000,CryptAcquireContextW), ref: 6CF0741F
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 6CF0742D
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 6CF0743B
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 6CF07540
GetVersion.KERNEL32(?,00000000), ref: 6CF07546
LoadLibraryA.KERNEL32(USER32.DLL,?,00000000), ref: 6CF07565
GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 6CF0757B
GetProcAddress.KERNEL32(00000000,GetCursorInfo), ref: 6CF07589
GetProcAddress.KERNEL32(00000000,GetQueueStatus), ref: 6CF07597
GetVersion.KERNEL32(?,00000000), ref: 6CF075D6
GetVersion.KERNEL32(?,00000000), ref: 6CF075E3
FreeLibrary.KERNEL32(00000000,?,00000000), ref: 6CF07667
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 6CF07685
GetProcAddress.KERNEL32(00000000,CloseToolhelp32Snapshot), ref: 6CF0768F
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 6CF0769D
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 6CF076AB
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 6CF076B9
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 6CF076C7
GetProcAddress.KERNEL32(00000000,Process32First), ref: 6CF076D5
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 6CF076E3
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 6CF076F1
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 6CF076FF
GetProcAddress.KERNEL32(00000000,Module32First), ref: 6CF0770D
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 6CF0771B
CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,?,00000000), ref: 6CF077AC
GetTickCount.KERNEL32 ref: 6CF077EF
Heap32ListFirst.KERNEL32(?,00000010,?,00000000), ref: 6CF07805
Heap32First.KERNEL32(00000024,?,?), ref: 6CF0789D
Heap32Next.KERNEL32(00000024), ref: 6CF078DB
GetTickCount.KERNEL32 ref: 6CF078EE
Heap32ListNext.KERNEL32(?,00000010), ref: 6CF07942
GetTickCount.KERNEL32 ref: 6CF07955
GetTickCount.KERNEL32 ref: 6CF07984
Process32First.KERNEL32(?,00000128,?,00000000), ref: 6CF07994
GetTickCount.KERNEL32 ref: 6CF079E9
GetTickCount.KERNEL32 ref: 6CF07A11
GetTickCount.KERNEL32 ref: 6CF07A80
GetTickCount.KERNEL32 ref: 6CF07AA4

Strings

Heap32ListFirst, xrefs: 6CF076B3
ADVAPI32.DLL, xrefs: 6CF072E7
Heap32First, xrefs: 6CF07697
NetStatisticsGet, xrefs: 6CF0733A
KERNEL32.DLL, xrefs: 6CF072FA
LanmanWorkstation, xrefs: 6CF0737B
NetApiBufferFree, xrefs: 6CF07348
CryptReleaseContext, xrefs: 6CF07435
Thread32First, xrefs: 6CF076EB
Heap32ListNext, xrefs: 6CF076C1
Heap32Next, xrefs: 6CF076A5
GetQueueStatus, xrefs: 6CF07591
Intel Hardware Cryptographic Service Provider, xrefs: 6CF074D2
GetCursorInfo, xrefs: 6CF07583
CryptGenRandom, xrefs: 6CF07427
USER32.DLL, xrefs: 6CF07560
Process32Next, xrefs: 6CF076DD
CryptAcquireContextW, xrefs: 6CF07413
$, xrefs: 6CF0787E
LanmanServer, xrefs: 6CF073C4
CloseToolhelp32Snapshot, xrefs: 6CF07689
Module32Next, xrefs: 6CF07715
NETAPI32.DLL, xrefs: 6CF07309
Process32First, xrefs: 6CF076CF
*, xrefs: 6CF07813
Module32First, xrefs: 6CF07707
CreateToolhelp32Snapshot, xrefs: 6CF0767F
GetForegroundWindow, xrefs: 6CF07575
Thread32Next, xrefs: 6CF076F9

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: AddressProc$CountTick$Library$Heap32Load$FirstFreeVersion$ListNextStatistics$CreateProcess32SnapshotToolhelp32
String ID: $$*$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
API String ID: 622057041-688639677
Opcode ID: b029ace5a0f9eb2274816ab46e62cdc5a1d9eecbfdda3c93e7fc77c86b80d57d
Instruction ID: 8e9c2729d1df2fb28e799666647505148d62c3b3374587e93f4ea14287251017
Opcode Fuzzy Hash: b029ace5a0f9eb2274816ab46e62cdc5a1d9eecbfdda3c93e7fc77c86b80d57d
Instruction Fuzzy Hash: C83280B1E11329DBEB629F64CC94BAEB7BCFB04708F1055DAE608A2580DB744B84CF55

Function 00401910 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fseek.MSVCRT ref: 00401937
ftell.MSVCRT ref: 00401941

Part of subcall function 00401550: fseek.MSVCRT ref: 0040156C
Part of subcall function 00401550: fread.MSVCRT ref: 00401591

ntohl.WS2_32 ref: 0040196F
ntohl.WS2_32 ref: 0040197F
fseek.MSVCRT ref: 00401997
ntohl.WS2_32 ref: 004019A2
malloc.MSVCRT ref: 004019AA
ntohl.WS2_32(?,?,?,?,?,?,?,?,?,?,00401CBC,0040284B), ref: 004019C2
fread.MSVCRT ref: 004019DD
ntohl.WS2_32 ref: 004019F3
ferror.MSVCRT ref: 00401A02
fclose.MSVCRT ref: 00401A1A
fseek.MSVCRT ref: 00401A51
fread.MSVCRT ref: 00401A6F
fseek.MSVCRT ref: 00401AA3
fread.MSVCRT ref: 00401AC1
fseek.MSVCRT ref: 00401ADE
fread.MSVCRT ref: 00401B01
fseek.MSVCRT ref: 00401B3C
fread.MSVCRT ref: 00401B5A

Strings

<, xrefs: 00401A92
Z, xrefs: 00401A7F
M, xrefs: 00401A74

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: fseek$fread$ntohl$fcloseferrorftellmalloc
String ID: <$M$Z
API String ID: 1210635778-2411191596
Opcode ID: 22c94d8cbfd2c8a756679ede75317217de67614fe7dbd657829fe7cd87c47316
Instruction ID: 63e9dff835d06efa9c253b72d6fa9fbe9e8e210f0df08c9395a141b2f83197ea
Opcode Fuzzy Hash: 22c94d8cbfd2c8a756679ede75317217de67614fe7dbd657829fe7cd87c47316
Instruction Fuzzy Hash: A781F8B19087108FDB00AF29C48531ABBF0AF45354F05896EE994AB3D5E778D889CF87

Function 00401610 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ntohl.WS2_32 ref: 0040163E
fseek.MSVCRT ref: 00401656
ntohl.WS2_32 ref: 00401661
malloc.MSVCRT ref: 00401669
ntohl.WS2_32 ref: 00401684
fread.MSVCRT ref: 004016A0
fclose.MSVCRT ref: 004016BC
ntohl.WS2_32 ref: 004016DC
malloc.MSVCRT ref: 004016E4
ntohl.WS2_32 ref: 00401717
ntohl.WS2_32 ref: 0040172E
free.MSVCRT ref: 0040177E

Strings

8, xrefs: 00401737

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: ntohl$malloc$fclosefreadfreefseek
String ID: 8
API String ID: 3563950672-4194326291
Opcode ID: 71c987e3ab84fa5ae62887f41dbef14642ab441643ae0335d389b5b4044012b5
Instruction ID: 41aeb47febc30618cac309c64aa81c6421efd7c50b9d6fbac4d1b3f2b222a95d
Opcode Fuzzy Hash: 71c987e3ab84fa5ae62887f41dbef14642ab441643ae0335d389b5b4044012b5
Instruction Fuzzy Hash: 1D51D2B4908700CFD700BF65C58561ABBE0AF45344F05893EE8C8A7391E779E845CB8B

Function 00401179 Relevance: 16.7, APIs: 11, Instructions: 205
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00401211
SetUnhandledExceptionFilter.KERNEL32 ref: 00401292
malloc.MSVCRT ref: 00401342
malloc.MSVCRT ref: 00401383
memcpy.MSVCRT ref: 0040139F
GetStartupInfoW.KERNEL32 ref: 0040148A

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpy
String ID:
API String ID: 772431862-0
Opcode ID: 19d6fbc226cdd4db3d11f52ab5f5630fc0c68800101226e4b1f4ca7a7eef5a3a
Instruction ID: c8aecaf62c9696b9110834f88a24b20446e6a75ea57b9a4d6652262331ab5fd4
Opcode Fuzzy Hash: 19d6fbc226cdd4db3d11f52ab5f5630fc0c68800101226e4b1f4ca7a7eef5a3a
Instruction Fuzzy Hash: AE817CB1A043018FD710EF6AD980B9ABBF1FB54304F41853ED944AB3B1D7789846CB8A

Function 6CEDE870 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 465
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\rand\md_rand.c, xrefs: 6CEDE8F4, 6CEDE910, 6CEDE967, 6CEDEAB2, 6CEDECF9, 6CEDED8D, 6CEDEDC1, 6CEDEE1B
ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 6CEDEDF5
...................., xrefs: 6CEDE9FA
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html, xrefs: 6CEDEDD2
gfff, xrefs: 6CEDE8C9
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\digest.c, xrefs: 6CEDEDFF

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: ....................$C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\digest.c$C:\build27\cpython\externals\openssl-1.0.2t\crypto\rand\md_rand.c$You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html$ctx->digest->md_size <= EVP_MAX_MD_SIZE$gfff
API String ID: 0-2963164398
Opcode ID: 124b665820e06b934e628a982245ac4ce4074a465cb64cb69657eccb41eca836
Instruction ID: d6775d1cdf902167b3496179c584c009e5cd983053a856be7b226da431cdf88b
Opcode Fuzzy Hash: 124b665820e06b934e628a982245ac4ce4074a465cb64cb69657eccb41eca836
Instruction Fuzzy Hash: 1EF103306097419FD704CFA5D885B9AB7F0AB85708F25492CF9A9C7781D7B1E80ACBC2

Function 6CF7CA70 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 445COMMON

Download Yara Rule

APIs

_time64.MSVCR90 ref: 6CF7CB76
memcpy.MSVCR90(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CF7CD37

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s23_clnt.c, xrefs: 6CF7CBE4
, xrefs: 6CF7CB6B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: _time64memcpy
String ID: $C:\build27\cpython\externals\openssl-1.0.2t\ssl\s23_clnt.c
API String ID: 1622878224-1811189137
Opcode ID: 9f8f2ad9349fc6236f7a91a9e7738b211675f2f4f428edfc352957cc9c5eef1c
Instruction ID: 3f0db605ee445dca452f8262e8fcc782a0bf4db06aaa596574496679441d482e
Opcode Fuzzy Hash: 9f8f2ad9349fc6236f7a91a9e7738b211675f2f4f428edfc352957cc9c5eef1c
Instruction Fuzzy Hash: D4F14771E042418BEB24DF6CD8807DEBBB5AF45308F2881AED849AB782D375D945C7B1

Function 6CF7B050 Relevance: 5.2, APIs: 1, Strings: 2, Instructions: 665COMMON

Download Yara Rule

Strings

SSL alert number , xrefs: 6CF7B7BF
C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_pkt.c, xrefs: 6CF7B0AD, 6CF7B188, 6CF7B798, 6CF7B8FA

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_pkt.c$SSL alert number
API String ID: 0-2580806745
Opcode ID: f3994f7c77f95eeb4ad651edc1823efcc729a1d2d46a9e579cd4c3a5360e1290
Instruction ID: 0de88746d1c0d20510b423c68ab25a759c13c010a87da0d59b8667f34cda2467
Opcode Fuzzy Hash: f3994f7c77f95eeb4ad651edc1823efcc729a1d2d46a9e579cd4c3a5360e1290
Instruction Fuzzy Hash: 5C32E2706047458FE720CF15E884BABB3B1EF46318F144A7FD95A8BE91C771A885CBA1

Function 6CF983A0 Relevance: 4.5, APIs: 3, Instructions: 38networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 6CF983AF
recv.WS2_32(?,?,?,00000000), ref: 6CF983C3
WSAGetLastError.WS2_32 ref: 6CF983DA

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 8f3c23e2ed589bbef6a72fac62923e71b51809a565dd33da6f5e15d03c6c203e
Instruction ID: bf7093a31b027e0f6a6c48e4f62d6b92479e447b30f498094953bb8c041860fc
Opcode Fuzzy Hash: 8f3c23e2ed589bbef6a72fac62923e71b51809a565dd33da6f5e15d03c6c203e
Instruction Fuzzy Hash: 4CF09632A12611A7FE214A669808E9B7738EB05335F310712FC21E7690C731E94486E5

Function 6CEC6770 Relevance: 357.7, APIs: 106, Strings: 98, Instructions: 707
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyType_Ready.PYTHON27(6D00E8B8), ref: 6CEC6782
PyType_Ready.PYTHON27(6D00E2D0), ref: 6CEC6794
Py_InitModule4.PYTHON27(_ssl,6D00F0E0,Implementation module for SSL socket operations. See the socket modulefor documentation.,00000000,000003F5), ref: 6CEC67B7
PyModule_GetDict.PYTHON27(00000000), ref: 6CEC67CB

Part of subcall function 6CEC1000: PyCapsule_Import.PYTHON27(_socket.CAPI,00000001,6CEC67DC), ref: 6CEC1007

Part of subcall function 6CEDCA10: getenv.MSVCR90 ref: 6CEDCA33
Part of subcall function 6CEDCA10: sscanf.MSVCR90 ref: 6CEDCA5D
Part of subcall function 6CEDCA10: strtoul.MSVCR90 ref: 6CEDCA6D
Part of subcall function 6CEDCA10: strchr.MSVCR90 ref: 6CEDCAC6
Part of subcall function 6CEDCA10: strtoul.MSVCR90 ref: 6CEDCAE7

Part of subcall function 6CEC6640: PyMem_Malloc.PYTHON27(000000A4,?,00000000,6CEC6807), ref: 6CEC665E
Part of subcall function 6CEC6640: PyErr_NoMemory.PYTHON27(6CEC6807), ref: 6CEC6670

PyErr_NewExceptionWithDoc.PYTHON27(ssl.SSLError,An error occurred in the SSL implementation.,028AF968,00000000), ref: 6CEC6828
PyErr_NewExceptionWithDoc.PYTHON27(ssl.SSLZeroReturnError,SSL/TLS session closed cleanly.,00000000,00000000), ref: 6CEC6850
PyErr_NewExceptionWithDoc.PYTHON27(ssl.SSLWantReadError,Non-blocking SSL socket needs to read more databefore the requested operation can be completed.,028CB208,00000000), ref: 6CEC686A
PyErr_NewExceptionWithDoc.PYTHON27(ssl.SSLWantWriteError,Non-blocking SSL socket needs to write more databefore the requested operation can be completed.,028CB208,00000000), ref: 6CEC6884
PyErr_NewExceptionWithDoc.PYTHON27(ssl.SSLSyscallError,System error when attempting SSL operation.,028CB208,00000000), ref: 6CEC689D
PyErr_NewExceptionWithDoc.PYTHON27(ssl.SSLEOFError,SSL/TLS connection terminated abruptly.,028CB208,00000000), ref: 6CEC68BA
PyDict_SetItemString.PYTHON27(?,SSLError,028CB208), ref: 6CEC692E
PyDict_SetItemString.PYTHON27(?,SSLZeroReturnError,028CB3E0), ref: 6CEC6947
PyDict_SetItemString.PYTHON27(?,SSLWantReadError,028CB5B8), ref: 6CEC6961
PyDict_SetItemString.PYTHON27(?,SSLWantWriteError,028CB790), ref: 6CEC697B
PyDict_SetItemString.PYTHON27(?,SSLSyscallError,028CB968), ref: 6CEC6994
PyDict_SetItemString.PYTHON27(?,SSLEOFError,028CBB40), ref: 6CEC69AE
PyDict_SetItemString.PYTHON27(?,_SSLContext,6D00E8B8), ref: 6CEC69C6
PyDict_SetItemString.PYTHON27(?,_SSLSocket,6D00E2D0), ref: 6CEC69DE
PyModule_AddIntConstant.PYTHON27(00000000,SSL_ERROR_ZERO_RETURN,00000006), ref: 6CEC69F9
PyModule_AddIntConstant.PYTHON27(00000000,SSL_ERROR_WANT_READ,00000002), ref: 6CEC6A03
PyModule_AddIntConstant.PYTHON27(00000000,SSL_ERROR_WANT_WRITE,00000003), ref: 6CEC6A0D
PyModule_AddIntConstant.PYTHON27(00000000,SSL_ERROR_WANT_X509_LOOKUP,00000004), ref: 6CEC6A17
PyModule_AddIntConstant.PYTHON27(00000000,SSL_ERROR_SYSCALL,00000005), ref: 6CEC6A21
PyModule_AddIntConstant.PYTHON27(00000000,SSL_ERROR_SSL,00000001), ref: 6CEC6A2B
PyModule_AddIntConstant.PYTHON27(00000000,SSL_ERROR_WANT_CONNECT,00000007), ref: 6CEC6A38
PyModule_AddIntConstant.PYTHON27(00000000,SSL_ERROR_EOF,00000008), ref: 6CEC6A42
PyModule_AddIntConstant.PYTHON27(00000000,SSL_ERROR_INVALID_ERROR_CODE,0000000A), ref: 6CEC6A4C
PyModule_AddIntConstant.PYTHON27(00000000,CERT_NONE,00000000), ref: 6CEC6A56
PyModule_AddIntConstant.PYTHON27(00000000,CERT_OPTIONAL,00000001), ref: 6CEC6A60
PyModule_AddIntConstant.PYTHON27(00000000,CERT_REQUIRED,00000002), ref: 6CEC6A6A
PyModule_AddIntConstant.PYTHON27(00000000,VERIFY_DEFAULT,00000000), ref: 6CEC6A77
PyModule_AddIntConstant.PYTHON27(00000000,VERIFY_CRL_CHECK_LEAF,00000004), ref: 6CEC6A81
PyModule_AddIntConstant.PYTHON27(00000000,VERIFY_CRL_CHECK_CHAIN,0000000C), ref: 6CEC6A8B
PyModule_AddIntConstant.PYTHON27(00000000,VERIFY_X509_STRICT,00000020), ref: 6CEC6A95
PyModule_AddIntConstant.PYTHON27(00000000,VERIFY_X509_TRUSTED_FIRST,00008000), ref: 6CEC6AA2
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_CLOSE_NOTIFY,00000000), ref: 6CEC6AAC
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_UNEXPECTED_MESSAGE,0000000A), ref: 6CEC6AB9
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_BAD_RECORD_MAC,00000014), ref: 6CEC6AC3
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_RECORD_OVERFLOW,00000016), ref: 6CEC6ACD
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_DECOMPRESSION_FAILURE,0000001E), ref: 6CEC6AD7
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_HANDSHAKE_FAILURE,00000028), ref: 6CEC6AE1
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_BAD_CERTIFICATE,0000002A), ref: 6CEC6AEB
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE,0000002B), ref: 6CEC6AF8
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_CERTIFICATE_REVOKED,0000002C), ref: 6CEC6B02
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_CERTIFICATE_EXPIRED,0000002D), ref: 6CEC6B0C
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN,0000002E), ref: 6CEC6B16
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_ILLEGAL_PARAMETER,0000002F), ref: 6CEC6B20
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_UNKNOWN_CA,00000030), ref: 6CEC6B2A
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_ACCESS_DENIED,00000031), ref: 6CEC6B37
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_DECODE_ERROR,00000032), ref: 6CEC6B41
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_DECRYPT_ERROR,00000033), ref: 6CEC6B4B
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_PROTOCOL_VERSION,00000046), ref: 6CEC6B55
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_INSUFFICIENT_SECURITY,00000047), ref: 6CEC6B5F
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_INTERNAL_ERROR,00000050), ref: 6CEC6B69
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_USER_CANCELLED,0000005A), ref: 6CEC6B76
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_NO_RENEGOTIATION,00000064), ref: 6CEC6B80
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION,0000006E), ref: 6CEC6B8A
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE,0000006F), ref: 6CEC6B94
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_UNRECOGNIZED_NAME,00000070), ref: 6CEC6B9E
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE,00000071), ref: 6CEC6BA8
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE,00000072), ref: 6CEC6BB5
PyModule_AddIntConstant.PYTHON27(00000000,ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY,00000073), ref: 6CEC6BBF
PyModule_AddIntConstant.PYTHON27(00000000,PROTOCOL_SSLv3,00000001), ref: 6CEC6BC9
PyModule_AddIntConstant.PYTHON27(00000000,PROTOCOL_SSLv23,00000002), ref: 6CEC6BD3
PyModule_AddIntConstant.PYTHON27(00000000,PROTOCOL_TLS,00000002), ref: 6CEC6BDD
PyModule_AddIntConstant.PYTHON27(00000000,PROTOCOL_TLSv1,00000003), ref: 6CEC6BE7
PyModule_AddIntConstant.PYTHON27(00000000,PROTOCOL_TLSv1_1,00000004), ref: 6CEC6BF4
PyModule_AddIntConstant.PYTHON27(00000000,PROTOCOL_TLSv1_2,00000005), ref: 6CEC6BFE
PyModule_AddIntConstant.PYTHON27(00000000,OP_ALL,800003FF), ref: 6CEC6C0B
PyModule_AddIntConstant.PYTHON27(00000000,OP_NO_SSLv2,01000000), ref: 6CEC6C18
PyModule_AddIntConstant.PYTHON27(00000000,OP_NO_SSLv3,02000000), ref: 6CEC6C25
PyModule_AddIntConstant.PYTHON27(00000000,OP_NO_TLSv1,04000000), ref: 6CEC6C32
PyModule_AddIntConstant.PYTHON27(00000000,OP_NO_TLSv1_1,10000000), ref: 6CEC6C42
PyModule_AddIntConstant.PYTHON27(00000000,OP_NO_TLSv1_2,08000000), ref: 6CEC6C4F
PyModule_AddIntConstant.PYTHON27(00000000,OP_NO_TLSv1_3,00000000), ref: 6CEC6C59
PyModule_AddIntConstant.PYTHON27(00000000,OP_CIPHER_SERVER_PREFERENCE,00400000), ref: 6CEC6C66
PyModule_AddIntConstant.PYTHON27(00000000,OP_SINGLE_DH_USE,00100000), ref: 6CEC6C73
PyModule_AddIntConstant.PYTHON27(00000000,OP_SINGLE_ECDH_USE,00080000), ref: 6CEC6C80
PyModule_AddIntConstant.PYTHON27(00000000,OP_NO_COMPRESSION,00020000), ref: 6CEC6C90
PyModule_AddObject.PYTHON27(00000000,HAS_SNI,6D3864BD), ref: 6CEC6CA6
PyModule_AddObject.PYTHON27(00000000,HAS_TLS_UNIQUE,6D3864BD), ref: 6CEC6CB6
PyModule_AddObject.PYTHON27(00000000,HAS_ECDH,6D3864BD), ref: 6CEC6CC6
PyModule_AddObject.PYTHON27(00000000,HAS_NPN,6D3864BD), ref: 6CEC6CD6
PyModule_AddObject.PYTHON27(00000000,HAS_ALPN,6D3864BD), ref: 6CEC6CE6
PyModule_AddObject.PYTHON27(00000000,HAS_TLSv1_3,6D3863ED), ref: 6CEC6CF9
PyDict_New.PYTHON27 ref: 6CEC6D04
PyDict_New.PYTHON27 ref: 6CEC6D0B
PyUnicodeUCS2_FromString.PYTHON27(00000000), ref: 6CEC6D46
_Py_BuildValue_SizeT.PYTHON27(6CFC4B68,00000009,00000064), ref: 6CEC6D5E
PyDict_SetItem.PYTHON27(028C78A0,00000000,00000000), ref: 6CEC6D82
PyDict_SetItem.PYTHON27(028C7C90,00000000,?), ref: 6CEC6D9F
PyModule_AddObject.PYTHON27(00000000,err_codes_to_names,028C78A0), ref: 6CEC6DFA
PyModule_AddObject.PYTHON27(00000000,err_names_to_codes,028C7C90), ref: 6CEC6E13
PyDict_New.PYTHON27 ref: 6CEC6E20
PyLong_FromLong.PYTHON27(00000009), ref: 6CEC6E4A
PyUnicodeUCS2_FromString.PYTHON27 ref: 6CEC6E58
PyDict_SetItem.PYTHON27(028C7D20,00000000,00000000), ref: 6CEC6E7D
PyModule_AddObject.PYTHON27(00000000,lib_codes_to_names,00000000), ref: 6CEC6ECD
PyLong_FromUnsignedLong.PYTHON27(1000214F), ref: 6CEC6EDF
PyModule_AddObject.PYTHON27(00000000,OPENSSL_VERSION_NUMBER,00000000), ref: 6CEC6EF7
_Py_BuildValue_SizeT.PYTHON27(IIIII,?,?,?,?,6D00C8C8,?,?,?,?), ref: 6CEC6F40
PyModule_AddObject.PYTHON27(00000000,OPENSSL_VERSION_INFO,00000000), ref: 6CEC6F50
PyString_FromString.PYTHON27(OpenSSL 1.0.2t 10 Sep 2019), ref: 6CEC6F5E
PyModule_AddObject.PYTHON27(00000000,OPENSSL_VERSION,00000000), ref: 6CEC6F72
_Py_BuildValue_SizeT.PYTHON27(IIIII,?,?,?,?,6D00C8C8,?,?,?,?), ref: 6CEC6FB1
PyModule_AddObject.PYTHON27(00000000,_OPENSSL_API_VERSION,00000000), ref: 6CEC6FC1

Strings

HAS_ALPN, xrefs: 6CEC6CE0
HAS_NPN, xrefs: 6CEC6CD0
_SSLSocket, xrefs: 6CEC69D8
SSLSyscallError, xrefs: 6CEC698E
OP_NO_TLSv1_3, xrefs: 6CEC6C53
ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION, xrefs: 6CEC6B84
PROTOCOL_SSLv3, xrefs: 6CEC6BC3
SSL_ERROR_ZERO_RETURN, xrefs: 6CEC69F3
Non-blocking SSL socket needs to read more databefore the requested operation can be completed., xrefs: 6CEC685B
OPENSSL_VERSION_INFO, xrefs: 6CEC6F4A
ALERT_DESCRIPTION_HANDSHAKE_FAILURE, xrefs: 6CEC6ADB
OPENSSL_VERSION, xrefs: 6CEC6F6C
PROTOCOL_SSLv23, xrefs: 6CEC6BCD
OP_SINGLE_ECDH_USE, xrefs: 6CEC6C7A
lib_codes_to_names, xrefs: 6CEC6EC7
SSLWantWriteError, xrefs: 6CEC6975
ALERT_DESCRIPTION_INTERNAL_ERROR, xrefs: 6CEC6B63
OP_NO_SSLv2, xrefs: 6CEC6C12
An error occurred in the SSL implementation., xrefs: 6CEC681E
Non-blocking SSL socket needs to write more databefore the requested operation can be completed., xrefs: 6CEC6875
ssl.SSLWantReadError, xrefs: 6CEC6860
ALERT_DESCRIPTION_UNRECOGNIZED_NAME, xrefs: 6CEC6B98
ALERT_DESCRIPTION_BAD_CERTIFICATE, xrefs: 6CEC6AE5
ALERT_DESCRIPTION_UNEXPECTED_MESSAGE, xrefs: 6CEC6AB3
CERT_OPTIONAL, xrefs: 6CEC6A5A
ALERT_DESCRIPTION_UNKNOWN_CA, xrefs: 6CEC6B24
ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN, xrefs: 6CEC6B10
OP_CIPHER_SERVER_PREFERENCE, xrefs: 6CEC6C60
ALERT_DESCRIPTION_DECODE_ERROR, xrefs: 6CEC6B3B
OP_SINGLE_DH_USE, xrefs: 6CEC6C6D
VERIFY_X509_TRUSTED_FIRST, xrefs: 6CEC6A9C
ALERT_DESCRIPTION_CERTIFICATE_REVOKED, xrefs: 6CEC6AFC
ssl.SSLEOFError, xrefs: 6CEC68B0
ssl.SSLError, xrefs: 6CEC6823
ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE, xrefs: 6CEC6B8E
VERIFY_CRL_CHECK_CHAIN, xrefs: 6CEC6A85
HAS_SNI, xrefs: 6CEC6CA0
ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE, xrefs: 6CEC6BAF
HAS_TLSv1_3, xrefs: 6CEC6CF3
PROTOCOL_TLS, xrefs: 6CEC6BD7
SSL_ERROR_WANT_WRITE, xrefs: 6CEC6A07
SSL_ERROR_INVALID_ERROR_CODE, xrefs: 6CEC6A46
SSL_ERROR_EOF, xrefs: 6CEC6A3C
err_names_to_codes, xrefs: 6CEC6E0D
ALERT_DESCRIPTION_RECORD_OVERFLOW, xrefs: 6CEC6AC7
Implementation module for SSL socket operations. See the socket modulefor documentation., xrefs: 6CEC67A8
SSL/TLS connection terminated abruptly., xrefs: 6CEC68AB
OP_NO_COMPRESSION, xrefs: 6CEC6C8A
ALERT_DESCRIPTION_USER_CANCELLED, xrefs: 6CEC6B70
VERIFY_X509_STRICT, xrefs: 6CEC6A8F
PROTOCOL_TLSv1_2, xrefs: 6CEC6BF8
ALERT_DESCRIPTION_CERTIFICATE_EXPIRED, xrefs: 6CEC6B06
PROTOCOL_TLSv1_1, xrefs: 6CEC6BEE
ssl.SSLSyscallError, xrefs: 6CEC6898
OP_NO_SSLv3, xrefs: 6CEC6C1F
ALERT_DESCRIPTION_ACCESS_DENIED, xrefs: 6CEC6B31
ALERT_DESCRIPTION_CLOSE_NOTIFY, xrefs: 6CEC6AA6
PROTOCOL_TLSv1, xrefs: 6CEC6BE1
_SSLContext, xrefs: 6CEC69C0
OPENSSL_VERSION_NUMBER, xrefs: 6CEC6EF1
ALERT_DESCRIPTION_NO_RENEGOTIATION, xrefs: 6CEC6B7A
VERIFY_DEFAULT, xrefs: 6CEC6A71
System error when attempting SSL operation., xrefs: 6CEC6893
HAS_TLS_UNIQUE, xrefs: 6CEC6CB0
SSL_ERROR_WANT_X509_LOOKUP, xrefs: 6CEC6A11
OP_NO_TLSv1, xrefs: 6CEC6C2C
ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE, xrefs: 6CEC6BA2
SSLWantReadError, xrefs: 6CEC695B
SSL_ERROR_WANT_CONNECT, xrefs: 6CEC6A32
SSLError, xrefs: 6CEC6928
err_codes_to_names, xrefs: 6CEC6DF4
HAS_ECDH, xrefs: 6CEC6CC0
SSL_ERROR_WANT_READ, xrefs: 6CEC69FD
ALERT_DESCRIPTION_INSUFFICIENT_SECURITY, xrefs: 6CEC6B59
OP_NO_TLSv1_1, xrefs: 6CEC6C3C
SSL_ERROR_SYSCALL, xrefs: 6CEC6A1B
CERT_NONE, xrefs: 6CEC6A50
ALERT_DESCRIPTION_ILLEGAL_PARAMETER, xrefs: 6CEC6B1A
OpenSSL 1.0.2t 10 Sep 2019, xrefs: 6CEC6F59
SSL/TLS session closed cleanly., xrefs: 6CEC683E
ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY, xrefs: 6CEC6BB9
SSLZeroReturnError, xrefs: 6CEC6941
CERT_REQUIRED, xrefs: 6CEC6A64
ALERT_DESCRIPTION_BAD_RECORD_MAC, xrefs: 6CEC6ABD
SSLEOFError, xrefs: 6CEC69A8
_ssl, xrefs: 6CEC67B2
OP_NO_TLSv1_2, xrefs: 6CEC6C49
IIIII, xrefs: 6CEC6F3B, 6CEC6FAC
ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE, xrefs: 6CEC6AF2
VERIFY_CRL_CHECK_LEAF, xrefs: 6CEC6A7B
ssl.SSLZeroReturnError, xrefs: 6CEC6848
ALERT_DESCRIPTION_DECRYPT_ERROR, xrefs: 6CEC6B45
OP_ALL, xrefs: 6CEC6C05
SSL_ERROR_SSL, xrefs: 6CEC6A25
ALERT_DESCRIPTION_PROTOCOL_VERSION, xrefs: 6CEC6B4F
ssl.SSLWantWriteError, xrefs: 6CEC687A
ALERT_DESCRIPTION_DECOMPRESSION_FAILURE, xrefs: 6CEC6AD1
_OPENSSL_API_VERSION, xrefs: 6CEC6FBB

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Module_$Constant$Dict_$Object$ItemString$Err_$ExceptionWith$From$BuildSizeValue_$LongLong_ReadyType_Unicodestrtoul$Capsule_DictImportInitMallocMem_MemoryModule4String_Unsignedgetenvsscanfstrchr
String ID: ALERT_DESCRIPTION_ACCESS_DENIED$ALERT_DESCRIPTION_BAD_CERTIFICATE$ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE$ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE$ALERT_DESCRIPTION_BAD_RECORD_MAC$ALERT_DESCRIPTION_CERTIFICATE_EXPIRED$ALERT_DESCRIPTION_CERTIFICATE_REVOKED$ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN$ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE$ALERT_DESCRIPTION_CLOSE_NOTIFY$ALERT_DESCRIPTION_DECODE_ERROR$ALERT_DESCRIPTION_DECOMPRESSION_FAILURE$ALERT_DESCRIPTION_DECRYPT_ERROR$ALERT_DESCRIPTION_HANDSHAKE_FAILURE$ALERT_DESCRIPTION_ILLEGAL_PARAMETER$ALERT_DESCRIPTION_INSUFFICIENT_SECURITY$ALERT_DESCRIPTION_INTERNAL_ERROR$ALERT_DESCRIPTION_NO_RENEGOTIATION$ALERT_DESCRIPTION_PROTOCOL_VERSION$ALERT_DESCRIPTION_RECORD_OVERFLOW$ALERT_DESCRIPTION_UNEXPECTED_MESSAGE$ALERT_DESCRIPTION_UNKNOWN_CA$ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY$ALERT_DESCRIPTION_UNRECOGNIZED_NAME$ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE$ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION$ALERT_DESCRIPTION_USER_CANCELLED$An error occurred in the SSL implementation.$CERT_NONE$CERT_OPTIONAL$CERT_REQUIRED$HAS_ALPN$HAS_ECDH$HAS_NPN$HAS_SNI$HAS_TLS_UNIQUE$HAS_TLSv1_3$IIIII$Implementation module for SSL socket operations. See the socket modulefor documentation.$Non-blocking SSL socket needs to read more databefore the requested operation can be completed.$Non-blocking SSL socket needs to write more databefore the requested operation can be completed.$OPENSSL_VERSION$OPENSSL_VERSION_INFO$OPENSSL_VERSION_NUMBER$OP_ALL$OP_CIPHER_SERVER_PREFERENCE$OP_NO_COMPRESSION$OP_NO_SSLv2$OP_NO_SSLv3$OP_NO_TLSv1$OP_NO_TLSv1_1$OP_NO_TLSv1_2$OP_NO_TLSv1_3$OP_SINGLE_DH_USE$OP_SINGLE_ECDH_USE$OpenSSL 1.0.2t 10 Sep 2019$PROTOCOL_SSLv23$PROTOCOL_SSLv3$PROTOCOL_TLS$PROTOCOL_TLSv1$PROTOCOL_TLSv1_1$PROTOCOL_TLSv1_2$SSL/TLS connection terminated abruptly.$SSL/TLS session closed cleanly.$SSLEOFError$SSLError$SSLSyscallError$SSLWantReadError$SSLWantWriteError$SSLZeroReturnError$SSL_ERROR_EOF$SSL_ERROR_INVALID_ERROR_CODE$SSL_ERROR_SSL$SSL_ERROR_SYSCALL$SSL_ERROR_WANT_CONNECT$SSL_ERROR_WANT_READ$SSL_ERROR_WANT_WRITE$SSL_ERROR_WANT_X509_LOOKUP$SSL_ERROR_ZERO_RETURN$System error when attempting SSL operation.$VERIFY_CRL_CHECK_CHAIN$VERIFY_CRL_CHECK_LEAF$VERIFY_DEFAULT$VERIFY_X509_STRICT$VERIFY_X509_TRUSTED_FIRST$_OPENSSL_API_VERSION$_SSLContext$_SSLSocket$_ssl$err_codes_to_names$err_names_to_codes$lib_codes_to_names$ssl.SSLEOFError$ssl.SSLError$ssl.SSLSyscallError$ssl.SSLWantReadError$ssl.SSLWantWriteError$ssl.SSLZeroReturnError
API String ID: 353964823-2835524041
Opcode ID: a3932a82f3d4261d6bbc1bd444d45304d4ec091cc8324c16473cf76a671b9183
Instruction ID: a769f0f731b8ca00223817ba975f3d4b0c4ad772962a9e61206aa670db2ff401
Opcode Fuzzy Hash: a3932a82f3d4261d6bbc1bd444d45304d4ec091cc8324c16473cf76a671b9183
Instruction Fuzzy Hash: 40221770B052067BE710FB658E46FAF367CDF85308F110514FA10FAA81DB669E05DAAB

Function 6CEC31C0 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_PyArg_ParseTuple_SizeT.PYTHON27(?,s*:write,?), ref: 6CEC31E6
PyErr_Format.PYTHON27(?,string longer than %d bytes,7FFFFFFF), ref: 6CEC322A
PyErr_SetString.PYTHON27(028CB208,The write operation timed out), ref: 6CEC329A
PyErr_SetString.PYTHON27(028CB208,Underlying socket has been closed.), ref: 6CEC32B8
PyErr_SetString.PYTHON27(028CB208,Underlying socket too large for select().), ref: 6CEC32D7
PyBuffer_Release.PYTHON27(?), ref: 6CEC33FD

Strings

s*:write, xrefs: 6CEC31DC
Underlying socket has been closed., xrefs: 6CEC32B2, 6CEC33D4
Underlying socket too large for select()., xrefs: 6CEC32D1
string longer than %d bytes, xrefs: 6CEC3224
The write operation timed out, xrefs: 6CEC3294, 6CEC33C6

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Err_$String$Arg_Buffer_FormatParseReleaseSizeTuple_
String ID: The write operation timed out$Underlying socket has been closed.$Underlying socket too large for select().$s*:write$string longer than %d bytes
API String ID: 3277940145-1779320975
Opcode ID: c5cc1c2cacce251ba2f60ce4b822fc54b845de186733be110b668acabf4e7c10
Instruction ID: 2c93fb635cb474a70279a268e48c064c3424f7ebd9e0aa70f300b287ddfe5783
Opcode Fuzzy Hash: c5cc1c2cacce251ba2f60ce4b822fc54b845de186733be110b668acabf4e7c10
Instruction Fuzzy Hash: CF610675B042019BCB00CF68DD85A9B73B4FB86329F244729E93987741DB32E955CB93

Function 6CEC34A0 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 257
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_PyArg_ParseTuple_SizeT.PYTHON27(?,i|w*:read,?,?), ref: 6CEC34E2
PyErr_SetString.PYTHON27(?,size should not be negative), ref: 6CEC351E
PyString_FromStringAndSize.PYTHON27(00000000,?), ref: 6CEC352F
PyEval_RestoreThread.PYTHON27(?), ref: 6CEC3655
PyErr_CheckSignals.PYTHON27 ref: 6CEC365E
_PyString_Resize.PYTHON27(?,00000000), ref: 6CEC374B
PyErr_SetString.PYTHON27(028CB208,The read operation timed out), ref: 6CEC376B
PyBuffer_Release.PYTHON27(?), ref: 6CEC377B
PyBuffer_Release.PYTHON27(?), ref: 6CEC3792
PyLong_FromLong.PYTHON27(00000000), ref: 6CEC379C

Strings

size should not be negative, xrefs: 6CEC3518
i|w*:read, xrefs: 6CEC34D8
The read operation timed out, xrefs: 6CEC3765
C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_lib.c, xrefs: 6CEC35CD

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Err_String$Buffer_FromReleaseSizeString_$Arg_CheckEval_LongLong_ParseResizeRestoreSignalsThreadTuple_
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_lib.c$The read operation timed out$i|w*:read$size should not be negative
API String ID: 4119156880-2442610700
Opcode ID: f1bda5f5284cff6d786a6519481a0c0936f5e2f68755d6e151bc4cfc51884794
Instruction ID: 3e3c909c3a4259ff44dceabbb3aa4c4a0b8369f3cc6a96761c5e9b963f6c8963
Opcode Fuzzy Hash: f1bda5f5284cff6d786a6519481a0c0936f5e2f68755d6e151bc4cfc51884794
Instruction Fuzzy Hash: 7591AD71B083018BD700CF69D984A9BB3F4FB85328F24066DE96997781E731D955CB93

Function 6CEC15D0 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 189
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyEval_SaveThread.PYTHON27 ref: 6CEC1632
PyEval_RestoreThread.PYTHON27(00007000), ref: 6CEC16AD
PyErr_CheckSignals.PYTHON27 ref: 6CEC16B6
PyErr_SetString.PYTHON27(028CB208,_ssl.c:711: The handshake operation timed out), ref: 6CEC1752
PyErr_SetString.PYTHON27(028CB208,_ssl.c:715: Underlying socket has been closed.), ref: 6CEC1769
PyEval_SaveThread.PYTHON27 ref: 6CEC17C6
PyEval_RestoreThread.PYTHON27(00000000), ref: 6CEC17E3

Strings

_ssl.c:711: The handshake operation timed out, xrefs: 6CEC174C
_ssl.c:715: Underlying socket has been closed., xrefs: 6CEC1763
_ssl.c:719: Underlying socket too large for select()., xrefs: 6CEC177A
C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_lib.c, xrefs: 6CEC1657

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Eval_Thread$Err_$RestoreSaveString$CheckSignals
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_lib.c$_ssl.c:711: The handshake operation timed out$_ssl.c:715: Underlying socket has been closed.$_ssl.c:719: Underlying socket too large for select().
API String ID: 1947425757-4144061731
Opcode ID: 25dba743e73f1dd03a9bf78057245705769100301a3f313a21e02894ae0c40d2
Instruction ID: 5c53b4b25cfda6c690c3582e0dc958fd911306b27c3357615cfe28c7b9a66915
Opcode Fuzzy Hash: 25dba743e73f1dd03a9bf78057245705769100301a3f313a21e02894ae0c40d2
Instruction Fuzzy Hash: D251F675B003008BDB00DFA8D945B8A73B5FB87328F280659E96987B41D732E965CBD3

Function 6CEC3A60 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 201
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,i:_SSLContext,?,?), ref: 6CEC3A92
PyEval_SaveThread.PYTHON27 ref: 6CEC3AB0
PyEval_RestoreThread.PYTHON27(00000000), ref: 6CEC3B39
PyErr_SetString.PYTHON27(?,invalid protocol version), ref: 6CEC3B56

Strings

i:_SSLContext, xrefs: 6CEC3A76
No cipher can be selected., xrefs: 6CEC3C3F
HIGH:!aNULL:!eNULL, xrefs: 6CEC3C15
HIGH:!aNULL:!eNULL:!MD5, xrefs: 6CEC3C0E
invalid protocol version, xrefs: 6CEC3B50

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Eval_Thread$Arg_Err_Keywords_ParseRestoreSaveSizeStringTuple
String ID: HIGH:!aNULL:!eNULL$HIGH:!aNULL:!eNULL:!MD5$No cipher can be selected.$i:_SSLContext$invalid protocol version
API String ID: 3720710401-3967712203
Opcode ID: c5bdb940ac2b81c90c97842337c302557c81a876f80a4986e5e5c2682e930423
Instruction ID: 3abd2b4744e28956557232dd06a628bb71321b94b8e6bfa2ecd5dfb90a5ff120
Opcode Fuzzy Hash: c5bdb940ac2b81c90c97842337c302557c81a876f80a4986e5e5c2682e930423
Instruction Fuzzy Hash: D5510772B041059BD710DF6AD981ADFB3B4EB8522CF244679E829C7B00DB32DD158793

Function 6CF6BDF0 Relevance: 12.3, APIs: 2, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2, xrefs: 6CF6BF69, 6CF6BF77, 6CF6BF82
SSLv2, xrefs: 6CF6BF62
ssl3-sha1, xrefs: 6CF6C006
ssl3-md5, xrefs: 6CF6BFDE
ssl2-md5, xrefs: 6CF6BFB6
C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_lib.c, xrefs: 6CF6BE0B, 6CF6BE39, 6CF6BE5F, 6CF6C110, 6CF6C1A2

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2$C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_lib.c$SSLv2$ssl2-md5$ssl3-md5$ssl3-sha1
API String ID: 0-762417532
Opcode ID: d8c4742ebb63e429c15e117a409b36fdf46ad15b5bd11bda906d0c385aef530d
Instruction ID: dc52da06a5b95d991f9391725cecf117f707775905e11fda7849f80edf2f2a57
Opcode Fuzzy Hash: d8c4742ebb63e429c15e117a409b36fdf46ad15b5bd11bda906d0c385aef530d
Instruction Fuzzy Hash: F1A18EB1A007019BE7209F2AC841B97F7E4BF95308F10496EE59ACBB51E7B5E504CF91

Function 00402440 Relevance: 10.6, APIs: 7, Instructions: 95
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyImport_AddModule.PYTHON27 ref: 00402465
strcpy.MSVCRT ref: 004024B9
PyString_FromString.PYTHON27 ref: 00402500
PyObject_SetAttrString.PYTHON27 ref: 0040251F
Py_DecRef.PYTHON27 ref: 0040252C
PyRun_SimpleString.PYTHON27 ref: 00402535
free.MSVCRT ref: 00402542

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: String$AttrFromImport_ModuleObject_Run_SimpleString_freestrcpy
String ID:
API String ID: 2863042373-0
Opcode ID: 38a5d0987218056ee668aea603d0878fa816bf4b0bedfba9df5d0f11675cc43b
Instruction ID: e8fd23f063c17629a143328e0033cfeb96340cb5f85429ec93d48a0f7a74ee99
Opcode Fuzzy Hash: 38a5d0987218056ee668aea603d0878fa816bf4b0bedfba9df5d0f11675cc43b
Instruction Fuzzy Hash: 11314EB5A083018FD714EF65D68855ABBE0EF88344F00893EE4C9D7391E7789989CB5A

Function 6CF7D3A0 Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCR90(?,?,00000000), ref: 6CF7D3F0
memcpy.MSVCR90(?,?,00000000), ref: 6CF7D417

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_both.c, xrefs: 6CF7D431, 6CF7D494
@, xrefs: 6CF7D43B
i <= EVP_MAX_MD_SIZE, xrefs: 6CF7D427, 6CF7D48A
@, xrefs: 6CF7D401

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy
String ID: @$@$C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_both.c$i <= EVP_MAX_MD_SIZE
API String ID: 3510742995-3082968397
Opcode ID: dea27ee191c17b2c0c213cca880953e279db9afff0d1d99849c7e0b6cbe8447a
Instruction ID: 95278c659104c6814cdb0ca2fbe3da0700ff99fbef4ca1d3b880a08946cb330f
Opcode Fuzzy Hash: dea27ee191c17b2c0c213cca880953e279db9afff0d1d99849c7e0b6cbe8447a
Instruction Fuzzy Hash: D631E0712017019FE310EF84D980E97B7E9EF85318B1480ADE9498BF11D375F956CBA1

Function 004052F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405210: MultiByteToWideChar.KERNEL32 ref: 00405249

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00002068,00000000,00000000,004026E0), ref: 0040531C
GetProcAddress.KERNEL32 ref: 00405338
GetProcAddress.KERNEL32 ref: 0040534A
CreateActCtxWWorker.KERNEL32 ref: 00405386
free.MSVCRT ref: 00405395

Strings

, xrefs: 0040536F

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: AddressProc$ByteCharCreateLibraryLoadMultiWideWorkerfree
String ID:
API String ID: 1453477836-3916222277
Opcode ID: aa8bcccdedd4f4024c265faddddaa8f9a41ed6605e16622b8acee048b89dca75
Instruction ID: f7fa3d31de41ebfc25f04b6bfa2f7641fe892b4ca97745c4cd34cacb2e0a35f9
Opcode Fuzzy Hash: aa8bcccdedd4f4024c265faddddaa8f9a41ed6605e16622b8acee048b89dca75
Instruction Fuzzy Hash: 422162B15147004BD710BFB9E94824FBBE0EB80358F014E3EE99497390E7B994498B8A

Function 0040254C Relevance: 9.1, APIs: 6, Instructions: 60
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.MSVCRT ref: 004024B9
PyString_FromString.PYTHON27 ref: 00402500
PyObject_SetAttrString.PYTHON27 ref: 0040251F
Py_DecRef.PYTHON27 ref: 0040252C
PyRun_SimpleString.PYTHON27 ref: 00402535
free.MSVCRT ref: 00402542

Part of subcall function 004015D0: ntohl.WS2_32(?,?,00000000,?,0040235F), ref: 004015E2

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: String$AttrFromObject_Run_SimpleString_freentohlstrcpy
String ID:
API String ID: 1114997145-0
Opcode ID: 237dfa5a32e5763ef6e43fba204de41ae2a913351412f05c3ed5b181bf43df63
Instruction ID: 32504a1939c2323dedb865ed5e74e7e0c3da6bf7179223560a8ee1a271ee221e
Opcode Fuzzy Hash: 237dfa5a32e5763ef6e43fba204de41ae2a913351412f05c3ed5b181bf43df63
Instruction Fuzzy Hash: 352110B45087018FD714EF25C58915ABBE0EF84744F00893EE485D7395D778D989CB4A

Function 00402479 Relevance: 9.1, APIs: 6, Instructions: 57stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004015D0: ntohl.WS2_32(?,?,00000000,?,0040235F), ref: 004015E2

strcpy.MSVCRT ref: 004024B9
PyString_FromString.PYTHON27 ref: 00402500
PyObject_SetAttrString.PYTHON27 ref: 0040251F
Py_DecRef.PYTHON27 ref: 0040252C
PyRun_SimpleString.PYTHON27 ref: 00402535
free.MSVCRT ref: 00402542

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: String$AttrFromObject_Run_SimpleString_freentohlstrcpy
String ID:
API String ID: 1114997145-0
Opcode ID: b0e2dd3581f0fa98c5a9871b7647d1f62c40080b42c7a6d65e4c7262ab752b8a
Instruction ID: 2d4c2cf9b4146ebcee53eb0a73992dcdba7c51992c818bc209d4c21239ce87a4
Opcode Fuzzy Hash: b0e2dd3581f0fa98c5a9871b7647d1f62c40080b42c7a6d65e4c7262ab752b8a
Instruction Fuzzy Hash: 84210EB49087018FD714EF25C58925ABBE0EF84704F04893EE889D7395D778D989CB4A

Function 00404FC0 Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

GetShortPathNameW.KERNELBASE ref: 00404FE6
malloc.MSVCRT ref: 00405017
GetShortPathNameW.KERNELBASE ref: 00405029
free.MSVCRT ref: 00405035

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: NamePathShort$freemalloc
String ID:
API String ID: 859375759-0
Opcode ID: 2df2b412d309d7c36f49991fc7ba5eed1ce7a99e1fb9888bf44697f781b362b8
Instruction ID: 3beaf80c49d4d74242e0349f6237524424644aeea3499a333aa3f78d0f17a321
Opcode Fuzzy Hash: 2df2b412d309d7c36f49991fc7ba5eed1ce7a99e1fb9888bf44697f781b362b8
Instruction Fuzzy Hash: 56011BB15087058FC700BF76D48925FBBE4EF84358F05883EEA8897241E73998558BDB

Function 6CF8FDE0 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 280COMMON

Download Yara Rule

APIs

Part of subcall function 6CEDCDA0: raise.MSVCR90 ref: 6CEDCDAF
Part of subcall function 6CEDCDA0: _exit.MSVCR90 ref: 6CEDCDBA
Part of subcall function 6CEDCDA0: __iob_func.MSVCR90 ref: 6CEDCDD0

Part of subcall function 6CEF95C0: memcpy.MSVCR90(00000000,00000000,?,?,?,?,?,?,6CEF95B1,00000000,?,?,?,6CF0A494), ref: 6CEF9687

memcpy.MSVCR90(?,?,?), ref: 6CF900E1

Strings

chunk >= 0, xrefs: 6CF8FE34
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_lib.c, xrefs: 6CF8FE22
C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_enc.c, xrefs: 6CF8FE3E

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy$__iob_func_exitraise
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_lib.c$C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_enc.c$chunk >= 0
API String ID: 13576257-1872200342
Opcode ID: d6a3f14d2d87d04bdc09bf135555d5abc6a4d90089ab83147cab5bc2a852f12c
Instruction ID: c96ab8dccf5ccde7638751845b6117817b9c6e1568c05ee06f461e09037d481b
Opcode Fuzzy Hash: d6a3f14d2d87d04bdc09bf135555d5abc6a4d90089ab83147cab5bc2a852f12c
Instruction Fuzzy Hash: 80A14F71D043199BEF00CFA5CC44BDEB7B9AF48208F144169E919E7641EB71EA19CFA1

Function 6CF7A1D0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 235COMMON

Download Yara Rule

APIs

memmove.MSVCR90(?,?,?), ref: 6CF7A24B

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_pkt.c, xrefs: 6CF7A312, 6CF7A3B6

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memmove
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_pkt.c
API String ID: 2162964266-36802313
Opcode ID: 614231aaa3728b40967091c94e7bcf5776f07cbfcccbb8979f1e15acd782e3f9
Instruction ID: a3fb308da5fee5111c5cd455b5f3fd3f97ec465c6e039cec1e05fab3c292d3c4
Opcode Fuzzy Hash: 614231aaa3728b40967091c94e7bcf5776f07cbfcccbb8979f1e15acd782e3f9
Instruction Fuzzy Hash: F9917271B042449FDB50CF69D480B99B7F1FF84328F25929AEC588BB45D732D986CBA0

Function 6CF7D500 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,?,?), ref: 6CF7D627
memcpy.MSVCR90(?,?,?), ref: 6CF7D5E0

Part of subcall function 6CEDCDA0: raise.MSVCR90 ref: 6CEDCDAF
Part of subcall function 6CEDCDA0: _exit.MSVCR90 ref: 6CEDCDBA
Part of subcall function 6CEDCDA0: __iob_func.MSVCR90 ref: 6CEDCDD0

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_both.c, xrefs: 6CF7D598, 6CF7D607, 6CF7D64E
i <= EVP_MAX_MD_SIZE, xrefs: 6CF7D5FD, 6CF7D644

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy$__iob_func_exitraise
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_both.c$i <= EVP_MAX_MD_SIZE
API String ID: 13576257-3443307041
Opcode ID: 81d8d818bec62486554e5bccb2874c4666ca0315e44686507b25e0c34ca4d77c
Instruction ID: 615a70d75ed9ac95fb6697226038c8d8314e34bdd3ca9901af333fec89763e24
Opcode Fuzzy Hash: 81d8d818bec62486554e5bccb2874c4666ca0315e44686507b25e0c34ca4d77c
Instruction Fuzzy Hash: F73126727003045BE320D754EC81BDA73A9EB8531CF584179E6098BF90D775ED4AC7A1

Function 6CF87220 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 510COMMON

Download Yara Rule

APIs

_time64.MSVCR90 ref: 6CF87233
SetLastError.KERNEL32(00000000), ref: 6CF87260

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_clnt.c, xrefs: 6CF879CB, 6CF87A09, 6CF87A2A

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: ErrorLast_time64
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_clnt.c
API String ID: 16934928-1398658996
Opcode ID: 7d3487a5eed5fdc0d91b47080184780cb0026e5987ce90fead8b464201b990d8
Instruction ID: db4f633bbb629064d8d7f5173460d1c7c319dc0a2e55de80bcb9801dc1d078a3
Opcode Fuzzy Hash: 7d3487a5eed5fdc0d91b47080184780cb0026e5987ce90fead8b464201b990d8
Instruction Fuzzy Hash: 30128071706B02EBE3048F25C984BA6BBB4BF45318F54522AFA148BF91D775E468CBC1

Function 6CF7C750 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 171COMMON

Download Yara Rule

APIs

_time64.MSVCR90 ref: 6CF7C763
SetLastError.KERNEL32(00000000), ref: 6CF7C78C

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s23_clnt.c, xrefs: 6CF7C95B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: ErrorLast_time64
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s23_clnt.c
API String ID: 16934928-2782156764
Opcode ID: 97b7043b52967e9763929d4b0102c849ff5e1c9ddea047ec7ac4942feeaee345
Instruction ID: 4f63c4f834620f577cbea96d07fb2437da4d8ed27aceb690c21587888bfa35c1
Opcode Fuzzy Hash: 97b7043b52967e9763929d4b0102c849ff5e1c9ddea047ec7ac4942feeaee345
Instruction Fuzzy Hash: 3E512331606601ABD371AF24E98079EB6B4FB44B48F10152BFA50E7F80D7B4D851CBE2

Function 00401550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

fseek.MSVCRT ref: 0040156C
fread.MSVCRT ref: 00401591

Strings

X, xrefs: 00401582

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: freadfseek
String ID: X
API String ID: 612888758-3081909835
Opcode ID: 539abc343e9f64d8d4d1f49f56d28b956ce32b5eb8628532d6cc967c8fb8ac93
Instruction ID: 63b23579973b0fc2a8c848cc11070a24b4d4b75e095fd3bb4bfadd2259f2d151
Opcode Fuzzy Hash: 539abc343e9f64d8d4d1f49f56d28b956ce32b5eb8628532d6cc967c8fb8ac93
Instruction Fuzzy Hash: 53F0C2716043119BDB006F6DD88425B7BE4EF80364F40CA6EE894DB3C5E639C4448B82

Function 6CF87F00 Relevance: 5.0, APIs: 1, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_clnt.c, xrefs: 6CF87FA3, 6CF88022, 6CF88235, 6CF88258, 6CF88459, 6CF8852A
F, xrefs: 6CF8854C

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_clnt.c$F
API String ID: 0-3079694442
Opcode ID: e5168824db83f38f9e7938fcb1a84908c08ff3f90cc586865d5e58dc117c40ee
Instruction ID: 1c3b56dc646a79b35b1d7ac6514212edf3437e8b6266a0f7f36f37c2116531e2
Opcode Fuzzy Hash: e5168824db83f38f9e7938fcb1a84908c08ff3f90cc586865d5e58dc117c40ee
Instruction Fuzzy Hash: 9902E471B06201DBEB10CF15C880B99B7B2EF41318F2841BAED58AFB86D775E945CB91

Function 6CF98400 Relevance: 4.5, APIs: 3, Instructions: 35networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000), ref: 6CF98407
send.WS2_32(?,?,?,00000000), ref: 6CF9841E
WSAGetLastError.WS2_32 ref: 6CF98435

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: ErrorLast$send
String ID:
API String ID: 3964319974-0
Opcode ID: 06aee71e38f98bf265c7d9b37170a1551e0d3f2bb00601f440bd91679b4cdffe
Instruction ID: 26a16eec42e2f1d4345ad6140e6a852af2f782e1937c66772c4f63d259e4ae42
Opcode Fuzzy Hash: 06aee71e38f98bf265c7d9b37170a1551e0d3f2bb00601f440bd91679b4cdffe
Instruction Fuzzy Hash: 36F0903570161167EA104E689848B5A7734EF86379F204712FD24D7680C331E94186E1

Function 00405009 Relevance: 4.5, APIs: 3, Instructions: 23COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00405017
GetShortPathNameW.KERNELBASE ref: 00405029
free.MSVCRT ref: 00405035

Part of subcall function 00404E70: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405155), ref: 00404E73
Part of subcall function 00404E70: FormatMessageA.KERNEL32 ref: 00404EB4

free.MSVCRT ref: 0040504F

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: free$ErrorFormatLastMessageNamePathShortmalloc
String ID:
API String ID: 3972796230-0
Opcode ID: 50f28673293c9481b71ab48fc0896d0721b4577a95fe12ffa1399bf1bbab0f98
Instruction ID: 14395f89bb27aa1ca1f9753598149e6359d334e72cd4ccc6b7e353c60daad64f
Opcode Fuzzy Hash: 50f28673293c9481b71ab48fc0896d0721b4577a95fe12ffa1399bf1bbab0f98
Instruction Fuzzy Hash: 00E0EDB15087058FC340BF35944526ABBE1FF84318F01453FDA88A7242E73955559BC7

Function 6CF8A350 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_clnt.c, xrefs: 6CF8A4B0, 6CF8A8E1

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_clnt.c
API String ID: 0-1398658996
Opcode ID: 40eea5f0e165e5230ad21bf772359fa0b44037c4c78a0ba59828295df77fa05a
Instruction ID: e86892473b1d40c794684cc9e958c23add9e981bfe2976277dcbb9fa5b27ff5b
Opcode Fuzzy Hash: 40eea5f0e165e5230ad21bf772359fa0b44037c4c78a0ba59828295df77fa05a
Instruction Fuzzy Hash: 44E1C370A053019BD304CF24D481B9AB7F0FB85318F14867DE99C9BB82D775E95ACB92

Function 6CF67390 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 295COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,?), ref: 6CF674A0

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\bio\bf_buff.c, xrefs: 6CF6745D, 6CF674FB, 6CF67525, 6CF67550

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\bio\bf_buff.c
API String ID: 3510742995-3609943304
Opcode ID: 05a2a272639426b8b5750b11a9ef32db3b7f7bd711cd59b2ca2b674874e8b402
Instruction ID: 0aa5510d9724a0141e3e4164e1ee6c7c6db308da3222c8560dee3788633cd297
Opcode Fuzzy Hash: 05a2a272639426b8b5750b11a9ef32db3b7f7bd711cd59b2ca2b674874e8b402
Instruction Fuzzy Hash: 57B12071A01619EFCB04CF5AD580A99BBB1FF48324F2582AAD8189BB40D331FE55CBD1

Function 6CF7ABA0 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_pkt.c, xrefs: 6CF7AE11

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_pkt.c
API String ID: 0-36802313
Opcode ID: 0904b02ada99ca671e465becf49e86f65f893e89bc902c447a025bc6d37ec0b2
Instruction ID: 49abd7bb5f9da6bbfa08d0ae58bd50eed37f1a739a0aa2249c4dc389199cc335
Opcode Fuzzy Hash: 0904b02ada99ca671e465becf49e86f65f893e89bc902c447a025bc6d37ec0b2
Instruction Fuzzy Hash: 98910571205301DFD720CF19D880B9AB7E1FF84319F158A6EE8A98B781D374E885CBA1

Function 6CF90140 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 6CF901BA

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_enc.c, xrefs: 6CF9017B, 6CF90271

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memset
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_enc.c
API String ID: 2221118986-433900044
Opcode ID: b38d51b185752cd937a1a091c441538b1221271aa516fdf7b43ed2b95036d89c
Instruction ID: 52725e5fd9434cdd225019ed1690f5e2261d172b501db1a02e71b760a896d9d9
Opcode Fuzzy Hash: b38d51b185752cd937a1a091c441538b1221271aa516fdf7b43ed2b95036d89c
Instruction Fuzzy Hash: 1B41FD32604248AFEB08CE69D88099B77F4EF8D718F11422DFD5A87641D271EC86CB92

Function 6CEF95C0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(00000000,00000000,?,?,?,?,?,?,6CEF95B1,00000000,?,?,?,6CF0A494), ref: 6CEF9687

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\digest.c, xrefs: 6CEF9652, 6CEF96E4

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\digest.c
API String ID: 3510742995-3606865183
Opcode ID: 0d76ea2c97f5621450072102bc535ea0d86d6fba01f89cff7dce7e2fc7c3827c
Instruction ID: 51ae172d4a4a5f24bbb932d657f9f3283ca392bc9bcffb563f68e9e6d2fc5f80
Opcode Fuzzy Hash: 0d76ea2c97f5621450072102bc535ea0d86d6fba01f89cff7dce7e2fc7c3827c
Instruction Fuzzy Hash: A441C7757052029FE704CF65E880A5AB3B4FF84368B25816AE928CBB44E735F952CBD1

Function 6CF7AF30 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6CF7AF75

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_pkt.c, xrefs: 6CF7AFB3, 6CF7B032

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: ErrorLast
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_pkt.c
API String ID: 1452528299-36802313
Opcode ID: b392fee75df4843d119bd85ca1cc7cdf803ce9de0c667a7da8ee5ae1bf78f6b5
Instruction ID: ea0571838a0ba5617bb8424160e4287bd0c10fc84abb48c643a31a978cf47234
Opcode Fuzzy Hash: b392fee75df4843d119bd85ca1cc7cdf803ce9de0c667a7da8ee5ae1bf78f6b5
Instruction Fuzzy Hash: 3331D1B1308601ABD718CF24E8C4BD5B7A1FF51328F21426AE96C8B681D771F899C7E0

Function 00405B00 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00405C37), ref: 00405B61

Strings

8, xrefs: 00405B1F

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: malloc
String ID: 8
API String ID: 2803490479-4194326291
Opcode ID: 09b62ba97610634032aaee03a65527072419f5a16653db5ab8349d4636d06d90
Instruction ID: 27960196ec068ea2d4ca984ce8f34aca0f5bb8a1c584f74e4cce3054eee653b0
Opcode Fuzzy Hash: 09b62ba97610634032aaee03a65527072419f5a16653db5ab8349d4636d06d90
Instruction Fuzzy Hash: 502171B1604B008BEB109F29D4887677BE0EF88324F55467EE8589B3C5D778E840DF86

Function 00404C10 Relevance: 3.0, APIs: 2, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405210: MultiByteToWideChar.KERNEL32 ref: 00405249

LoadLibraryExW.KERNEL32 ref: 00404C46
free.MSVCRT ref: 00404C54

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWidefree
String ID:
API String ID: 3231889924-0
Opcode ID: ffee880f393c4c36bb1ce4ed726f15dbcabc5eeb0a1e1c12815f15cab301fbda
Instruction ID: 05c8f3ae87b294e81e5ad3021f5e9e1271b0214f14fb420bb6d6726f0d24f828
Opcode Fuzzy Hash: ffee880f393c4c36bb1ce4ed726f15dbcabc5eeb0a1e1c12815f15cab301fbda
Instruction Fuzzy Hash: 37E0E5B19097009BDB00BF78D48930BBEE0EB84344F01897DE4C89B241E67988488B86

Function 00402E70 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00405210: MultiByteToWideChar.KERNEL32 ref: 00405249

_wfopen.MSVCRT ref: 00402EBD

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: ByteCharMultiWide_wfopen
String ID:
API String ID: 372205238-0
Opcode ID: e52c21d214796629a240c51fb7b60e75d21fb52d549f7b961c803426c5818c4c
Instruction ID: 74126713ab80da84faf4757f36691f79a295a803dc0f7ed3549fcb3a874f13b0
Opcode Fuzzy Hash: e52c21d214796629a240c51fb7b60e75d21fb52d549f7b961c803426c5818c4c
Instruction Fuzzy Hash: 0CF0F2B04093019BC710BF64E58828BBBE0EF84744F008C6EE4C893240C2389589CF86

Function 00401130 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

__wgetmainargs.MSVCRT ref: 00401165

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: b50a7d618143305fccf7f4221a87454376e91ed455ac815f7f5e224d524365dc
Instruction ID: 9780a8ee34f3fd3c1c610ca31369fa4129d0e73ea6bad815c2c5347cee1c24e9
Opcode Fuzzy Hash: b50a7d618143305fccf7f4221a87454376e91ed455ac815f7f5e224d524365dc
Instruction Fuzzy Hash: BBE092B49043008BD700DF2596441897FE0F748348F40CA2EEA94A7210D3F981A8DB8E

Function 6CF74900 Relevance: 1.3, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6CF74907

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9934eeca4d6e8519e04470ab1fe7874abde31953f3240c1bf21af8e6731e4ea4
Instruction ID: 06af19880cd1d7c97a91de0c97e45970943ac790e69976961bfa34455d31a56f
Opcode Fuzzy Hash: 9934eeca4d6e8519e04470ab1fe7874abde31953f3240c1bf21af8e6731e4ea4
Instruction Fuzzy Hash: 28218175200706AFE310CF56E885BA6B7B4FF85328F154155E9188BB81D370F8A5CBE1

Function 6CF749C0 Relevance: 1.3, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6CF749C5

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d0b13e04aa9ca28ddd3b2e93ea282a7baff431c3907ecf32563e82f4bc3381d6
Instruction ID: 07488ca4417f057eb117175fd112e18a0ef605a63640a9d367b784b4242ec3b0
Opcode Fuzzy Hash: d0b13e04aa9ca28ddd3b2e93ea282a7baff431c3907ecf32563e82f4bc3381d6
Instruction Fuzzy Hash: CE019E74200704DFE324CF01E845F9777B9FF89318F440269E84A0BA82C771E882CBA1

Function 00405BC9 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00405C37), ref: 00405B61

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 289d6bc5cf9225bddf9a4ba4c434dce53377662ef230caec052a21ad90f6e574
Instruction ID: 327cd040e8be9800a2601c75deb4d6c2f338156f6ee823721eb14b8e1700891f
Opcode Fuzzy Hash: 289d6bc5cf9225bddf9a4ba4c434dce53377662ef230caec052a21ad90f6e574
Instruction Fuzzy Hash: 3EF06DB5604B018BD700DF29C488357BBE0EF84314F96897ED848AB381DB78E8008F89

Non-executed Functions

Function 6CF99DC0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 187filestringCOMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 6CF99DDE
_errno.MSVCR90 ref: 6CF99E0D
malloc.MSVCR90 ref: 6CF99E27
memset.MSVCR90 ref: 6CF99E44
malloc.MSVCR90 ref: 6CF99E5B
free.MSVCR90 ref: 6CF99E71
_errno.MSVCR90 ref: 6CF99E7F
FindFirstFileA.KERNEL32(?,?,?,?,?,00000000), ref: 6CF99F0C
free.MSVCR90 ref: 6CF99F26
free.MSVCR90 ref: 6CF99F35
_errno.MSVCR90 ref: 6CF99F43
FindNextFileA.KERNEL32(?,00000000,?,?,00000000), ref: 6CF99F60
strncpy.MSVCR90 ref: 6CF99F85
_errno.MSVCR90 ref: 6CF99FA3

Strings

N;Zn, xrefs: 6CF99E71, 6CF99F12

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: _errno$free$FileFindmalloc$FirstNextmemsetstrncpy
String ID: N;Zn
API String ID: 3162083030-2565800930
Opcode ID: 4dd04b57bf6dbe1ce3c181080ae667940185ae9d091a744669293ab077b37650
Instruction ID: 7c815d542fa5ba9c79e28421f7d21b0d47dca91996cd28743a2d919d4b1e16d0
Opcode Fuzzy Hash: 4dd04b57bf6dbe1ce3c181080ae667940185ae9d091a744669293ab077b37650
Instruction Fuzzy Hash: A551E375B052059FEB019F6DD8487DABBB8EF4A318F1542A5D84DC7310EB72DA04C7A1

Function 00404170 Relevance: 22.6, APIs: 15, Instructions: 129stringCOMMON

Download Yara Rule

APIs

PyString_FromString.PYTHON27 ref: 004041B0
free.MSVCRT ref: 004041BB
strlen.MSVCRT ref: 004041CB
PySys_SetObject.PYTHON27 ref: 00404202
PyImport_ImportModule.PYTHON27 ref: 0040420F
PyModule_GetDict.PYTHON27 ref: 00404218
PyDict_GetItemString.PYTHON27 ref: 00404229

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: String$DictDict_FromImportImport_ItemModuleModule_ObjectString_Sys_freestrlen
String ID:
API String ID: 2813007557-0
Opcode ID: 8638e13c9b08a381a820a06e5729c40eb11c6702f34f87e04ccf3f99befd6a24
Instruction ID: 13ef81bd32d2d37f53a87a5a2f43fe793e1eca721c993885f661f54c21999dda
Opcode Fuzzy Hash: 8638e13c9b08a381a820a06e5729c40eb11c6702f34f87e04ccf3f99befd6a24
Instruction Fuzzy Hash: A35116B59087018BC700AF75D54825EBBE0EF88350F01CA3EE999E7390DB78D995CB5A

Function 00404380 Relevance: 12.1, APIs: 8, Instructions: 83stringCOMMON

Download Yara Rule

APIs

ntohl.WS2_32(00000000,?,00000000,004044F8), ref: 0040439A
PyString_FromFormat.PYTHON27 ref: 004043DF
free.MSVCRT ref: 004043EE
strlen.MSVCRT ref: 004043F8
Py_DecRef.PYTHON27 ref: 00404436
PySys_GetObject.PYTHON27 ref: 00404443
PyList_Append.PYTHON27 ref: 00404454

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: AppendFormatFromList_ObjectString_Sys_freentohlstrlen
String ID:
API String ID: 1602724986-0
Opcode ID: 36c6db5c0c6acf27683b7631ae5c6a626e1c8faec13436edad47b81ef97ce63a
Instruction ID: bd494f12bd0fd589b41595198eaed635d65b3c603cc781ed69caae3811d7099d
Opcode Fuzzy Hash: 36c6db5c0c6acf27683b7631ae5c6a626e1c8faec13436edad47b81ef97ce63a
Instruction Fuzzy Hash: 8F3108B59083009BC300AFA9D98825EBFE0EF88354F558A7EE588E7391D778C4548B5B

Function 004042F7 Relevance: 12.1, APIs: 8, Instructions: 65COMMON

Download Yara Rule

APIs

PyObject_CallFunction.PYTHON27 ref: 004042BA
PyImport_ExecCodeModule.PYTHON27 ref: 004042CA
PyErr_Occurred.PYTHON27 ref: 004042D4
PyErr_Print.PYTHON27 ref: 004042DE
PyErr_Clear.PYTHON27 ref: 004042E4
free.MSVCRT ref: 004042ED

Part of subcall function 00401E10: MessageBoxA.USER32 ref: 00401E5C

ntohl.WS2_32 ref: 00404300
PyObject_CallFunction.PYTHON27 ref: 00404326

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: Err_$CallFunctionObject_$ClearCodeExecImport_MessageModuleOccurredPrintfreentohl
String ID:
API String ID: 2592510725-0
Opcode ID: 0010ccedf207171e35fda171a142b8362fc69459d4931e80034877df5d9c225f
Instruction ID: fec6499228cd980bc1a5bd415eb7bde3f067a76568abea53337277d3fabf13d9
Opcode Fuzzy Hash: 0010ccedf207171e35fda171a142b8362fc69459d4931e80034877df5d9c225f
Instruction Fuzzy Hash: 372126B19087058FC710AF76D94429FBBE0AF84350F01CA3EE999E7290DB38D845CB5A

Function 6CFC08F0 Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6CFC0EB5
_crt_debugger_hook.MSVCR90(00000001), ref: 6CFC0EC2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CFC0ECA
UnhandledExceptionFilter.KERNEL32(6CFC23F0), ref: 6CFC0ED5
_crt_debugger_hook.MSVCR90(00000001), ref: 6CFC0EE6
GetCurrentProcess.KERNEL32(C0000409), ref: 6CFC0EF1
TerminateProcess.KERNEL32(00000000), ref: 6CFC0EF8

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled_crt_debugger_hook$CurrentDebuggerPresentTerminate
String ID:
API String ID: 3369434319-0
Opcode ID: 386b7999abe296a442e2d9f23a6da65aad89e48199716a6eac901edcb1af5cbc
Instruction ID: a9d93254d563a1fb06485161eed817e313a319d4627ba7a911d19ea57c65266c
Opcode Fuzzy Hash: 386b7999abe296a442e2d9f23a6da65aad89e48199716a6eac901edcb1af5cbc
Instruction Fuzzy Hash: 3421D2B8A51205EFCB44DF29D0487867FB8FB0A314F20516EE50887250E7B19689EF0D

Function 00409FBC Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040A00F
UnhandledExceptionFilter.KERNEL32 ref: 0040A01F
GetCurrentProcess.KERNEL32 ref: 0040A028
TerminateProcess.KERNEL32 ref: 0040A039
abort.MSVCRT ref: 0040A042

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: 32597a08885f00a5d96f52d968800da127951a2effd2a68d820def550ef04dbf
Instruction ID: 908e5fe2e4d4b4f9fd135d1aae07c580cbffd01a49a55d17d848d4be7f730e2e
Opcode Fuzzy Hash: 32597a08885f00a5d96f52d968800da127951a2effd2a68d820def550ef04dbf
Instruction Fuzzy Hash: 6F0196B8905308DFD700EFAAE948299BBF4BB04304F018539E95997220E77594458F4A

Function 00409FC0 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040A00F
UnhandledExceptionFilter.KERNEL32 ref: 0040A01F
GetCurrentProcess.KERNEL32 ref: 0040A028
TerminateProcess.KERNEL32 ref: 0040A039
abort.MSVCRT ref: 0040A042

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminateabort
String ID:
API String ID: 520269711-0
Opcode ID: cfe80107bd9ea8fc3025abd89124e695585fe244c5293105b08e45eba9f73a9a
Instruction ID: b20f870d5eea2d1b28bc474f0d21cf6229e8d97dce3512df4533b4e671bbbf1c
Opcode Fuzzy Hash: cfe80107bd9ea8fc3025abd89124e695585fe244c5293105b08e45eba9f73a9a
Instruction Fuzzy Hash: 1E01A4B8905308DFD700EFAAEA48289BBF4BB04304F01853AE95997320E77994498F4A

Function 6CEF9DF0 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 331stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCR90 ref: 6CEF9E8B

Part of subcall function 6CEEA260: memset.MSVCR90 ref: 6CEEA289

memcpy.MSVCR90(?,?,?), ref: 6CEFA06E

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509\x509_obj.c, xrefs: 6CEFA0ED, 6CEFA136
NO X509_NAME, xrefs: 6CEF9E85

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpymemsetstrncpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509\x509_obj.c$NO X509_NAME
API String ID: 2927123951-544225123
Opcode ID: c007fde934f37e5d7b6f9ea1de591d25a3d289b442879c508815ef4867c54429
Instruction ID: 66d480153a0e284a6024e4de1925e2aba11a6a9f8e27667de46bfcf251d297a9
Opcode Fuzzy Hash: c007fde934f37e5d7b6f9ea1de591d25a3d289b442879c508815ef4867c54429
Instruction Fuzzy Hash: 5BC1E5726483418FD700CF29D88075AB7F1EF8931CF24896DE8A99B741D775D90ACB92

Function 6CF94A70 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 6CF94B0B

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_cbc.c, xrefs: 6CF94C54, 6CF94C68
orig_len >= md_size, xrefs: 6CF94C5E
md_size <= EVP_MAX_MD_SIZE, xrefs: 6CF94C4A

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memset
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s3_cbc.c$md_size <= EVP_MAX_MD_SIZE$orig_len >= md_size
API String ID: 2221118986-3221712105
Opcode ID: d5a540874114244c6cb7ffd8135be92f91e818fd89c8bc8a6951b7cad17075b1
Instruction ID: ce817cea63a35bbefb526bb613e0ba17bfc452ded65736d13067eec9c83cf472
Opcode Fuzzy Hash: d5a540874114244c6cb7ffd8135be92f91e818fd89c8bc8a6951b7cad17075b1
Instruction Fuzzy Hash: EB81B2356082A48FCB15CF398894799BFB2AF9B200F58C1D9D4DDDB747CA32994ACB50

Function 00401850 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00401610: ntohl.WS2_32 ref: 0040163E
Part of subcall function 00401610: fseek.MSVCRT ref: 00401656
Part of subcall function 00401610: ntohl.WS2_32 ref: 00401661
Part of subcall function 00401610: malloc.MSVCRT ref: 00401669
Part of subcall function 00401610: ntohl.WS2_32 ref: 00401684
Part of subcall function 00401610: fread.MSVCRT ref: 004016A0
Part of subcall function 00401610: fclose.MSVCRT ref: 004016BC

Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 004049FC
Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 00404A0F
Part of subcall function 004049D0: strtok.MSVCRT(?,?,00000000), ref: 00404A1F
Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000), ref: 00404A73
Part of subcall function 004049D0: strtok.MSVCRT(?,?,00000000), ref: 00404A87
Part of subcall function 004049D0: _mkdir.MSVCRT ref: 00404AA5

ntohl.WS2_32(?,?,?,?,?,?,004023E6), ref: 00401897
fwrite.MSVCRT ref: 004018B9
fclose.MSVCRT ref: 004018CA
free.MSVCRT ref: 004018D2

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: ntohl$strcpy$fclosestrtok$_mkdirfreadfreefseekfwritemalloc
String ID:
API String ID: 1532958511-0
Opcode ID: 9b1658ee59e78418a1a896e7d1f1d8056e2a366c7e11f4c54195c886a90b60ba
Instruction ID: 8df8dfa69511768c1765381bdb0415dcaef8feb7ccc1299cfd62f9c5395cf5e0
Opcode Fuzzy Hash: 9b1658ee59e78418a1a896e7d1f1d8056e2a366c7e11f4c54195c886a90b60ba
Instruction Fuzzy Hash: 0A114CB18087009BC3107F3A848401EBBE0AF81368F458A3EF8D8A73D1C73898559B4B

Function 6CEDE420 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\rand\md_rand.c, xrefs: 6CEDE49A, 6CEDE4D0, 6CEDE4F1, 6CEDE5F4, 6CEDE78A, 6CEDE810
gfff, xrefs: 6CEDE5BA

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\rand\md_rand.c$gfff
API String ID: 0-1304535762
Opcode ID: f135fa1ed1f78a1eaf2bba992e82b5f4e7ca16102e2bd24ddfbfd3b861f6b235
Instruction ID: e3e3f7792d5658038f288026655c5fa1aa9c62ee8c6d24d62b7ca7e54b6103d5
Opcode Fuzzy Hash: f135fa1ed1f78a1eaf2bba992e82b5f4e7ca16102e2bd24ddfbfd3b861f6b235
Instruction Fuzzy Hash: A2B1D431A087419FD704CF68C84575ABBF4AB8A718F25892DF9A4D7381E770E906CBC2

Function 6CFA28B0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3c2c2f370dfa4265cfb92d671151a03b6835ddd4f161b2aed8a7dc64b52055f
Instruction ID: 5902d527c8ff325b9a159f110558f8c138b2dd0b558a20c0c4e348baa7ed48f4
Opcode Fuzzy Hash: f3c2c2f370dfa4265cfb92d671151a03b6835ddd4f161b2aed8a7dc64b52055f
Instruction Fuzzy Hash: 1D4182B1901B029FD3A4CF2EC285512FBF4FB986107108A2AD49DC7E24E331FA959B94

Function 6CFA21C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31cb95ee1a82421ede6f0fee0baa24ab469750fc944d5542bdbe00e50f8cada3
Instruction ID: bb02bab132e0af868fcaa38565c13997f13b754994f9bd7d7b2636fdb35aa209
Opcode Fuzzy Hash: 31cb95ee1a82421ede6f0fee0baa24ab469750fc944d5542bdbe00e50f8cada3
Instruction Fuzzy Hash: 89D02B7E5080009AD605CD35DC95911F3B3F2D6720F4D8E05F095C2408D73BC315A132

Function 6CEC2640 Relevance: 44.2, APIs: 15, Strings: 10, Instructions: 411COMMON

Download Yara Rule

APIs

PyDict_New.PYTHON27 ref: 6CEC2657
PyDict_SetItemString.PYTHON27(00000000,subject,00000000), ref: 6CEC2699

Strings

issuer, xrefs: 6CEC26EA
subjectAltName, xrefs: 6CEC29A9
notAfter, xrefs: 6CEC2961
version, xrefs: 6CEC2747
subject, xrefs: 6CEC2693
notBefore, xrefs: 6CEC28C0
serialNumber, xrefs: 6CEC2809
crlDistributionPoints, xrefs: 6CEC2AB5
caIssuers, xrefs: 6CEC2A6A
OCSP, xrefs: 6CEC2A0F

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Dict_$ItemString
String ID: OCSP$caIssuers$crlDistributionPoints$issuer$notAfter$notBefore$serialNumber$subject$subjectAltName$version
API String ID: 1169755417-3036028867
Opcode ID: 69ae59b7e478e1659b2bda66adab4d4de7bdb5ab5a6c30f8898044503eb3af2f
Instruction ID: e2afc49c4630697ccbfeaba7e3b44e3a05349eeaa90e8010e1621a6dbf4a5e29
Opcode Fuzzy Hash: 69ae59b7e478e1659b2bda66adab4d4de7bdb5ab5a6c30f8898044503eb3af2f
Instruction Fuzzy Hash: A7D1E671B002019BD7108FA4CEC4ADB73B4EF55328F259668E92547781EB35DE46CB93

Function 6CEC4B00 Relevance: 38.8, APIs: 18, Strings: 4, Instructions: 313COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 6CEC4B3D
_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,|OOO:load_verify_locations,6CFC53B4,?,?,?), ref: 6CEC4B62
PyErr_SetString.PYTHON27(?,cafile, capath and cadata cannot be all omitted), ref: 6CEC4BC7

Strings

cadata should be a contiguous buffer with a single dimension, xrefs: 6CEC4D0E
cadata should be an ASCII string or a bytes-like object, xrefs: 6CEC4D3D
cafile, capath and cadata cannot be all omitted, xrefs: 6CEC4BBA
|OOO:load_verify_locations, xrefs: 6CEC4B5B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Arg_Err_Keywords_ParseSizeStringTuple_errno
String ID: cadata should be a contiguous buffer with a single dimension$cadata should be an ASCII string or a bytes-like object$cafile, capath and cadata cannot be all omitted$|OOO:load_verify_locations
API String ID: 3659128005-2120920770
Opcode ID: 4c21733ca4cb80ebfd3e0f946903f8f2bdd2e87c537d321a29ccffa8323e63f0
Instruction ID: 07b12fefca81a29d4444c0d1e7f7335788970befb5255f0331a830bb4c1d9586
Opcode Fuzzy Hash: 4c21733ca4cb80ebfd3e0f946903f8f2bdd2e87c537d321a29ccffa8323e63f0
Instruction Fuzzy Hash: 8BB1C271F002059FDB04DFA8CA84BAEB7B5FF85318F31822AE92597740D7359A45CB92

Function 6CEC4550 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 279threadCOMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 6CEC459F
_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,et|OO:load_cert_chain,6CFC5304,?,?,?,?), ref: 6CEC45D1
PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6CEC4605
PyUnicodeUCS2_AsEncodedString.PYTHON27(00000000,?,00000000), ref: 6CEC4622
PyCallable_Check.PYTHON27(?), ref: 6CEC4659
PyEval_SaveThread.PYTHON27 ref: 6CEC46A5
PyEval_RestoreThread.PYTHON27(?), ref: 6CEC46CD
_errno.MSVCR90 ref: 6CEC46EB
PyErr_SetFromErrno.PYTHON27 ref: 6CEC4702
PyEval_SaveThread.PYTHON27 ref: 6CEC473D
PyEval_RestoreThread.PYTHON27(?), ref: 6CEC476B
_errno.MSVCR90 ref: 6CEC4789
PyErr_SetFromErrno.PYTHON27 ref: 6CEC47A1
PyMem_Free.PYTHON27(?), ref: 6CEC4845
PyMem_Free.PYTHON27(?), ref: 6CEC484B
PyMem_Free.PYTHON27(?), ref: 6CEC488A
PyMem_Free.PYTHON27(?), ref: 6CEC4890

Strings

password should be a string or callable, xrefs: 6CEC4674
et|OO:load_cert_chain, xrefs: 6CEC45CA

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Eval_FreeMem_Thread$From_errno$Err_ErrnoRestoreSaveUnicode$Arg_Callable_CheckEncodedKeywords_ObjectParseSizeStringTuple
String ID: et|OO:load_cert_chain$password should be a string or callable
API String ID: 3791093290-3981768526
Opcode ID: 64bf706a8f5c3787180ee2753730bac1ca27ba4ae0218200ab012dffcc0daffa
Instruction ID: fa8fa652319877e6ce9106168d2761a79fab4160d9954f323c7d6b1f2e882c4f
Opcode Fuzzy Hash: 64bf706a8f5c3787180ee2753730bac1ca27ba4ae0218200ab012dffcc0daffa
Instruction Fuzzy Hash: D5B16BB5F102099FCB04DFA4D9849AEB7B5FB4A718B30811AF82597700D735EA51CFA2

Function 6CEC1C30 Relevance: 35.4, APIs: 14, Strings: 6, Instructions: 393COMMON

Download Yara Rule

APIs

PyList_New.PYTHON27(00000000), ref: 6CEC1CB6

Strings

Registered ID, xrefs: 6CEC1F01
DirName, xrefs: 6CEC1DE4
<INVALID>, xrefs: 6CEC1F42
Unknown general name type, xrefs: 6CEC1F9F
p~, xrefs: 6CEC1F2B
URI, xrefs: 6CEC1E90

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: List_
String ID: <INVALID>$DirName$Registered ID$URI$Unknown general name type$p~
API String ID: 4215266370-2014928804
Opcode ID: 4076a0f5b847017f6f196b12132952f9840425468f359b8c45a1c2fafbe1dc8b
Instruction ID: 2616fe375486e835f9e055c136915c4a4dbd8b7aa7ce658ce1ab90355d59e909
Opcode Fuzzy Hash: 4076a0f5b847017f6f196b12132952f9840425468f359b8c45a1c2fafbe1dc8b
Instruction Fuzzy Hash: DBD1A071B053018BDB04CFA4CA85B5B77F4AF85318F24462DE9298B781EB75E905CB93

Function 6CF66950 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 6CF66981
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 6CF669CB
FreeLibrary.KERNEL32(00000000), ref: 6CF669D4
GetProcAddress.KERNEL32(00000000,Module32First), ref: 6CF669E7
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 6CF669F5
FreeLibrary.KERNEL32(00000000), ref: 6CF66A0B
CloseHandle.KERNEL32(00000000), ref: 6CF66A38
FreeLibrary.KERNEL32(00000000), ref: 6CF66A3F
CloseHandle.KERNEL32(00000000), ref: 6CF66A80
FreeLibrary.KERNEL32(00000000), ref: 6CF66A87
CloseHandle.KERNEL32(00000000), ref: 6CF66AA1
FreeLibrary.KERNEL32(00000000), ref: 6CF66AA8
memcpy.MSVCR90(?,?,?), ref: 6CF66ADF

Strings

KERNEL32.DLL, xrefs: 6CF6697C
Module32First, xrefs: 6CF669E1
CreateToolhelp32Snapshot, xrefs: 6CF669C5
Module32Next, xrefs: 6CF669E9
C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c, xrefs: 6CF66997

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Library$Free$AddressCloseHandleProc$Loadmemcpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c$CreateToolhelp32Snapshot$KERNEL32.DLL$Module32First$Module32Next
API String ID: 3784454856-1517652985
Opcode ID: 0444d7138ff3b03b185df6e9eb029d2075d0115d6c79a28ad03d746defc16ff2
Instruction ID: 2313a0be28f055855695cb793a0a547f9998e2e5d524263ae916604d2a46f9fd
Opcode Fuzzy Hash: 0444d7138ff3b03b185df6e9eb029d2075d0115d6c79a28ad03d746defc16ff2
Instruction Fuzzy Hash: 6C41D532B40119ABCB109B65DC8CBDF77B4EF4A314F0442A9F90AD7A80DB359A46CB91

Function 00403DE0 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 180stringCOMMON

Download Yara Rule

APIs

Py_SetProgramName.PYTHON27 ref: 00403E3E
strlen.MSVCRT ref: 00403E5A
strncpy.MSVCRT ref: 00403E6E
Py_Initialize.PYTHON27 ref: 00403EA6
free.MSVCRT ref: 00403F37
PyErr_Occurred.PYTHON27 ref: 00403F3C
strlen.MSVCRT ref: 00403F50
strncpy.MSVCRT ref: 00403F64
strlen.MSVCRT ref: 00403FE0
strncat.MSVCRT ref: 00403FF4
Py_SetPythonHome.PYTHON27 ref: 0040405E

Strings

base, xrefs: 00403FB1
_lib, xrefs: 00403FBB
.zip, xrefs: 00403FCF
rary, xrefs: 00403FC5

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strlen$strncpy$Err_HomeInitializeNameOccurredProgramPythonfreestrncat
String ID: .zip$_lib$base$rary
API String ID: 4172513644-23906921
Opcode ID: b55798043e5a0df401c4117ddb03c2adf06e6b3e64bdd6c2b2d945946a7d70bf
Instruction ID: 14274933dd56787fdb82c6a91d81d47f866d2d9f51aee60e5476c2917c75af4e
Opcode Fuzzy Hash: b55798043e5a0df401c4117ddb03c2adf06e6b3e64bdd6c2b2d945946a7d70bf
Instruction Fuzzy Hash: FE7148B05083019AD700BF65C54526ABAE4AF84345F04CA7EE9D8AB3D1DB7C8885CB9F

Function 6CF66B00 Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 125libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 6CF66B22
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 6CF66B67
FreeLibrary.KERNEL32(00000000), ref: 6CF66B70

Strings

KERNEL32.DLL, xrefs: 6CF66B17
Module32First, xrefs: 6CF66BA5
CreateToolhelp32Snapshot, xrefs: 6CF66B61
Module32Next, xrefs: 6CF66BAD
C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c, xrefs: 6CF66B36, 6CF66B80

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c$CreateToolhelp32Snapshot$KERNEL32.DLL$Module32First$Module32Next
API String ID: 145871493-1517652985
Opcode ID: 3d529d73e07a81694cb2b32d1aa62562e7bfe2823f3e64fc3412af5d0f1123ca
Instruction ID: c676347fb0f0f3e4a2e1690a0013458ace850f00d92c70d7aca287ca924522b6
Opcode Fuzzy Hash: 3d529d73e07a81694cb2b32d1aa62562e7bfe2823f3e64fc3412af5d0f1123ca
Instruction Fuzzy Hash: B541A232B41118ABCB10EBB5EC4CBDF73B8EF49315F10419AF90997680DB359A05CB95

Function 6CF7C080 Relevance: 26.7, APIs: 8, Strings: 7, Instructions: 476COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(00001FE0,?,00000020,?,?), ref: 6CF7C4F4
memcpy.MSVCR90(00000000,?,?), ref: 6CF7C630
_time64.MSVCR90 ref: 6CF7C6E2

Strings

PUT , xrefs: 6CF7C375
CONNECT, xrefs: 6CF7C386
GET , xrefs: 6CF7C342
HEAD , xrefs: 6CF7C364
s->version <= TLS_MAX_VERSION, xrefs: 6CF7C6C2
POST , xrefs: 6CF7C353
C:\build27\cpython\externals\openssl-1.0.2t\ssl\s23_srvr.c, xrefs: 6CF7C69A, 6CF7C6CC

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy$_time64
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\s23_srvr.c$CONNECT$GET $HEAD $POST $PUT $s->version <= TLS_MAX_VERSION
API String ID: 2936696573-3503775687
Opcode ID: 50380f34bcf8f023f873a3f96cc0225b37369dc807416db8c9df1d002e0f81d7
Instruction ID: 54beca7d4c47ffa490d82bbefca4a4b46fed02606c48827fe8003b80a2e4714a
Opcode Fuzzy Hash: 50380f34bcf8f023f873a3f96cc0225b37369dc807416db8c9df1d002e0f81d7
Instruction Fuzzy Hash: 85020670A043429BE7309F69E89079ABBB1FF05308F18416BD8999BF81D375E554CBB1

Function 6CED5D40 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 319COMMON

Download Yara Rule

APIs

fseek.MSVCR90 ref: 6CED5D7A
feof.MSVCR90 ref: 6CED5D8E
ftell.MSVCR90 ref: 6CED5DA2
_fileno.MSVCR90 ref: 6CED5DCF
_setmode.MSVCR90 ref: 6CED5DE3
GetLastError.KERNEL32(C:\build27\cpython\externals\openssl-1.0.2t\crypto\bio\bss_file.c,0000019D), ref: 6CED5F52
fflush.MSVCR90 ref: 6CED601E
GetLastError.KERNEL32(C:\build27\cpython\externals\openssl-1.0.2t\crypto\bio\bss_file.c,000001B9), ref: 6CED603A

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\bio\bss_file.c, xrefs: 6CED5F4D, 6CED5F89, 6CED5FCA, 6CED6035, 6CED6061
fflush(), xrefs: 6CED604C
',', xrefs: 6CED5F6D
fopen(', xrefs: 6CED5F73

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: ErrorLast$_fileno_setmodefeoffflushfseekftell
String ID: ','$C:\build27\cpython\externals\openssl-1.0.2t\crypto\bio\bss_file.c$fflush()$fopen('
API String ID: 1079641532-2199427359
Opcode ID: bbb60f31226001cf9dfc2de213ad7d752c496ed9ad9f068bf75425f725f8927b
Instruction ID: b45c05c0bcd7d2ba9e36d4b342f6012f2e19a200f91ec2fa75f42d97da5d85ca
Opcode Fuzzy Hash: bbb60f31226001cf9dfc2de213ad7d752c496ed9ad9f068bf75425f725f8927b
Instruction Fuzzy Hash: CEA16BB17062049BD700DF5CE841BEAB7F9EF8631DF75456AED088BB40D732AA068791

Function 6CEC6150 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,s:enum_certificates,?,?), ref: 6CEC617E
PyList_New.PYTHON27(00000000), ref: 6CEC6192

Strings

s:enum_certificates, xrefs: 6CEC6165

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Arg_Keywords_List_ParseSizeTuple
String ID: s:enum_certificates
API String ID: 2451796958-680348632
Opcode ID: a56000db18b62cfcdf01cf13e346b1983e2dc3d7a4ff9d6088b7be81d972570f
Instruction ID: af3046ddef135e1069cb2eaeb569dd32d3a8bbc9ac31197a8ce425a69e485c07
Opcode Fuzzy Hash: a56000db18b62cfcdf01cf13e346b1983e2dc3d7a4ff9d6088b7be81d972570f
Instruction Fuzzy Hash: 85815FB1F002059BDB04CFA8D944AAF77B9EF85328B254269E935D7780D735ED02CB92

Function 6CEC63C0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,s:enum_crls,?,?), ref: 6CEC63EB
PyList_New.PYTHON27(00000000), ref: 6CEC63FF

Strings

s:enum_crls, xrefs: 6CEC63D5

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Arg_Keywords_List_ParseSizeTuple
String ID: s:enum_crls
API String ID: 2451796958-1859697249
Opcode ID: 1826bace73fff675a5729086033495c92c2d29d7307d9821767e4755b27f193f
Instruction ID: cd785272889e1ebd98cc32a2a5e8a309193e2779b996969592da98103866aa85
Opcode Fuzzy Hash: 1826bace73fff675a5729086033495c92c2d29d7307d9821767e4755b27f193f
Instruction Fuzzy Hash: 4F618DB1F002059BCB04CFA8D9489AF77B9EF85328B344659E929D7744D735DE02CB92

Function 6CEE0EE0 Relevance: 22.9, APIs: 10, Strings: 5, Instructions: 427stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCR90 ref: 6CEE0FC4
strncmp.MSVCR90 ref: 6CEE0FF0
memcpy.MSVCR90(?,?,?), ref: 6CEE105F
strncmp.MSVCR90 ref: 6CEE1118
memcpy.MSVCR90(?,00000000,00000002), ref: 6CEE1137
strncmp.MSVCR90 ref: 6CEE123E
memcpy.MSVCR90(?,00000000,00000002), ref: 6CEE1284
strncmp.MSVCR90 ref: 6CEE1355
strncmp.MSVCR90 ref: 6CEE136E

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\pem\pem_lib.c, xrefs: 6CEE1497, 6CEE1506
-----BEGIN , xrefs: 6CEE0FAE
-----, xrefs: 6CEE0FEA, 6CEE1384
-----END , xrefs: 6CEE1112, 6CEE1238, 6CEE134D
, xrefs: 6CEE12F6

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: strncmp$memcpy
String ID: $-----$-----BEGIN $-----END $C:\build27\cpython\externals\openssl-1.0.2t\crypto\pem\pem_lib.c
API String ID: 2549481713-920802336
Opcode ID: 2f8d34425f716b827fd6faf9207555b01a8f14dff36c312f20862fa73b87862f
Instruction ID: 8278ec851163f4419f501b5369139a5f2115563a7affa55e2c62c1183de9b7ce
Opcode Fuzzy Hash: 2f8d34425f716b827fd6faf9207555b01a8f14dff36c312f20862fa73b87862f
Instruction Fuzzy Hash: 59F1D671A042599BDB20CFA8CC807D977B4AF0D348F2481E8D90DA7B41E775AE89CF91

Function 00404C80 Relevance: 22.6, APIs: 15, Instructions: 101processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405210: MultiByteToWideChar.KERNEL32 ref: 00405249

signal.MSVCRT ref: 00404CCC
signal.MSVCRT ref: 00404CE0
signal.MSVCRT ref: 00404CF4
signal.MSVCRT ref: 00404D08
GetStartupInfoW.KERNEL32(00000000,?,?,00402A0F), ref: 00404D28
_fileno.MSVCRT ref: 00404D69
_get_osfhandle.MSVCRT ref: 00404D77
_fileno.MSVCRT ref: 00404D8B
_get_osfhandle.MSVCRT ref: 00404D93
_fileno.MSVCRT ref: 00404DA7
_get_osfhandle.MSVCRT ref: 00404DAF
GetCommandLineW.KERNEL32 ref: 00404DB8
CreateProcessW.KERNEL32 ref: 00404E01
WaitForSingleObject.KERNEL32 ref: 00404E3F
GetExitCodeProcess.KERNEL32 ref: 00404E57

Part of subcall function 00401E10: MessageBoxA.USER32 ref: 00401E5C

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: signal$_fileno_get_osfhandle$Process$ByteCharCodeCommandCreateExitInfoLineMessageMultiObjectSingleStartupWaitWide
String ID:
API String ID: 2917712702-0
Opcode ID: 04f97da4b6471231529615fe277737a2d960c5eeca71b3878ce8ae2f7f18ba33
Instruction ID: c039b241e3be979fe19aad14a7bb84f350d9c54bc61ae4a3153f7adda5648e3d
Opcode Fuzzy Hash: 04f97da4b6471231529615fe277737a2d960c5eeca71b3878ce8ae2f7f18ba33
Instruction Fuzzy Hash: D04183B45093409FD710AF69D54939EBBF0BF84308F418D2EE8D897391D7BA94898B87

Function 00403930 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

pyi-, xrefs: 004039CF

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID:
String ID: pyi-
API String ID: 0-3770392772
Opcode ID: 3991ea21385366fad50a3174c8101d38cc614240c90f5204e2e8c51596cf13b5
Instruction ID: de32975ff2c34a0d384c2c2b91ec4d8f43b36af93b0298a640d216871d4c163f
Opcode Fuzzy Hash: 3991ea21385366fad50a3174c8101d38cc614240c90f5204e2e8c51596cf13b5
Instruction Fuzzy Hash: 1B513CF46083048FD710DF29D98475ABBE4BB48305F01897AE8859B3E2D3B8D995CF5A

Function 6CEDCC70 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 100registryfilewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?), ref: 6CEDCC86
GetFileType.KERNEL32(00000000), ref: 6CEDCC93
_vsnprintf.MSVCR90 ref: 6CEDCCB1
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 6CEDCCD5
_vsnprintf.MSVCR90 ref: 6CEDCCFE
GetVersion.KERNEL32 ref: 6CEDCD0B
RegisterEventSourceA.ADVAPI32(00000000,OpenSSL), ref: 6CEDCD28
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 6CEDCD56
DeregisterEventSource.ADVAPI32(00000000), ref: 6CEDCD5D
MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 6CEDCD82

Strings

OpenSSL, xrefs: 6CEDCD21
OpenSSL: FATAL, xrefs: 6CEDCD74

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Event$FileSource_vsnprintf$DeregisterHandleMessageRegisterReportTypeVersionWrite
String ID: OpenSSL$OpenSSL: FATAL
API String ID: 3842704995-4224901669
Opcode ID: 47a2ffe74ec53d3e2f295241e23f2c2c3a21ca24a65f2d0fb95972c42fb5f3ec
Instruction ID: e29d7a854b5ff8aeb991ca2c1b2bffa8c439a96f492f42b02eea2ad48a0fd1c3
Opcode Fuzzy Hash: 47a2ffe74ec53d3e2f295241e23f2c2c3a21ca24a65f2d0fb95972c42fb5f3ec
Instruction Fuzzy Hash: 1131B471B50218ABEB149B64CC49FEE7778EF09704F104189FA0A9A2C0DBB16B85CB91

Function 0040259C Relevance: 21.1, APIs: 14, Instructions: 66COMMON

Download Yara Rule

APIs

PyImport_AddModule.PYTHON27 ref: 004025AD
PyModule_GetDict.PYTHON27 ref: 004025BE
PyDict_GetItemString.PYTHON27 ref: 004025CF
PyObject_CallFunction.PYTHON27 ref: 004025EA
PyErr_Clear.PYTHON27 ref: 004025FA
PyLong_AsLong.PYTHON27 ref: 00402608
PyErr_Occurred.PYTHON27 ref: 00402614
Py_DecRef.PYTHON27 ref: 00402621
Py_DecRef.PYTHON27 ref: 0040262A
PyErr_Print.PYTHON27 ref: 00402630
PyErr_Clear.PYTHON27 ref: 00402636
Py_DecRef.PYTHON27 ref: 0040264A
Py_DecRef.PYTHON27 ref: 00402653
PyErr_Clear.PYTHON27 ref: 00402659

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: Err_$Clear$CallDictDict_FunctionImport_ItemLongLong_ModuleModule_Object_OccurredPrintString
String ID:
API String ID: 925224682-0
Opcode ID: 8284304efd43d9ab4285c5a8999a048a53c7a993873e65a3ce520b895afff7f8
Instruction ID: 6e3fe36d3e398bcb121eacd201e11187e14c0780b5c0b7dddb2c741b5b09a4ce
Opcode Fuzzy Hash: 8284304efd43d9ab4285c5a8999a048a53c7a993873e65a3ce520b895afff7f8
Instruction Fuzzy Hash: 522150755046108FC7106F74AA4C15A7FE1FB88321B158B3DEA9AD32E0CBB48951CB9A

Function 6CF07D20 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 156windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 6CF07D30
GetDC.USER32(00000000), ref: 6CF07D50
GetDeviceCaps.GDI32(00000000,00000008), ref: 6CF07D64
GetDeviceCaps.GDI32(00000000,0000000A), ref: 6CF07D6C
CreateCompatibleBitmap.GDI32(00000000,?,00000010), ref: 6CF07D78
GetObjectA.GDI32(00000000,00000018,?), ref: 6CF07D88
GetDIBits.GDI32(?,?,00000000,00000010,00000000,00000028,00000000), ref: 6CF07E12

Part of subcall function 6CEDCB30: GetModuleHandleA.KERNEL32(FFFFFFFF,00000074,00000000,C:\build27\cpython\externals\openssl-1.0.2t\crypto\user\eng_lib.c,?,6CEDCD1D), ref: 6CEDCB51
Part of subcall function 6CEDCB30: GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 6CEDCB61
Part of subcall function 6CEDCB30: GetProcessWindowStation.USER32(00000074,00000000,C:\build27\cpython\externals\openssl-1.0.2t\crypto\user\eng_lib.c,?,6CEDCD1D), ref: 6CEDCB85
Part of subcall function 6CEDCB30: GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,6CEDCD1D), ref: 6CEDCBA0
Part of subcall function 6CEDCB30: GetLastError.KERNEL32(?,6CEDCD1D), ref: 6CEDCBAE
Part of subcall function 6CEDCB30: GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,6CEDCD1D), ref: 6CEDCBE7
Part of subcall function 6CEDCB30: wcsstr.MSVCR90 ref: 6CEDCC09

DeleteObject.GDI32(?), ref: 6CF07EC2
ReleaseDC.USER32(00000000,?), ref: 6CF07ECE

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\rand\rand_win.c, xrefs: 6CF07DC1
(, xrefs: 6CF07DC6

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Object$CapsDeviceInformationUser$AddressBitmapBitsCompatibleCreateDeleteErrorHandleLastModuleProcProcessReleaseStationVersionWindowwcsstr
String ID: ($C:\build27\cpython\externals\openssl-1.0.2t\crypto\rand\rand_win.c
API String ID: 1521540791-3691025673
Opcode ID: 06c8589362f09e10e7dd9604da4361c8cdd298199e0a7ef150720d667619f93d
Instruction ID: edb628b473fc798c3b21406f3e09bc51cd45077fdfe0896b37ff88c9ff3f40f3
Opcode Fuzzy Hash: 06c8589362f09e10e7dd9604da4361c8cdd298199e0a7ef150720d667619f93d
Instruction Fuzzy Hash: 31518B70F51209ABEB04DFA9CC95BEFB7B8EF49704F10401AE915A7380DB759905CBA1

Function 6CFA0770 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 253COMMON

Download Yara Rule

APIs

__iob_func.MSVCR90 ref: 6CFA0988
fprintf.MSVCR90 ref: 6CFA0992

Part of subcall function 6CEEA360: memset.MSVCR90 ref: 6CEEA37E

__iob_func.MSVCR90 ref: 6CFA09C9
fprintf.MSVCR90 ref: 6CFA09D3
__iob_func.MSVCR90 ref: 6CFA0A06
fprintf.MSVCR90 ref: 6CFA0A10

Part of subcall function 6CEEA260: memset.MSVCR90 ref: 6CEEA289

Strings

failure in sk_push, xrefs: 6CFA0983
C:\build27\cpython\externals\openssl-1.0.2t\crypto\txt_db\txt_db.c, xrefs: 6CFA07B5, 6CFA0906
wrong number of fields on line %ld (looking for field %d, got %d, '%s' left), xrefs: 6CFA09C4
OPENSSL_malloc failure, xrefs: 6CFA0A01

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: __iob_funcfprintf$memset
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\txt_db\txt_db.c$OPENSSL_malloc failure$failure in sk_push$wrong number of fields on line %ld (looking for field %d, got %d, '%s' left)
API String ID: 886766458-710548800
Opcode ID: edd3fa465533fbd32986b395da7352e681db99d0984d237e5ae85d95dd706247
Instruction ID: 9978048156e67474dc7d3df3a28e869e13666b702ce0aeadb42b114ccac5833a
Opcode Fuzzy Hash: edd3fa465533fbd32986b395da7352e681db99d0984d237e5ae85d95dd706247
Instruction Fuzzy Hash: 50919071E04246CFEB04CFA5D88475AFBB0EF49318F2981ADC8599B702D7B1E946CB94

Function 6CF00C50 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 180stringCOMMON

Download Yara Rule

APIs

isspace.MSVCR90 ref: 6CF00C69
isspace.MSVCR90 ref: 6CF00CA7
isspace.MSVCR90 ref: 6CF00CD7
strtoul.MSVCR90 ref: 6CF00D1A
isspace.MSVCR90 ref: 6CF00D3C
isspace.MSVCR90 ref: 6CF00D74
isspace.MSVCR90 ref: 6CF00D91

Strings

Code=, xrefs: 6CF00DC5, 6CF00DE4
,Reason=, xrefs: 6CF00DDE
C:\build27\cpython\externals\openssl-1.0.2t\crypto\ocsp\ocsp_ht.c, xrefs: 6CF00C89, 6CF00CF4, 6CF00DAD

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: isspace$strtoul
String ID: ,Reason=$C:\build27\cpython\externals\openssl-1.0.2t\crypto\ocsp\ocsp_ht.c$Code=
API String ID: 3910935903-2238531526
Opcode ID: 5f5ae01b198f54159126243a184171bac4523204e49383933636ffbe65addc2a
Instruction ID: 4522a8a0feae9e451f20e23a5314bf7ec18b9e9d12b17898be76a4d4be81502c
Opcode Fuzzy Hash: 5f5ae01b198f54159126243a184171bac4523204e49383933636ffbe65addc2a
Instruction Fuzzy Hash: 14518671B092C16AF7108F75AC61BD67BF4CF41708F1841BAECC8C7681E696E605E3A2

Function 6CF08C00 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 156COMMON

Download Yara Rule

Strings

DIR_LOAD, xrefs: 6CF08D2E
id=, xrefs: 6CF08DAC
LOAD, xrefs: 6CF08D6F
LIST_ADD, xrefs: 6CF08D5A
DIR_ADD, xrefs: 6CF08D42
OPENSSL_ENGINES, xrefs: 6CF08CE5
C:\build27\cpython\externals\openssl-1.0.2t\crypto\user\eng_list.c, xrefs: 6CF08C0E, 6CF08C9A, 6CF08D98
/usr/local/ssl/lib/engines, xrefs: 6CF08CF9
dynamic, xrefs: 6CF08C32, 6CF08CB0, 6CF08CFE, 6CF08D11, 6CF08DA7

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: /usr/local/ssl/lib/users$C:\build27\cpython\externals\openssl-1.0.2t\crypto\user\eng_list.c$DIR_ADD$DIR_LOAD$LIST_ADD$LOAD$OPENSSL_userS$dynamic$id=
API String ID: 0-1966498346
Opcode ID: 26d6fcb7d0ece6ca63083e54e80e208b88525b5239175db28a2b9b5917cf849d
Instruction ID: 6a63081bc98a998a89f06a38133aae7dd64e5523d4e5e215ee698e933705a4c3
Opcode Fuzzy Hash: 26d6fcb7d0ece6ca63083e54e80e208b88525b5239175db28a2b9b5917cf849d
Instruction Fuzzy Hash: 9A416A2274668126E70105796C727AB21A20F56F5CF2C4A37EC50DFFC2EB13CD0992D2

Function 6CEC4330 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

PyUnicodeUCS2_AsEncodedString.PYTHON27(?,00000000,00000000), ref: 6CEC434B
PyErr_Format.PYTHON27(6D38C2D8,password cannot be longer than %d bytes,7FFFFFFF), ref: 6CEC43DA
PyMem_Free.PYTHON27(?), ref: 6CEC43EC
PyMem_Malloc.PYTHON27(?), ref: 6CEC43F3
PyErr_SetString.PYTHON27(00000000,unable to allocate password buffer), ref: 6CEC4414
memcpy.MSVCR90(00000000,6D3C2788,?), ref: 6CEC443C

Strings

unable to allocate password buffer, xrefs: 6CEC440E
password cannot be longer than %d bytes, xrefs: 6CEC43D4

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Err_Mem_String$EncodedFormatFreeMallocUnicodememcpy
String ID: password cannot be longer than %d bytes$unable to allocate password buffer
API String ID: 3034729608-2395793021
Opcode ID: 533b4b519f251915035109b276029afdfc309925b0f6fa794e2e5a8b6ab2c323
Instruction ID: 4fb3b164fcc8bf40ca57279963bed7326462152cc0d4c4c4ae3d18a8d2d60925
Opcode Fuzzy Hash: 533b4b519f251915035109b276029afdfc309925b0f6fa794e2e5a8b6ab2c323
Instruction Fuzzy Hash: 2941A235B012019BD704CF58D984AAB73B8FBC63287344719E93987B40D736E956CBA2

Function 6CEDCB30 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 107libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(FFFFFFFF,00000074,00000000,C:\build27\cpython\externals\openssl-1.0.2t\crypto\user\eng_lib.c,?,6CEDCD1D), ref: 6CEDCB51
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 6CEDCB61
GetProcessWindowStation.USER32(00000074,00000000,C:\build27\cpython\externals\openssl-1.0.2t\crypto\user\eng_lib.c,?,6CEDCD1D), ref: 6CEDCB85
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?,?,6CEDCD1D), ref: 6CEDCBA0
GetLastError.KERNEL32(?,6CEDCD1D), ref: 6CEDCBAE
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?,?,6CEDCD1D), ref: 6CEDCBE7
wcsstr.MSVCR90 ref: 6CEDCC09

Strings

_OPENSSL_isservice, xrefs: 6CEDCB5B
Service-0x, xrefs: 6CEDCBFF
C:\build27\cpython\externals\openssl-1.0.2t\crypto\user\eng_lib.c, xrefs: 6CEDCB45

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\user\eng_lib.c$Service-0x$_OPENSSL_isservice
API String ID: 459917433-1028230771
Opcode ID: 2c11ac9bf8a078835ddbf05a274a4f2fa3089d4648a59733f5df506446be939e
Instruction ID: 1bc25cd4de2834f76b0e4a850f405512654d47f158088b7b81495dc6da7f5592
Opcode Fuzzy Hash: 2c11ac9bf8a078835ddbf05a274a4f2fa3089d4648a59733f5df506446be939e
Instruction Fuzzy Hash: 0C310731B00205ABDB00DBB9DC89B9F7778EB463A5F204225E926D32C0DB31AA15C795

Function 6CEC5C80 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

PyString_FromString.PYTHON27(SSL_CERT_FILE), ref: 6CEC5C99
PyString_FromString.PYTHON27(/usr/local/ssl/cert.pem), ref: 6CEC5CAD
PyString_FromString.PYTHON27(SSL_CERT_DIR), ref: 6CEC5CBE
PyString_FromString.PYTHON27(/usr/local/ssl/certs), ref: 6CEC5CCE
_Py_BuildValue_SizeT.PYTHON27(NNNN,00000000,?,00000000,00000000), ref: 6CEC5CE5

Strings

/usr/local/ssl/certs, xrefs: 6CEC5CC9
/usr/local/ssl/cert.pem, xrefs: 6CEC5CA8
SSL_CERT_FILE, xrefs: 6CEC5C91
SSL_CERT_DIR, xrefs: 6CEC5CB9
NNNN, xrefs: 6CEC5CE0

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: FromStringString_$BuildSizeValue_
String ID: /usr/local/ssl/cert.pem$/usr/local/ssl/certs$NNNN$SSL_CERT_DIR$SSL_CERT_FILE
API String ID: 640227754-3399985264
Opcode ID: 5b5126d6643e33065d6331dddde1b11f718bb3c5577b56b621d72eca43e25052
Instruction ID: 1b9ceebb8e1eb7aad12f80ecd1db0827ab1168024e38f09304688b7478cacca1
Opcode Fuzzy Hash: 5b5126d6643e33065d6331dddde1b11f718bb3c5577b56b621d72eca43e25052
Instruction Fuzzy Hash: 4621F671B022016BD7009AA99E8494B77F4AE49338B350364DD3987751D625DD02DBD3

Function 6CF3AB80 Relevance: 16.8, APIs: 5, Strings: 6, Instructions: 257COMMON

Download Yara Rule

APIs

atoi.MSVCR90(?), ref: 6CF3ABC1
atoi.MSVCR90(?), ref: 6CF3AC9B
atoi.MSVCR90(?), ref: 6CF3ACED
atoi.MSVCR90(?), ref: 6CF3AD74
atoi.MSVCR90(?), ref: 6CF3ADFD

Strings

dh_paramgen_generator, xrefs: 6CF3ACB8
dh_rfc5114, xrefs: 6CF3AC61
dh_paramgen_prime_len, xrefs: 6CF3AB87
dh_paramgen_subprime_len, xrefs: 6CF3AD40
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\pmeth_lib.c, xrefs: 6CF3AC00, 6CF3AC4A, 6CF3AE4E
dh_paramgen_type, xrefs: 6CF3ADC7

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: atoi
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\pmeth_lib.c$dh_paramgen_generator$dh_paramgen_prime_len$dh_paramgen_subprime_len$dh_paramgen_type$dh_rfc5114
API String ID: 657269090-2095898903
Opcode ID: 4fa62db877ffef529aa997a33cde8345df9021cb09a10cf2c091e764098b535e
Instruction ID: a9e72af6f9532959764c98dfd4c59823396dbc512d595b086f47a0f800542737
Opcode Fuzzy Hash: 4fa62db877ffef529aa997a33cde8345df9021cb09a10cf2c091e764098b535e
Instruction Fuzzy Hash: 6B81E7327082616BDF018E7788917A337A7AF92B5CF2C6258D95D8FAD2D627C845C3C0

Function 00401F40 Relevance: 16.5, APIs: 13, Instructions: 220stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,?,?,?,?,004023FF), ref: 00401F73
strtok.MSVCRT(?,?,?,?,?), ref: 00401F83
strcpy.MSVCRT(?,?,?,?,?), ref: 00401F8F
strtok.MSVCRT(?,?,?,?,?), ref: 00401FA3
strcpy.MSVCRT(?,?,?,?,?), ref: 00401FAF

Part of subcall function 00402A90: strlen.MSVCRT ref: 00402AA0
Part of subcall function 00402A90: strncpy.MSVCRT ref: 00402AB3
Part of subcall function 00402A90: strlen.MSVCRT ref: 00402ABB
Part of subcall function 00402A90: strrchr.MSVCRT ref: 00402AD2

malloc.MSVCRT ref: 0040222B
strcpy.MSVCRT ref: 0040224C
strcpy.MSVCRT ref: 0040226A
strcpy.MSVCRT ref: 00402282

Part of subcall function 00404B00: feof.MSVCRT ref: 00404B63
Part of subcall function 00404B00: fread.MSVCRT ref: 00404B87
Part of subcall function 00404B00: fwrite.MSVCRT ref: 00404BA8
Part of subcall function 00404B00: ferror.MSVCRT ref: 00404BB0
Part of subcall function 00404B00: clearerr.MSVCRT(?,?,?,00402048), ref: 00404BC1
Part of subcall function 00404B00: fclose.MSVCRT ref: 00404BC9
Part of subcall function 00404B00: fclose.MSVCRT ref: 00404BD1

free.MSVCRT ref: 004022DD

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strcpy$fclosestrlenstrtok$clearerrfeofferrorfreadfreefwritemallocstrncpystrrchr
String ID:
API String ID: 3828028293-0
Opcode ID: 7c8148c38fa369b09270c99f24db186f6cb578f64c8fc15fa937ef474bbc09d3
Instruction ID: a4d73d656237814dcd04340808e77ce35a8a995e884b39acc9a19a7b3963f51e
Opcode Fuzzy Hash: 7c8148c38fa369b09270c99f24db186f6cb578f64c8fc15fa937ef474bbc09d3
Instruction Fuzzy Hash: 1FA114B1408701DAC710AF25C58815EFBE4BF84354F018A2FF598AB391E7B89599DF8B

Function 00402780 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 187stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 0040279F

Part of subcall function 00402D90: GetModuleFileNameW.KERNEL32(00000000,004027CE), ref: 00402DB4

Part of subcall function 00402E40: strcpy.MSVCRT(004027E1), ref: 00402E53
Part of subcall function 00402E40: strlen.MSVCRT ref: 00402E5B

Part of subcall function 00404560: GetEnvironmentVariableW.KERNEL32(00000000,004027F9), ref: 0040459F

Part of subcall function 00404680: SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00409EFD), ref: 004046AE
Part of subcall function 00404680: free.MSVCRT ref: 004046BC

SetDllDirectoryW.KERNEL32 ref: 00402892
free.MSVCRT ref: 0040289E
strcmp.MSVCRT ref: 004028AA

Strings

x@, xrefs: 00402790

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: EnvironmentVariablefree$DirectoryFileModuleNamecallocstrcmpstrcpystrlen
String ID: x@
API String ID: 3249012681-3504578705
Opcode ID: d486fdd31f4afe26102c53015cf556989d09d3e5a7663a3437f51184b6a64bce
Instruction ID: e104b7bf5c1657f9fcfcb026d7b3760e70e9bc9fefb3156e1469a83aead3bb76
Opcode Fuzzy Hash: d486fdd31f4afe26102c53015cf556989d09d3e5a7663a3437f51184b6a64bce
Instruction Fuzzy Hash: AF714FB19097008BD710BF65C58925EBBE4EF80744F05897EE8C4A72D1DBBC9585CB4B

Function 6CEC2BD0 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 100COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON27(?,s:test_decode_certificate,?), ref: 6CEC2BEC
PyErr_SetString.PYTHON27(028CB208,Can't malloc memory to read file), ref: 6CEC2C1E

Strings

s:test_decode_certificate, xrefs: 6CEC2BE0
Can't open file, xrefs: 6CEC2C49
Error decoding PEM-encoded file, xrefs: 6CEC2C8E
Can't malloc memory to read file, xrefs: 6CEC2C18
TRUSTED CERTIFICATE, xrefs: 6CEC2C6A

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Arg_Err_ParseSizeStringTuple_
String ID: Can't malloc memory to read file$Can't open file$Error decoding PEM-encoded file$TRUSTED CERTIFICATE$s:test_decode_certificate
API String ID: 4247878537-2384835699
Opcode ID: 85a723014dfef4a62d23bb54c353892621ca3872d2b8f2d73f520a51ea91ba50
Instruction ID: f5a20d287cd1ed15874d8f91a1585e4ef6e33528e7ff7e3c34980a179ebb0305
Opcode Fuzzy Hash: 85a723014dfef4a62d23bb54c353892621ca3872d2b8f2d73f520a51ea91ba50
Instruction Fuzzy Hash: 5121EA33F0410467DB10DBA9BD459DFBB78DB8512AF24426AED08D3B01DB329A1547D7

Function 6CF67DB0 Relevance: 15.5, APIs: 2, Strings: 8, Instructions: 458COMMON

Download Yara Rule

Strings

ctx->buf_off <= (int)sizeof(ctx->buf), xrefs: 6CF67EA4, 6CF6810A
ctx->buf_len >= ctx->buf_off, xrefs: 6CF67E90, 6CF67F9D, 6CF6805C, 6CF680F6, 6CF68132, 6CF6815A, 6CF68249, 6CF68271
ctx->tmp_len <= 3, xrefs: 6CF68084
i <= n, xrefs: 6CF67EB8, 6CF6811E
VUUU, xrefs: 6CF67F6E
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\bio_b64.c, xrefs: 6CF67E9A, 6CF67EAE, 6CF67EC2, 6CF67FA7, 6CF68066, 6CF6807A, 6CF6808E, 6CF680C3, 6CF68100, 6CF68114, 6CF68128, 6CF6813C, 6CF68150, 6CF68164, 6CF68178, 6CF6818C, 6CF68253, 6CF6827B
ctx->buf_len <= (int)sizeof(ctx->buf), xrefs: 6CF68070, 6CF680B9, 6CF68146, 6CF6816E
ctx->buf_off < (int)sizeof(ctx->buf), xrefs: 6CF68182

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\bio_b64.c$VUUU$ctx->buf_len <= (int)sizeof(ctx->buf)$ctx->buf_len >= ctx->buf_off$ctx->buf_off < (int)sizeof(ctx->buf)$ctx->buf_off <= (int)sizeof(ctx->buf)$ctx->tmp_len <= 3$i <= n
API String ID: 0-3721295489
Opcode ID: e5d4827558bc07b18a2d68ca3dab8efbb4a1737e5c96742748d40ba32876de22
Instruction ID: 009424f063b02daab2c287c05aa4663a3b6f46d311898ff1dcf85df56f6596e2
Opcode Fuzzy Hash: e5d4827558bc07b18a2d68ca3dab8efbb4a1737e5c96742748d40ba32876de22
Instruction Fuzzy Hash: A6F1CF717116069BEB14CF19D980696B7A1FB85308F20863EE8298BF90D731FD5ACBD1

Function 00402B60 Relevance: 15.1, APIs: 10, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00402BA5
strncpy.MSVCRT ref: 00402BB5
strlen.MSVCRT ref: 00402BBD
strlen.MSVCRT ref: 00402BD5
strcat.MSVCRT(?,?,?,00002068,00000000,00000000,004026D6), ref: 00402BE8
strlen.MSVCRT ref: 00402C23
strlen.MSVCRT ref: 00402C2D
malloc.MSVCRT ref: 00402C39
memset.MSVCRT ref: 00402C53

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strlen$mallocmemsetstrcatstrncpy
String ID:
API String ID: 2372556553-0
Opcode ID: 1f05f27f7ca53c699f76451239f9410ff7a63fb7e991746bd5680e8f30aa2687
Instruction ID: 4e5b45eb7927c94f1d22b83f789647f1df1ceb98ced22de3d3d6df2cb3644ce9
Opcode Fuzzy Hash: 1f05f27f7ca53c699f76451239f9410ff7a63fb7e991746bd5680e8f30aa2687
Instruction Fuzzy Hash: AB2171B16187409FD710BF29C58932EBBE0EF84344F058C7EE889573C2C67994558B57

Function 6CF80EB0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 131COMMON

Download Yara Rule

APIs

_errno.MSVCR90 ref: 6CF80FA3
GetLastError.KERNEL32(C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_cert.c,0000040E), ref: 6CF80FB8
FindClose.KERNEL32(?), ref: 6CF81036
free.MSVCR90 ref: 6CF8103D

Strings

OPENSSL_DIR_read(&ctx, ', xrefs: 6CF80FD0
C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_cert.c, xrefs: 6CF80EE9, 6CF80FB3, 6CF80FE1, 6CF81006, 6CF81055
N;Zn, xrefs: 6CF8103D
%s/%s, xrefs: 6CF80F41

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: CloseErrorFindLast_errnofree
String ID: %s/%s$C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_cert.c$N;Zn$OPENSSL_DIR_read(&ctx, '
API String ID: 1454177507-1907821825
Opcode ID: 57c67857496e3ea6c59d0bdd7eaad5180209b766bd42cd270a281354564cb073
Instruction ID: 3b6738596075ddc718be9dbbe3e7fcd7dc1d9ac1e337204bb8d59633796f7134
Opcode Fuzzy Hash: 57c67857496e3ea6c59d0bdd7eaad5180209b766bd42cd270a281354564cb073
Instruction Fuzzy Hash: 39419EB0B011449BEB008B64DD81BDE7774DB0470CF0081A8FB28BBA81DBB2DF4A8795

Function 6CEDCA10 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 93stringCOMMON

Download Yara Rule

APIs

getenv.MSVCR90 ref: 6CEDCA33
sscanf.MSVCR90 ref: 6CEDCA5D
strtoul.MSVCR90 ref: 6CEDCA6D
strchr.MSVCR90 ref: 6CEDCAC6
strtoul.MSVCR90 ref: 6CEDCAE7

Strings

OPENSSL_ia32cap, xrefs: 6CEDCA24
gl, xrefs: 6CEDCAFF, 6CEDCA91
%I64i, xrefs: 6CEDCA54

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: strtoul$getenvsscanfstrchr
String ID: %I64i$OPENSSL_ia32cap$gl
API String ID: 3016710027-1490722825
Opcode ID: b635b40fd4c5acef23771e6d0515d9cdaa27b43fb7697d8a2cc864155bfea77a
Instruction ID: 3a6c4d125cbb9855eaddaf3d0f7f1cee1f3add036d067f662fb1eaa787253e28
Opcode Fuzzy Hash: b635b40fd4c5acef23771e6d0515d9cdaa27b43fb7697d8a2cc864155bfea77a
Instruction Fuzzy Hash: D83138B5F04344EFEB00DBE0CC0576A7BB5EB067CCF2A00A5D905A3B40E7756646C652

Function 6CEC4470 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 79threadCOMMON

Download Yara Rule

APIs

PyEval_RestoreThread.PYTHON27 ref: 6CEC4484
PyObject_CallFunctionObjArgs.PYTHON27(?,00000000), ref: 6CEC4497
PyErr_Format.PYTHON27(?,password cannot be longer than %d bytes,?), ref: 6CEC44DF
PyEval_SaveThread.PYTHON27 ref: 6CEC4504
PyEval_SaveThread.PYTHON27 ref: 6CEC4523
memcpy.MSVCR90(?,?,?), ref: 6CEC4537

Strings

password callback must return a string, xrefs: 6CEC44A6
password cannot be longer than %d bytes, xrefs: 6CEC44D9

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Eval_Thread$Save$ArgsCallErr_FormatFunctionObject_Restorememcpy
String ID: password callback must return a string$password cannot be longer than %d bytes
API String ID: 3573400504-1265974473
Opcode ID: ca1cf761d24fb741a628c84e17031d1e5f90be9fd05d0461a917f32151fdb315
Instruction ID: 1160d84291a159cfbc452bd68e8342d20712073f766e1f2c67b5fffc1b019bed
Opcode Fuzzy Hash: ca1cf761d24fb741a628c84e17031d1e5f90be9fd05d0461a917f32151fdb315
Instruction Fuzzy Hash: AC218375B006029BD704CF64D948B96B3B8FB46329F308726E87987B40D735E955CB92

Function 6CF76590 Relevance: 13.9, APIs: 3, Strings: 6, Instructions: 421COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,?,00000000), ref: 6CF7674F
memcpy.MSVCR90(?,?,?), ref: 6CF76A06
memcpy.MSVCR90(?,?,?), ref: 6CF76AA0

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_lib.c, xrefs: 6CF766C4
*, xrefs: 6CF768D2
*, xrefs: 6CF768F6
t, xrefs: 6CF769E5
, xrefs: 6CF76896
*, xrefs: 6CF768AE

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy
String ID: $*$*$*$C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_lib.c$t
API String ID: 3510742995-3981208282
Opcode ID: 4050f6857913e1108b869dea76f1271193801c2ae73e9ee19069a7067d3f3c7a
Instruction ID: 8a5fd241a1b878b636f73f661aecff3355f66b971dad6886a7a803d07ac5a437
Opcode Fuzzy Hash: 4050f6857913e1108b869dea76f1271193801c2ae73e9ee19069a7067d3f3c7a
Instruction Fuzzy Hash: D202B370A09395DFDB11CF68E8847DDBFB1AF12308F1881A9E495AF782C7755508C7A2

Function 6CF3C590 Relevance: 13.8, APIs: 1, Strings: 8, Instructions: 315COMMON

Download Yara Rule

APIs

atoi.MSVCR90(?), ref: 6CF3C89E

Strings

named_curve, xrefs: 6CF3C725
ecdh_cofactor_mode, xrefs: 6CF3C86A
C:\build27\cpython\externals\openssl-1.0.2t\crypto\ec\ec_pmeth.c, xrefs: 6CF3C5FD, 6CF3C7FE
ec_paramgen_curve, xrefs: 6CF3C59D
ec_param_enc, xrefs: 6CF3C6BA
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\pmeth_lib.c, xrefs: 6CF3C651, 6CF3C69F, 6CF3C8F6
ecdh_kdf_md, xrefs: 6CF3C7AF
explicit, xrefs: 6CF3C6F1

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: atoi
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\ec\ec_pmeth.c$C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\pmeth_lib.c$ec_param_enc$ec_paramgen_curve$ecdh_cofactor_mode$ecdh_kdf_md$explicit$named_curve
API String ID: 657269090-145990856
Opcode ID: e0a7b486dcf881d6e4991201c3919b9c0f5e777dd1f650a7daca9c43764b67c5
Instruction ID: 7922707423fac1bc052ed48dbbd17eb8924b567ac10156b255894dfacef76c2c
Opcode Fuzzy Hash: e0a7b486dcf881d6e4991201c3919b9c0f5e777dd1f650a7daca9c43764b67c5
Instruction Fuzzy Hash: 09A1E422B4927126E7006E398C91BA637769B4275CF2963A8DDADDFAD1E713C90583C0

Function 00404B00 Relevance: 13.6, APIs: 9, Instructions: 69fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00402E70: _wfopen.MSVCRT ref: 00402EBD

Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 004049FC
Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 00404A0F
Part of subcall function 004049D0: strtok.MSVCRT(?,?,00000000), ref: 00404A1F
Part of subcall function 004049D0: strcpy.MSVCRT(?,?,00000000), ref: 00404A73
Part of subcall function 004049D0: strtok.MSVCRT(?,?,00000000), ref: 00404A87
Part of subcall function 004049D0: _mkdir.MSVCRT ref: 00404AA5

feof.MSVCRT ref: 00404B63
fread.MSVCRT ref: 00404B87
fwrite.MSVCRT ref: 00404BA8
ferror.MSVCRT ref: 00404BB0
clearerr.MSVCRT(?,?,?,00402048), ref: 00404BC1
fclose.MSVCRT ref: 00404BC9
fclose.MSVCRT ref: 00404BD1
ferror.MSVCRT ref: 00404BE5
clearerr.MSVCRT(?,?,?,00402048), ref: 00404BFA

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strcpy$clearerrfcloseferrorstrtok$_mkdir_wfopenfeoffreadfwrite
String ID:
API String ID: 1950404359-0
Opcode ID: 7e0219a60a49a5dd7f3ffa8bcdbafe2af77f66fe998823d77456da3f0b2ce4b5
Instruction ID: 26d6a4cf61ebdb6355e6ceb81002ce2c87545b0f6dcfc6701eb30fc9d8599a57
Opcode Fuzzy Hash: 7e0219a60a49a5dd7f3ffa8bcdbafe2af77f66fe998823d77456da3f0b2ce4b5
Instruction Fuzzy Hash: FD21FFB15087409BD310BF36848525FB7E4AF84364F068A3EE9D4A73C1D77C98958B4B

Function 00403A2C Relevance: 13.5, APIs: 9, Instructions: 47COMMON

Download Yara Rule

APIs

_fileno.MSVCRT ref: 00403A44
_setmode.MSVCRT ref: 00403A5A
_fileno.MSVCRT ref: 00403A67
_setmode.MSVCRT ref: 00403A77
fflush.MSVCRT ref: 00403A84
fflush.MSVCRT ref: 00403A94
setbuf.MSVCRT ref: 00403AA9
setbuf.MSVCRT ref: 00403AC1
setbuf.MSVCRT ref: 00403AD9

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: setbuf$_fileno_setmodefflush
String ID:
API String ID: 1650367497-0
Opcode ID: 89f21892b56f0ebe04f8f4ab3193396831d21f4360e53e8cf01e6c508885f887
Instruction ID: cc43520b513ba5077f312cde79b293d2698d7df8d1e11f86a6c566b79f11c99e
Opcode Fuzzy Hash: 89f21892b56f0ebe04f8f4ab3193396831d21f4360e53e8cf01e6c508885f887
Instruction Fuzzy Hash: EB1166F66047048BD710AF75E88565AB7E0BB44309F428C3EF8D89B352D638D8598B4A

Function 6CF90BB0 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 363COMMON

Download Yara Rule

APIs

__iob_func.MSVCR90 ref: 6CF90C9D
fprintf.MSVCR90 ref: 6CF90CA7
memmove.MSVCR90(?,?,?), ref: 6CF90FE9

Strings

n >= 0, xrefs: 6CF90C1C, 6CF90D17
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_lib.c, xrefs: 6CF90C03, 6CF90CFE
C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_enc.c, xrefs: 6CF90C26, 6CF90C93, 6CF90D21
%s:%d: rec->data != rec->input, xrefs: 6CF90C98

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: __iob_funcfprintfmemmove
String ID: %s:%d: rec->data != rec->input$C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_lib.c$C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_enc.c$n >= 0
API String ID: 654915848-3493170495
Opcode ID: 107a1c8b66efc64f5f3195a79e4e77bf2b46cc577456cf07379cbdc23aee369e
Instruction ID: 261ce3f9a130a2260b3af57a0687fc0d1106239fd025e5db7bd3cd687cce0cbe
Opcode Fuzzy Hash: 107a1c8b66efc64f5f3195a79e4e77bf2b46cc577456cf07379cbdc23aee369e
Instruction Fuzzy Hash: AED1B2317093819FEB14CF29C48075AB7F1EF89318F14896DE85A8BB91D7B1E845CB92

Function 6CF8E3D0 Relevance: 12.5, APIs: 2, Strings: 6, Instructions: 466COMMON

Download Yara Rule

Strings

len <= SSL3_RT_MAX_PLAIN_LENGTH, xrefs: 6CF8E774
s->d1->mtu >= dtls1_min_mtu(s), xrefs: 6CF8E788
s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH, xrefs: 6CF8E435
C:\build27\cpython\externals\openssl-1.0.2t\ssl\d1_pkt.c, xrefs: 6CF8E77E
len == (unsigned int)ret, xrefs: 6CF8E760
C:\build27\cpython\externals\openssl-1.0.2t\ssl\d1_both.c, xrefs: 6CF8E43F, 6CF8E76A, 6CF8E792, 6CF8E889

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\d1_both.c$C:\build27\cpython\externals\openssl-1.0.2t\ssl\d1_pkt.c$len <= SSL3_RT_MAX_PLAIN_LENGTH$len == (unsigned int)ret$s->d1->mtu >= dtls1_min_mtu(s)$s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH
API String ID: 0-2834953434
Opcode ID: d93db4933272c71a140b3066c45409f8d511d58d97663efb9ac0505df0af726e
Instruction ID: 8661d7072d81568c8aff0a83518a978238c1af616afecc8493b67bb742a1e00e
Opcode Fuzzy Hash: d93db4933272c71a140b3066c45409f8d511d58d97663efb9ac0505df0af726e
Instruction Fuzzy Hash: 22020835706206DFD710CF69C884B99BBB1FF45318F2881AAD9588BB82D371E855CBD1

Function 6CFA087C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 142COMMON

Download Yara Rule

APIs

__iob_func.MSVCR90 ref: 6CFA0988
fprintf.MSVCR90 ref: 6CFA0992
__iob_func.MSVCR90 ref: 6CFA0A06

Part of subcall function 6CEEA360: memset.MSVCR90 ref: 6CEEA37E

fprintf.MSVCR90 ref: 6CFA0A10

Strings

failure in sk_push, xrefs: 6CFA0983
C:\build27\cpython\externals\openssl-1.0.2t\crypto\txt_db\txt_db.c, xrefs: 6CFA0906
OPENSSL_malloc failure, xrefs: 6CFA0A01

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: __iob_funcfprintf$memset
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\txt_db\txt_db.c$OPENSSL_malloc failure$failure in sk_push
API String ID: 886766458-1988972625
Opcode ID: 29b91dbc3fa678ddc031c1ece00b2e0592fbaecf96fa70e235469ec471a10417
Instruction ID: 97aac304fabf554055ec2a8c337c8fb30d7d6a0471d1fd7fc91dfa6c96cf6fbe
Opcode Fuzzy Hash: 29b91dbc3fa678ddc031c1ece00b2e0592fbaecf96fa70e235469ec471a10417
Instruction Fuzzy Hash: A451F571E04285CFEB04CFA5D88479EFBB0AF09308F29419DC856A7702DBB1E906CB95

Function 6CEF8D90 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 132stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCR90 ref: 6CEF8D9C
strtoul.MSVCR90 ref: 6CEF8DB9

Strings

pkix, xrefs: 6CEF8E1C
utf8only, xrefs: 6CEF8E5F
nombstr, xrefs: 6CEF8DD4
default, xrefs: 6CEF8EA2
MASK:, xrefs: 6CEF8D96

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: strncmpstrtoul
String ID: MASK:$default$nombstr$pkix$utf8only
API String ID: 3007069910-3483942737
Opcode ID: b9625521aa3b3c5871f4fd78f3b2db3e6753d2c7a5142439e6107817c65a401d
Instruction ID: 53a0e1943ace75275eadeeaa8107c420067261c511deae5827b44e4df6b4c8f0
Opcode Fuzzy Hash: b9625521aa3b3c5871f4fd78f3b2db3e6753d2c7a5142439e6107817c65a401d
Instruction Fuzzy Hash: C441A32161C1841AC7214F3A5C927A23BB79B1736CF6C0796E9B8CFB91E713C90AC391

Function 6CF265A0 Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,?,?), ref: 6CF26690
memcpy.MSVCR90(?,?,?), ref: 6CF266D9
memcpy.MSVCR90(?,?,?), ref: 6CF26707
memcpy.MSVCR90(?,?,?), ref: 6CF267DC
memcpy.MSVCR90(?,?,?), ref: 6CF26846

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\e_aes.c, xrefs: 6CF26648, 6CF2693C

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\e_aes.c
API String ID: 3510742995-2525042098
Opcode ID: 4f196298d92239470c0378332cf59b1641a045551f1f13706411697ba4ffd88b
Instruction ID: c082ae92d2ce38a7d96486caf7c2f814acdce17f71d18e76bc5334425782e31e
Opcode Fuzzy Hash: 4f196298d92239470c0378332cf59b1641a045551f1f13706411697ba4ffd88b
Instruction Fuzzy Hash: E1B190717056069BDB04CEB8E884B95F7A4FB84229F2443AAE82CCB740D735A865CBD1

Function 6CEC4E90 Relevance: 12.2, APIs: 8, Instructions: 160threadCOMMON

Download Yara Rule

APIs

PyUnicodeUCS2_FromObject.PYTHON27(?), ref: 6CEC4EAD
PyUnicodeUCS2_AsEncodedString.PYTHON27(00000000,?,00000000), ref: 6CEC4EC8
PyErr_SetFromErrnoWithFilenameObject.PYTHON27(?,?), ref: 6CEC4F1B
_errno.MSVCR90 ref: 6CEC4F2D
PyEval_SaveThread.PYTHON27 ref: 6CEC4F49

Part of subcall function 6CEC10E0: _Py_BuildValue_SizeT.PYTHON27(6CFC4B68,00000000,00000000,?,?,00000000,?,?,6CEC219D,028CB208,00000000,00000000,0000041F), ref: 6CEC1107
Part of subcall function 6CEC10E0: PyDict_GetItem.PYTHON27(028C78A0,00000000,00000000,00000000,0000041F), ref: 6CEC1122
Part of subcall function 6CEC10E0: PyErr_Clear.PYTHON27 ref: 6CEC1145
Part of subcall function 6CEC10E0: PyLong_FromLong.PYTHON27(00000000), ref: 6CEC114C
Part of subcall function 6CEC10E0: PyDict_GetItem.PYTHON27(028C7D20,00000000), ref: 6CEC1167
Part of subcall function 6CEC10E0: PyErr_Clear.PYTHON27 ref: 6CEC1187
Part of subcall function 6CEC10E0: PyUnicodeUCS2_FromFormat.PYTHON27([%S: %S] %s (_ssl.c:%d),00000000,0000041F,00000000,6CEC219D,?,?,00000000,?,?,6CEC219D), ref: 6CEC11C5
Part of subcall function 6CEC10E0: _Py_BuildValue_SizeT.PYTHON27(6CFC4BB8,00000000,00000000,00000000,00000000,0000041F), ref: 6CEC120F
Part of subcall function 6CEC10E0: PyObject_CallObject.PYTHON27(?,00000000), ref: 6CEC1227

PyEval_RestoreThread.PYTHON27(00000000), ref: 6CEC4F87
_errno.MSVCR90 ref: 6CEC4F94
PyErr_SetFromErrnoWithFilenameObject.PYTHON27(?,?), ref: 6CEC4FB0

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: From$Err_Object$Unicode$BuildClearDict_ErrnoEval_FilenameItemSizeThreadValue_With_errno$CallEncodedFormatLongLong_Object_RestoreSaveString
String ID:
API String ID: 921413074-0
Opcode ID: 67ee5921a6b8606d507b09179f64609a5f3865d89ecf736304adc8cd55ca0642
Instruction ID: 39b4f902b1617e0028c7e20d8a13bfd9afab0ecff3f6f9a54956f10a25921799
Opcode Fuzzy Hash: 67ee5921a6b8606d507b09179f64609a5f3865d89ecf736304adc8cd55ca0642
Instruction Fuzzy Hash: A4511971B002009FD704DFA4DD86B6B7379EB85329F314259E9258B741DB36E905CB92

Function 004046D0 Relevance: 12.1, APIs: 8, Instructions: 55stringCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,00000000,00000000,?,004047C2), ref: 004046F6

Part of subcall function 00405070: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,004051C2), ref: 004050B9

_getpid.MSVCRT ref: 0040471C
sprintf.MSVCRT ref: 00404730
_tempnam.MSVCRT ref: 0040473C
_mkdir.MSVCRT ref: 00404747
free.MSVCRT ref: 00404753
strcpy.MSVCRT ref: 00404777
free.MSVCRT ref: 0040477F

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: free$ByteCharMultiPathTempWide_getpid_mkdir_tempnamsprintfstrcpy
String ID:
API String ID: 4026032204-0
Opcode ID: bfb661e26455249228b8b0a51985220d4e7b1b1ba0b227356fb7795986ffe2f5
Instruction ID: 8af45b2eb4d8999d0f30d607f7cb0d6f007660f1bfc7651df242240114390b61
Opcode Fuzzy Hash: bfb661e26455249228b8b0a51985220d4e7b1b1ba0b227356fb7795986ffe2f5
Instruction Fuzzy Hash: 07113AB25083009BD311BF65D58925EBBE4EF84354F01883FF9C8A3282D7798459CB97

Function 6CEC48B0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 206COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON27(?,Empty certificate data), ref: 6CEC48D5
PyErr_SetString.PYTHON27(?,Certificate data is too long.), ref: 6CEC48FD

Strings

Can't allocate buffer, xrefs: 6CEC4929
Empty certificate data, xrefs: 6CEC48CF
Certificate data is too long., xrefs: 6CEC48F7
CERTIFICATE, xrefs: 6CEC49D1

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Err_String
String ID: CERTIFICATE$Can't allocate buffer$Certificate data is too long.$Empty certificate data
API String ID: 1450464846-1470385116
Opcode ID: 1b32d1aba1668f85573705b5e5d2ba0e015aceefec5f09fe7fecb915c277ef52
Instruction ID: 608f2f0a369ff2369162a8e3718894ec170a4fefab4bc6e17dc38a2a32f88d9c
Opcode Fuzzy Hash: 1b32d1aba1668f85573705b5e5d2ba0e015aceefec5f09fe7fecb915c277ef52
Instruction Fuzzy Hash: EB51D433B046015BC7109AA99981B6FB3B5DBC427CF38472EF92887B80EB35D8458697

Function 6CEE08D0 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 181stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCR90 ref: 6CEE091B
strncmp.MSVCR90 ref: 6CEE095E

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\pem\pem_lib.c, xrefs: 6CEE092E, 6CEE0971, 6CEE09AC, 6CEE09E2, 6CEE0A43
ENCRYPTED, xrefs: 6CEE0958
Proc-Type: , xrefs: 6CEE0915
DEK-Info: , xrefs: 6CEE09C9

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: strncmp
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\pem\pem_lib.c$DEK-Info: $ENCRYPTED$Proc-Type:
API String ID: 1114863663-1788503653
Opcode ID: fc51348d01d2f25f0b644a39f7f77960c0c01efaae39b1cb7fab01faf546eaf0
Instruction ID: 3f8171a9797e116ead4773e2233e50011f637f86af4f8ea5f8a7ccb4505e349b
Opcode Fuzzy Hash: fc51348d01d2f25f0b644a39f7f77960c0c01efaae39b1cb7fab01faf546eaf0
Instruction Fuzzy Hash: 81415A727892992EF7108E69AC01BD5B7A4D7847ACF340437ED8CCBB81EA6795068394

Function 6CECA530 Relevance: 10.6, APIs: 7, Instructions: 126COMMON

Download Yara Rule

APIs

isalnum.MSVCR90 ref: 6CECA593
isdigit.MSVCR90 ref: 6CECA5B4
isspace.MSVCR90 ref: 6CECA5DD
isspace.MSVCR90 ref: 6CECA5EC
isspace.MSVCR90 ref: 6CECA604
isspace.MSVCR90 ref: 6CECA620
isspace.MSVCR90 ref: 6CECA636

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: isspace$isalnumisdigit
String ID:
API String ID: 2198966314-0
Opcode ID: 1b6f7ea116eba00357383984092ac0cdbb4488411dc0f9460423a801f717609d
Instruction ID: 0d49bedc401d7e190ff75dd5755958f96fffdfb017a8cbc0e751965ded6bedb2
Opcode Fuzzy Hash: 1b6f7ea116eba00357383984092ac0cdbb4488411dc0f9460423a801f717609d
Instruction Fuzzy Hash: FE4106E0E483A95AEB218B358E847977BB49F0230CF2841E5DCB946742F635DA54CB93

Function 6CF66850 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 85stringCOMMON

Download Yara Rule

APIs

strstr.MSVCR90 ref: 6CF66879
strstr.MSVCR90 ref: 6CF66888
strstr.MSVCR90 ref: 6CF66897
sprintf.MSVCR90 ref: 6CF66905
sprintf.MSVCR90 ref: 6CF6691F

Strings

%s.dll, xrefs: 6CF668FF
C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c, xrefs: 6CF668C0, 6CF668DC

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: strstr$sprintf
String ID: %s.dll$C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c
API String ID: 1893147179-298671333
Opcode ID: 86914afcfc62f17d4df0f58e9aa870f09c739a517aa5c23f5000fca7aac5172f
Instruction ID: ad3de79486f5774722f736ff406fbdab383edb8351f779bad173429ea4313414
Opcode Fuzzy Hash: 86914afcfc62f17d4df0f58e9aa870f09c739a517aa5c23f5000fca7aac5172f
Instruction Fuzzy Hash: DC21D832B052146BDB00DA699C09BDA7378DF46319F1A41B5FD08EBB00E677AF1987D1

Function 6CEF6D10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCR90 ref: 6CEF6D3C
strncmp.MSVCR90 ref: 6CEF6D68
isspace.MSVCR90 ref: 6CEF6D81
isspace.MSVCR90 ref: 6CEF6D96

Strings

DER:, xrefs: 6CEF6D36
ASN1:, xrefs: 6CEF6D62

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: isspacestrncmp
String ID: ASN1:$DER:
API String ID: 1160233906-1445514312
Opcode ID: 2ae188263acf7e899d559d9b3ce496afd3bc3c13e7c08caf550f482714ebda9c
Instruction ID: a3decf515267b884fcc121268a88133747b7cd8db4bea9ca78049ed048513bd1
Opcode Fuzzy Hash: 2ae188263acf7e899d559d9b3ce496afd3bc3c13e7c08caf550f482714ebda9c
Instruction Fuzzy Hash: 32112B317082245FD3019E299C55BD737BDDF4235CB2A4161EC58CBB11F623E509C6E1

Function 00403C81 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00403CAE
_strdup.MSVCRT ref: 00403CB6
malloc.MSVCRT ref: 00403CD5
setlocale.MSVCRT ref: 00403CF5
free.MSVCRT ref: 00403D29
setlocale.MSVCRT ref: 00403D6B
free.MSVCRT ref: 00403D73

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: setlocale$free$_strdupmalloc
String ID:
API String ID: 622151147-0
Opcode ID: fe528c372a3c8d173d729cf9cb558beef77a9bc97ea738a27b0864ff348611af
Instruction ID: 68c60b90b3b600dc1113df833d63427205b546dfef12d4db0e67074f200f9145
Opcode Fuzzy Hash: fe528c372a3c8d173d729cf9cb558beef77a9bc97ea738a27b0864ff348611af
Instruction Fuzzy Hash: 8021F6B19083018FD700BF65D54532EBFE4AF84359F058C3EE9C8A7291E37D99558B8A

Function 00404800 Relevance: 10.6, APIs: 7, Instructions: 70stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(00000000,00000000,?,00000000,00402A75), ref: 00404825
strlen.MSVCRT ref: 0040482D
_findfirst.MSVCRT(00000000,00000000,?,00000000,00402A75), ref: 00404869
_findnext.MSVCRT ref: 004048C7
_findclose.MSVCRT ref: 004048DB
_rmdir.MSVCRT ref: 004048EB
strlen.MSVCRT ref: 00404917

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strlen$_findclose_findfirst_findnext_rmdirstrcpy
String ID:
API String ID: 3562715594-0
Opcode ID: 2dbbbe8cf3e2b3a7e0de0e1cce5bdd052717f65bdb620466f24c1fb4e7b5b20e
Instruction ID: a9f9e793eeeb33f534e218ca316462fb85fcee30f47b237a2dfaca896a0b628e
Opcode Fuzzy Hash: 2dbbbe8cf3e2b3a7e0de0e1cce5bdd052717f65bdb620466f24c1fb4e7b5b20e
Instruction Fuzzy Hash: D5216BB56087448BC720BF3AD48469FB7E5FF85310F50893EE588D3381DA3998558B8B

Function 6CEC2CE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON27(?,|O:peer_certificate,?), ref: 6CEC2CF9
PyErr_SetString.PYTHON27(?,handshake not done yet), ref: 6CEC2D21

Strings

|O:peer_certificate, xrefs: 6CEC2CF0
handshake not done yet, xrefs: 6CEC2D1B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Arg_Err_ParseSizeStringTuple_
String ID: handshake not done yet$|O:peer_certificate
API String ID: 4247878537-4228739425
Opcode ID: 01add861bb238b31728277b8138ce83b2eb058a92955ef8782353143e38a975c
Instruction ID: 25477d7b0d6647a98e1e94c68a9a4b4104cd734f14d7d862ca656ae7ecfe7cb0
Opcode Fuzzy Hash: 01add861bb238b31728277b8138ce83b2eb058a92955ef8782353143e38a975c
Instruction Fuzzy Hash: C211E730B142089BDB10CF68D908BE677F8EB56319F14169EEC0D83B11D732AA54C7C2

Function 6CEDCDA0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

Part of subcall function 6CEDCC70: GetStdHandle.KERNEL32(000000F4,?), ref: 6CEDCC86
Part of subcall function 6CEDCC70: GetFileType.KERNEL32(00000000), ref: 6CEDCC93
Part of subcall function 6CEDCC70: _vsnprintf.MSVCR90 ref: 6CEDCCB1
Part of subcall function 6CEDCC70: WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 6CEDCCD5

raise.MSVCR90 ref: 6CEDCDAF
_exit.MSVCR90 ref: 6CEDCDBA
__iob_func.MSVCR90 ref: 6CEDCDD0

Strings

pointer != NULL, xrefs: 6CEDCDA0
%s(%d): OpenSSL internal error, assertion failed: %s, xrefs: 6CEDCDA3
C:\build27\cpython\externals\openssl-1.0.2t\crypto\cryptlib.c, xrefs: 6CEDCDA2

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: File$HandleTypeWrite__iob_func_exit_vsnprintfraise
String ID: %s(%d): OpenSSL internal error, assertion failed: %s$C:\build27\cpython\externals\openssl-1.0.2t\crypto\cryptlib.c$pointer != NULL
API String ID: 4116638147-424108656
Opcode ID: 8bb15c07579166b745d7b9c83636e011bd25071c4d48e87fb7c1e4ae7f4b63d8
Instruction ID: fc30d99c809e164ad26c2a580f855d41cea5b7df1caaa164abbdd10b4f0905ac
Opcode Fuzzy Hash: 8bb15c07579166b745d7b9c83636e011bd25071c4d48e87fb7c1e4ae7f4b63d8
Instruction Fuzzy Hash: A6C012F0B101067FFA4427648C1EF3B3538EB42705F426408F30285581C9521A118579

Function 6CF663A0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c, xrefs: 6CF663BA, 6CF6642E, 6CF66451, 6CF6646C

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c
API String ID: 0-1432767543
Opcode ID: edb3f9e48338dc1832159277de928a03bce90058eebfa4a7e21e2e5d0e2e4bc8
Instruction ID: bd5f13cb057c3a3a9c9ac915b3eb86f97392e53e638d619b74165c4fbc70aa9f
Opcode Fuzzy Hash: edb3f9e48338dc1832159277de928a03bce90058eebfa4a7e21e2e5d0e2e4bc8
Instruction Fuzzy Hash: 5F918F71B00205AFDB04CF69D885B9A77B0FB48308F248269E908CBB45E771E996CBD1

Function 6CEE8560 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 165COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(00000000,00000000,6CEC14B5,00000000,?,00000000,?,?,6CED753B,00000000,00000000), ref: 6CEE85E2
memcpy.MSVCR90(00000000,00000000,00000002,00000000,?,00000000,?,?,6CED753B,00000000,00000000), ref: 6CEE8643
memcpy.MSVCR90(00000000,?,00000002,00000000,?,00000000,?,?,6CED753B,00000000,00000000), ref: 6CEE8689

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\objects\obj_lib.c, xrefs: 6CEE859A, 6CEE85BD, 6CEE8627, 6CEE8671, 6CEE86C3
;ul, xrefs: 6CEE86B9
;ul, xrefs: 6CEE8568, 6CEE85D2, 6CEE8681, 6CEE8691, 6CEE863A, 6CEE864B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy
String ID: ;ul$;ul$C:\build27\cpython\externals\openssl-1.0.2t\crypto\objects\obj_lib.c
API String ID: 3510742995-1877206298
Opcode ID: dea0525fcbb34da12e472a0cc9359848f392cf5724af39ada5a2e548f9e451d0
Instruction ID: c11007a52497bcfd113d4c22131c270fc6c991912a56a3e4b78e5cbb0a9a3909
Opcode Fuzzy Hash: dea0525fcbb34da12e472a0cc9359848f392cf5724af39ada5a2e548f9e451d0
Instruction Fuzzy Hash: EE51A572A002059BDB10DF5DD840A9AB7B5EF8925CF3585AEDC189BB01E771ED05CBC0

Function 6CEE2A20 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 408COMMON

Download Yara Rule

APIs

isdigit.MSVCR90 ref: 6CEE2B6E
isdigit.MSVCR90 ref: 6CEE2BDB

Strings

:l, xrefs: 6CEE2AC3
*, xrefs: 6CEE2C09
*, xrefs: 6CEE2B96

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: isdigit
String ID: :l$*$*
API String ID: 2326231117-3791800508
Opcode ID: 441c63f8a5c81aaa7c420d9394ddbffea7a51918d2dfd068417717b1cd7dbe9d
Instruction ID: bb60ed51218b32500f5da7ce55a31579d5e5acb3c69d3bcbed83510fe85f9128
Opcode Fuzzy Hash: 441c63f8a5c81aaa7c420d9394ddbffea7a51918d2dfd068417717b1cd7dbe9d
Instruction Fuzzy Hash: 72E19CB06482029FD314CF18C888A6BBBF5FB9E398F644A1DF99987760D331D941CB52

Function 0040A620 Relevance: 9.2, APIs: 6, Instructions: 158stringCOMMON

Download Yara Rule

APIs

_stat.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00404ABC,?), ref: 0040A645
strlen.MSVCRT ref: 0040A6A7
malloc.MSVCRT ref: 0040A6ED
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00404ABC,?), ref: 0040A702
_stat.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,00404ABC,?), ref: 0040A717
free.MSVCRT ref: 0040A729

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: _stat$freemallocmemcpystrlen
String ID:
API String ID: 2821670080-0
Opcode ID: 288579020997fa0010920ee95a4426fe6108d227bef78f017b784bfb37d74e3a
Instruction ID: 2a6783eb98c8a97f91c7dab9c1c018cf784cb8e0381fd108a659056ea1bb8cf7
Opcode Fuzzy Hash: 288579020997fa0010920ee95a4426fe6108d227bef78f017b784bfb37d74e3a
Instruction Fuzzy Hash: 95516D715083458FD720DE288081767BBF1AB55354F58893BE8D8A73C1D33ED8A69B4B

Function 6CF28EE0 Relevance: 9.2, APIs: 5, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 6CF28F1B
memset.MSVCR90 ref: 6CF28F36

Part of subcall function 6CF1D400: memcpy.MSVCR90(?,?,?,?,?,?,?,?,6CEFA9C0,?), ref: 6CF1D444

memcpy.MSVCR90(?,?,?), ref: 6CF28F7F
memset.MSVCR90 ref: 6CF28FA6
memset.MSVCR90 ref: 6CF28FF6

Strings

j, xrefs: 6CF28FE0

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memset$memcpy
String ID: j
API String ID: 368790112-2137352139
Opcode ID: 147fd61e64b373eadf639d8de8b66ff941f8b58b081b2f0a2d9ee6c377a576b4
Instruction ID: eac807a104faa3340fd91555184aeb068428eea295593e89debd05ed2e0bf254
Opcode Fuzzy Hash: 147fd61e64b373eadf639d8de8b66ff941f8b58b081b2f0a2d9ee6c377a576b4
Instruction Fuzzy Hash: 9751F5B2700304ABDB14CF6DD840BDEB7A5AF44308F10851DE95A9BA81DB79FA198BC1

Function 004097C0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 004097FB
signal.MSVCRT ref: 00409852
signal.MSVCRT ref: 0040989D
signal.MSVCRT ref: 004098C5

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 532ee5b54350ce70bdd1106a76f6d06ddd669e1cbb891edb7e2e0f643126e5aa
Instruction ID: 9d308533a8223dfef7a89781035b754c20cf20f4fabe4e2d4f00fdb0abfba49e
Opcode Fuzzy Hash: 532ee5b54350ce70bdd1106a76f6d06ddd669e1cbb891edb7e2e0f643126e5aa
Instruction Fuzzy Hash: A82153B25142009AE710BFA5C5403AF7694AB46354F12CC2BD594AB3C3C77D8C84879B

Function 004049D0 Relevance: 9.1, APIs: 6, Instructions: 77stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 004049FC
strcpy.MSVCRT(?,?,00000000,0040188F,?,?,?,?,?,?,004023E6), ref: 00404A0F
strtok.MSVCRT(?,?,00000000), ref: 00404A1F
strcpy.MSVCRT(?,?,00000000), ref: 00404A73
strtok.MSVCRT(?,?,00000000), ref: 00404A87
_mkdir.MSVCRT ref: 00404AA5

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strcpy$strtok$_mkdir
String ID:
API String ID: 282790443-0
Opcode ID: 7974ecabf02546f031a8d0c50aa10801c90b2676b543c811c044bd71695961ef
Instruction ID: bc7f6ab74147c8da80bf5d81ea8fc10b92e5ddafd3e107eff54335975dc46d33
Opcode Fuzzy Hash: 7974ecabf02546f031a8d0c50aa10801c90b2676b543c811c044bd71695961ef
Instruction Fuzzy Hash: 482150B16497018BD700AF6AC58526EF7E4EF84304F45883FE6C4A7285E77C944A9B8B

Function 6CEC6640 Relevance: 9.1, APIs: 6, Instructions: 69threadCOMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON27(000000A4,?,00000000,6CEC6807), ref: 6CEC665E
PyErr_NoMemory.PYTHON27(6CEC6807), ref: 6CEC6670
memset.MSVCR90 ref: 6CEC668C
PyThread_allocate_lock.PYTHON27(?,?,?,6CEC6807), ref: 6CEC66A0
PyThread_free_lock.PYTHON27(?,?,?,?,?,6CEC6807), ref: 6CEC6709
PyMem_Free.PYTHON27(0259DF10,?,?,?,6CEC6807), ref: 6CEC671B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Mem_$Err_FreeMallocMemoryThread_allocate_lockThread_free_lockmemset
String ID:
API String ID: 102247521-0
Opcode ID: 0929f78c615008cbffae1ecea5f811db6ff1e6763c415cd90906250565fa1bc3
Instruction ID: 96c4c12bbdde37441ed522f6be04d902f7e5823d8f11b24059c8dd83377a375b
Opcode Fuzzy Hash: 0929f78c615008cbffae1ecea5f811db6ff1e6763c415cd90906250565fa1bc3
Instruction Fuzzy Hash: 99216DB1700311CBEF188FA5ED8A757B379EBA2318F250029D82587740D772E596CB93

Function 00404249 Relevance: 9.0, APIs: 6, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 004015D0: ntohl.WS2_32(?,?,00000000,?,0040235F), ref: 004015E2

PyObject_CallFunction.PYTHON27 ref: 004042BA
PyImport_ExecCodeModule.PYTHON27 ref: 004042CA
PyErr_Occurred.PYTHON27 ref: 004042D4
PyErr_Print.PYTHON27 ref: 004042DE
PyErr_Clear.PYTHON27 ref: 004042E4
free.MSVCRT ref: 004042ED

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: Err_$CallClearCodeExecFunctionImport_ModuleObject_OccurredPrintfreentohl
String ID:
API String ID: 3585998205-0
Opcode ID: 60baf2f9217d2f94e8eed3dd1223d0ee593e1622d4b4fe483cf9a75bc669b227
Instruction ID: d0628bf1265d13cb8c1340164ce23b724344fd6fb48e1b9d61b2c82ec203e44c
Opcode Fuzzy Hash: 60baf2f9217d2f94e8eed3dd1223d0ee593e1622d4b4fe483cf9a75bc669b227
Instruction Fuzzy Hash: 2311E9B1508705CFC710AF36D94425EBBE0AF84751F058A3EE999D7390DB38D841CB5A

Function 6CF02FC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509v3\v3_utl.c, xrefs: 6CF02FDA, 6CF0300A, 6CF03022, 6CF0311A, 6CF0314E

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509v3\v3_utl.c
API String ID: 0-4287803440
Opcode ID: 3555383d00592e2147176c81e3198b6d91d13e20df5a7218bc7f5d521a43c5d1
Instruction ID: 3ae89dd4aa2411e8265b2f31eba2acc444730800708b28a1181efa98edc0eb20
Opcode Fuzzy Hash: 3555383d00592e2147176c81e3198b6d91d13e20df5a7218bc7f5d521a43c5d1
Instruction Fuzzy Hash: F041AF32F051446FE7008A79EC75BDA77E5CB8275DF1900B9E848CB782E6239A0D93C1

Function 6CF64C60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

isupper.MSVCR90 ref: 6CF64CA4
tolower.MSVCR90 ref: 6CF64CB2
isupper.MSVCR90 ref: 6CF64CF9
tolower.MSVCR90 ref: 6CF64D07

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\asn1\asn_mime.c, xrefs: 6CF64D49, 6CF64D5B, 6CF64D7D

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: isuppertolower
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\asn1\asn_mime.c
API String ID: 2435887076-673838732
Opcode ID: f0b8a3d0ffa8f9417ac9616f0273e74bf973201aed7363b2130f41e5104469e7
Instruction ID: 89d6803cbe4e7865d7e29475891e8140925dfcc0c00af69d92a09af2d9e68e33
Opcode Fuzzy Hash: f0b8a3d0ffa8f9417ac9616f0273e74bf973201aed7363b2130f41e5104469e7
Instruction Fuzzy Hash: 9F415A72E042426BE711DF6A8C54B677FF8EB42708F280279ED55C7F41E662C50483A5

Function 6CED0AD0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strerror.MSVCR90 ref: 6CED0B8E
strncpy.MSVCR90 ref: 6CED0B9F

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\err\err.c, xrefs: 6CED0ADE, 6CED0B07, 6CED0B1F, 6CED0B3B, 6CED0B64, 6CED0BE3
Operation not permitted, xrefs: 6CED0B7B, 6CED0B9E
unknown, xrefs: 6CED0BB3

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: strerrorstrncpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\err\err.c$Operation not permitted$unknown
API String ID: 966412381-4110579380
Opcode ID: 08d1907831f86e556e6f697d18616af51fc9d4d9512e2d2a305d5fb06159720d
Instruction ID: 4fea387f7af9b8ffe7b57991ebd2186626121336218d08a1f5b4387df2cd585e
Opcode Fuzzy Hash: 08d1907831f86e556e6f697d18616af51fc9d4d9512e2d2a305d5fb06159720d
Instruction Fuzzy Hash: 6F21B730784341BBFF104B998C86F1175B5EB41B1CF290828FA68AA7C1D7F695968662

Function 6CEC5DE0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

_PyArg_ParseTupleAndKeywords_SizeT.PYTHON27(?,?,s|O:txt2obj,?,?,?), ref: 6CEC5E1C
PyObject_IsTrue.PYTHON27(?), ref: 6CEC5E33
PyErr_Format.PYTHON27(?,unknown object '%.100s',?), ref: 6CEC5E6B

Strings

unknown object '%.100s', xrefs: 6CEC5E65
s|O:txt2obj, xrefs: 6CEC5E00

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Arg_Err_FormatKeywords_Object_ParseSizeTrueTuple
String ID: s|O:txt2obj$unknown object '%.100s'
API String ID: 9713115-1782767778
Opcode ID: 5c0d700438661f1395c183f99b1da49bdfcfbb1df9476d6d84a4e236237bd964
Instruction ID: 4a891ad97440ad01c6c9c14d3fa4c0010cb0c90928e532b8403a4acb8c0ecaa5
Opcode Fuzzy Hash: 5c0d700438661f1395c183f99b1da49bdfcfbb1df9476d6d84a4e236237bd964
Instruction Fuzzy Hash: 7F1193B1F15209ABDB00DBA8DD05AEF77B8DB85215F104569EC09D3700E7319B15A792

Function 00402CAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57stringCOMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00402CC7
strncpy.MSVCRT ref: 00402D00
strchr.MSVCRT ref: 00402D33
strncpy.MSVCRT ref: 00402D4D

Strings

;, xrefs: 00402D28

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strncpy$getenvstrchr
String ID: ;
API String ID: 3873711002-1661535913
Opcode ID: ce95854b577eb0fc7b5acb80eaf0a36448d1a3075479a920298e83c55b719eb2
Instruction ID: 87c5bb83796384b620ac70d2af4799a21704787c12b47bdc202f2420c99d8292
Opcode Fuzzy Hash: ce95854b577eb0fc7b5acb80eaf0a36448d1a3075479a920298e83c55b719eb2
Instruction Fuzzy Hash: B411FEB15083419BD310AF39C58829EBBE4EF84784F11882EF5C8E7281D3BD99819B47

Function 6CEC40C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

_PyArg_Parse_SizeT.PYTHON27(?,6CFC51C8,?), ref: 6CEC40D1
PyErr_SetString.PYTHON27(?,Cannot set verify_mode to CERT_NONE when check_hostname is enabled.), ref: 6CEC40FD
PyErr_SetString.PYTHON27(?,invalid value for verify_mode), ref: 6CEC4145

Strings

invalid value for verify_mode, xrefs: 6CEC413F
Cannot set verify_mode to CERT_NONE when check_hostname is enabled., xrefs: 6CEC40F7

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Err_String$Arg_Parse_Size
String ID: Cannot set verify_mode to CERT_NONE when check_hostname is enabled.$invalid value for verify_mode
API String ID: 1619524773-3522815898
Opcode ID: f70172b2b4a857aaeb70328c2d7b0ee3f200ac1c53bec677f9f22936d21a140d
Instruction ID: 1884493ffb4593655f24c61d43f9c3e85686b6e04fb621722df6d4fd340bf5ec
Opcode Fuzzy Hash: f70172b2b4a857aaeb70328c2d7b0ee3f200ac1c53bec677f9f22936d21a140d
Instruction Fuzzy Hash: 2F11A170B102059BCB44CF24DC89A6A73B8EB0632DF2447A9F82DC7780EB32D954D752

Function 00402A90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00402AA0
strncpy.MSVCRT ref: 00402AB3
strlen.MSVCRT ref: 00402ABB
strrchr.MSVCRT ref: 00402AD2

Strings

\, xrefs: 00402AC7

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strlen$strncpystrrchr
String ID: \
API String ID: 4057206489-2967466578
Opcode ID: 3821e1f33afa086847be12ccc8347bff2b393beb44a30b85bb316eb0e4ebce14
Instruction ID: 0e2399b5ff7e40ea0bbb02d0b353f885c60a2e8f14f7b0118b964a3f0aa896c3
Opcode Fuzzy Hash: 3821e1f33afa086847be12ccc8347bff2b393beb44a30b85bb316eb0e4ebce14
Instruction Fuzzy Hash: 40F031F25087908EDB117F29998530ABFD0AF55308F0A48AEE4851B383D6B98441DB67

Function 6CEC4060 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON27(028CB208,invalid return value from SSL_CTX_get_verify_mode), ref: 6CEC408A
PyLong_FromLong.PYTHON27(00000002), ref: 6CEC4099
PyLong_FromLong.PYTHON27(00000001), ref: 6CEC40A6
PyLong_FromLong.PYTHON27(00000000), ref: 6CEC40B3

Strings

invalid return value from SSL_CTX_get_verify_mode, xrefs: 6CEC4084

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: FromLongLong_$Err_String
String ID: invalid return value from SSL_CTX_get_verify_mode
API String ID: 2389487510-2501269723
Opcode ID: 60a7df55dc1dc6dd0e5712835f6cbbf810a090a329c8b52a8ee414ce4c76d3f9
Instruction ID: c6289214169c69f414675f89f34c03f8da61f05d9b45bd490531ec9b56993739
Opcode Fuzzy Hash: 60a7df55dc1dc6dd0e5712835f6cbbf810a090a329c8b52a8ee414ce4c76d3f9
Instruction Fuzzy Hash: 57F0A7327901055BEB405BBCED0EBB63774EB4122EF144125F90D8BB42C663D664C547

Function 6CF54000 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

EVP_CIPHER_iv_length(cipher) <= 16, xrefs: 6CF54289
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\p5_crpt.c, xrefs: 6CF54293, 6CF542A7, 6CF542B8
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp), xrefs: 6CF5429D

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\p5_crpt.c$EVP_CIPHER_iv_length(cipher) <= 16$EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
API String ID: 0-125311407
Opcode ID: dfd2bdc1f6bd61acf5e588b263f5fa20ca7ecd95cc3d4e22ba51188cadf0f6d4
Instruction ID: efd6129478ab3101b3736ba6843b6db99b602b30078d1e7334599f11301bb4b0
Opcode Fuzzy Hash: dfd2bdc1f6bd61acf5e588b263f5fa20ca7ecd95cc3d4e22ba51188cadf0f6d4
Instruction Fuzzy Hash: 2E81A2726083419FD704CF64D880A9FB7E4BFD5308F504A1DFA9997A40EB31E929CB92

Function 6CF0A670 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(00000010,?,?,00000000,?,?,?,?,6CEE07EF,?,?,00000000,?,00000000,00000000), ref: 6CF0A874
memcpy.MSVCR90(00000020,00000000,?,00000000,?,?,?,?,6CEE07EF), ref: 6CF0A8B3

Strings

EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv), xrefs: 6CF0A886
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_enc.c, xrefs: 6CF0A6E3, 6CF0A728, 6CF0A78D, 6CF0A890
ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16, xrefs: 6CF0A6D9

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_enc.c$EVP_CIPHER_CTX_iv_length(ctx) <= (int)sizeof(ctx->iv)$ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 || ctx->cipher->block_size == 16
API String ID: 3510742995-1378150733
Opcode ID: 83252ac324fbf83b1e8b51c5ebcaceba8245ed634f94ac5e7143ccc9a7d93fb9
Instruction ID: 2b0ca647d47bc8d83758e9a11be737fa42bfe0f0817c89b2403ba438d5280e84
Opcode Fuzzy Hash: 83252ac324fbf83b1e8b51c5ebcaceba8245ed634f94ac5e7143ccc9a7d93fb9
Instruction Fuzzy Hash: 1771AF71700606ABE704CF25C4A0BAAB3F5FF84B58F24C129E9158BB81E735E856DBD1

Function 6CEC2270 Relevance: 7.7, APIs: 5, Instructions: 192COMMON

Download Yara Rule

APIs

PyList_New.PYTHON27(00000000), ref: 6CEC2311
PyList_Size.PYTHON27(00000000), ref: 6CEC234E

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: List_$Size
String ID:
API String ID: 303807810-0
Opcode ID: 27284c0cf17efb1e0218cfed243ddbccecc3f7785bd0bbcc5670956d770b79cb
Instruction ID: 6e0ecd36ff4f0525065f0ea9b2a1fb9bbc33955be2be16ddb9e4a24a4a8a521b
Opcode Fuzzy Hash: 27284c0cf17efb1e0218cfed243ddbccecc3f7785bd0bbcc5670956d770b79cb
Instruction Fuzzy Hash: 0B51E671B042028BD708CF58DA84A9AB3F4FF99318F20166DE97987740E735E906C793

Function 6CEF8A20 Relevance: 7.6, APIs: 5, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bce34115e8590c18771822a77faf2c243882d7b456259c7085056b576e69c4c
Instruction ID: 2e81aefb67e15257b8cf49cb7e51caef7c017e0fe0c1c274bc07abe0d89e86cc
Opcode Fuzzy Hash: 3bce34115e8590c18771822a77faf2c243882d7b456259c7085056b576e69c4c
Instruction Fuzzy Hash: 214119B17047168BDB10CF6AD88066AB7B8EF43218B24456BEC65C7701E331EA17D790

Function 6CF04300 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 142COMMON

Download Yara Rule

Strings

lvl, xrefs: 6CF04310
lvl, xrefs: 6CF0437B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: lvl$lvl
API String ID: 0-3258107612
Opcode ID: c5625837917b9a4480d4024dd2349c0a636a6900450f2915633be6ef64e686e0
Instruction ID: b823837d38a06ab9fe3f7dd9c3810f6ea7f4d13f3342fb8c9cf39097ba360eb5
Opcode Fuzzy Hash: c5625837917b9a4480d4024dd2349c0a636a6900450f2915633be6ef64e686e0
Instruction Fuzzy Hash: 0D411A72F002099BDB14CFACE8906FFB7B5EF88614F20866EDC1597B80DB71A9049791

Function 6CF09CD0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,6CEE0674,6CEE0674,6CEE0674,6CEE0674,?), ref: 6CF09D11
memcpy.MSVCR90(?,6CEE0674,?,6CEE0674,6CEE0674,?), ref: 6CF09D2F
memcpy.MSVCR90(?,6CEE0674,?,6CEE0674,6CEE0674,?), ref: 6CF09DBF

Strings

ctx->length <= (int)sizeof(ctx->enc_data), xrefs: 6CF09DD7
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\encode.c, xrefs: 6CF09DE1

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\encode.c$ctx->length <= (int)sizeof(ctx->enc_data)
API String ID: 3510742995-2998765046
Opcode ID: 4f4337b7686c8dcd07afdcc48f946ba7c8d58083642ebc818daed8dcda146c01
Instruction ID: 50002692dab2f8debdaab14815a0b5cbeae208f9f8c1f59786d119f5be3ab5f6
Opcode Fuzzy Hash: 4f4337b7686c8dcd07afdcc48f946ba7c8d58083642ebc818daed8dcda146c01
Instruction Fuzzy Hash: B931A2B1701206EFCB04CF68D590B99B7E5EF44318F20826DE8698BB40EB75AA14CBD1

Function 00409F10 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00409F48
GetCurrentProcessId.KERNEL32 ref: 00409F59
GetCurrentThreadId.KERNEL32 ref: 00409F61
GetTickCount.KERNEL32 ref: 00409F6A
QueryPerformanceCounter.KERNEL32 ref: 00409F79

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: bf07b027104416ae5e153ab52a2392b0606540b33cc6aaa1f377dc49a5b247e6
Instruction ID: 753706d0f2432ae2e52699c1b63fcbad426ce9513c65138fb8e1d97fcb4c84e2
Opcode Fuzzy Hash: bf07b027104416ae5e153ab52a2392b0606540b33cc6aaa1f377dc49a5b247e6
Instruction Fuzzy Hash: 5B11167AD012188BCF10AFA8E9482CEFBB4FB0C664F454176E915F7210DB3569198BD9

Function 004048FC Relevance: 7.5, APIs: 5, Instructions: 43stringCOMMON

Download Yara Rule

APIs

_findfirst.MSVCRT(00000000,00000000,?,00000000,00402A75), ref: 00404869
_findnext.MSVCRT ref: 004048C7
_findclose.MSVCRT ref: 004048DB
_rmdir.MSVCRT ref: 004048EB
strlen.MSVCRT ref: 00404917

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: _findclose_findfirst_findnext_rmdirstrlen
String ID:
API String ID: 4076562980-0
Opcode ID: 5db3324efa8d5a59e1ac116cce6dfcb7576e815c89ee10725f153e3bacf499f5
Instruction ID: 2720cdc07daff6db77de306d3cf3bc652a8836d630f878814009698f8ee34e24
Opcode Fuzzy Hash: 5db3324efa8d5a59e1ac116cce6dfcb7576e815c89ee10725f153e3bacf499f5
Instruction Fuzzy Hash: B4115BB96087408BC720AF39D48819EB7E1FF84310F108D3EE588D3381DA3998558B4A

Function 6CF7E810 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277COMMON

Download Yara Rule

APIs

abort.MSVCR90 ref: 6CF7E989
memcpy.MSVCR90(?,?,?), ref: 6CF7E9E1
_time64.MSVCR90 ref: 6CF7EB65

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_sess.c, xrefs: 6CF7E968, 6CF7E9F7, 6CF7EA2F, 6CF7EA50, 6CF7EACD

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: _time64abortmemcpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_sess.c
API String ID: 2708634623-1237407967
Opcode ID: 74ac41fbf3fc4746f28d7c9144fea4d7778058722f34c035d028eedb92a8a4e6
Instruction ID: f6c2938e949f41d561f84bf9018bf1dea550e75b2708f896fb24e70867abfda1
Opcode Fuzzy Hash: 74ac41fbf3fc4746f28d7c9144fea4d7778058722f34c035d028eedb92a8a4e6
Instruction Fuzzy Hash: EBB10331F042199FEB25CB68E880BD9B7B0FF05318F1442ABD55997681D770AA85CFE2

Function 6CF65D30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 132libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000), ref: 6CF65D70
FreeLibrary.KERNEL32(?), ref: 6CF65E76

Strings

filename(, xrefs: 6CF65D9C
C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c, xrefs: 6CF65D51, 6CF65D84, 6CF65DB2, 6CF65DF9

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Library$FreeLoad
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c$filename(
API String ID: 534179979-1283850309
Opcode ID: aa8d396802cceca4fb9b70702f6915c333ae211d4bcee5183ac929c601e3adcb
Instruction ID: 351ee5c103051f0dde20ea44811a3f763d6b558b01973baf7b451a40e958598c
Opcode Fuzzy Hash: aa8d396802cceca4fb9b70702f6915c333ae211d4bcee5183ac929c601e3adcb
Instruction Fuzzy Hash: E7411535B842056BEB00DB99DC85BCB37B4EB55715F140025ED18FBB81EB72EA0683D2

Function 6CF9E540 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

getenv.MSVCR90 ref: 6CF9E55B

Strings

/usr/local/ssl/cert.pem, xrefs: 6CF9E574
SSL_CERT_FILE, xrefs: 6CF9E556
C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509\by_file.c, xrefs: 6CF9E58F

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: getenv
String ID: /usr/local/ssl/cert.pem$C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509\by_file.c$SSL_CERT_FILE
API String ID: 498649692-3976001
Opcode ID: b6324719b0201222234170e7efa7b0a40cdda6a71e4c4db2f9af66cf86174517
Instruction ID: fbc1e1b79638c28dc689aa89a61cdbe151fcaa0720e92e0327d42ed13defb53b
Opcode Fuzzy Hash: b6324719b0201222234170e7efa7b0a40cdda6a71e4c4db2f9af66cf86174517
Instruction Fuzzy Hash: ED11DF71B50119ABDF10CEB4EC40DAA37A4BF44758F044A24F90ECBB80F621E918C7D1

Function 6CEC5D60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(?,Unknown object), ref: 6CEC5D8A
_Py_BuildValue_SizeT.PYTHON27(issN,00000000,?,?,00000000), ref: 6CEC5DCB

Strings

Unknown object, xrefs: 6CEC5D84
issN, xrefs: 6CEC5DC6

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: BuildErr_FormatSizeValue_
String ID: Unknown object$issN
API String ID: 3112613300-847857892
Opcode ID: 124fd42cbe8fbafff1e813a60e8a4b8732672487a6f4f65df2012839c53ae262
Instruction ID: f67bf81330190407b62ccf50af840939cafe92ed0bb163372cfa15621a692d58
Opcode Fuzzy Hash: 124fd42cbe8fbafff1e813a60e8a4b8732672487a6f4f65df2012839c53ae262
Instruction Fuzzy Hash: FDF0F472B142116BD210EB69AC489AB77B8DB81269F100A79FD18C7700EB22CD1883E7

Function 6CED5C70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

fread.MSVCR90 ref: 6CED5C91
ferror.MSVCR90 ref: 6CED5C9D
GetLastError.KERNEL32(C:\build27\cpython\externals\openssl-1.0.2t\crypto\bio\bss_file.c,000000FF), ref: 6CED5CB4

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\bio\bss_file.c, xrefs: 6CED5CAF, 6CED5CCB

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: ErrorLastferrorfread
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\bio\bss_file.c
API String ID: 2845062543-3627588700
Opcode ID: 1bf425ffaf84e33cb103da13221b2fa2ddb29eeeae9d7a8cf9bc3a90a4cfc269
Instruction ID: 619f7a426799a691a3a172be5c387fc131506e4f24720b9218d1e398f862719c
Opcode Fuzzy Hash: 1bf425ffaf84e33cb103da13221b2fa2ddb29eeeae9d7a8cf9bc3a90a4cfc269
Instruction Fuzzy Hash: 9301F97175020467EB1056B9DC09F7B33B9FF88724F26442AFE59CBBC1DA62E90087A0

Function 6CF9EA50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON

Download Yara Rule

APIs

getenv.MSVCR90 ref: 6CF9EA71

Strings

/usr/local/ssl/certs, xrefs: 6CF9EA81
C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509\by_dir.c, xrefs: 6CF9EA99
SSL_CERT_DIR, xrefs: 6CF9EA6C

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: getenv
String ID: /usr/local/ssl/certs$C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509\by_dir.c$SSL_CERT_DIR
API String ID: 498649692-2629981564
Opcode ID: c26c2234a8c3fbf4ef339ffbd68c52d876d3852dc69ea44607e0d3da2232e532
Instruction ID: d3dbf969d14d22bef585098e504ccecd9084c75cae0e401e8bf17481dd067919
Opcode Fuzzy Hash: c26c2234a8c3fbf4ef339ffbd68c52d876d3852dc69ea44607e0d3da2232e532
Instruction Fuzzy Hash: 2DF028317401155BEF14CAA8AC419C6B3A9BF05729F090925FD49DBB80E722EA1587D2

Function 6CEF6CB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCR90 ref: 6CEF6CCE
isspace.MSVCR90 ref: 6CEF6CEA
isspace.MSVCR90 ref: 6CEF6CF9

Strings

critical,, xrefs: 6CEF6CC8

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: isspace$strncmp
String ID: critical,
API String ID: 1236840406-3963346253
Opcode ID: b3dca62362adf3b7c039acd94e60b32292b7a6e66309c963af61269dcdae9b4a
Instruction ID: ec92b1196479407811d6be6721c113c30282e8c7f2faac141e4766adcccd6c71
Opcode Fuzzy Hash: b3dca62362adf3b7c039acd94e60b32292b7a6e66309c963af61269dcdae9b4a
Instruction Fuzzy Hash: 17F024717086312BDB00272E6C257873BFCDF8230CB2A0861ECA5CBA16F563D602C6E1

Function 6CEC42C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

_PyArg_Parse_SizeT.PYTHON27(?,6CFC523C,?), ref: 6CEC42D1
PyObject_IsTrue.PYTHON27(?), ref: 6CEC42E2
PyErr_SetString.PYTHON27(?,check_hostname needs a SSL context with either CERT_OPTIONAL or CERT_REQUIRED), ref: 6CEC430D

Strings

check_hostname needs a SSL context with either CERT_OPTIONAL or CERT_REQUIRED, xrefs: 6CEC4307

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Arg_Err_Object_Parse_SizeStringTrue
String ID: check_hostname needs a SSL context with either CERT_OPTIONAL or CERT_REQUIRED
API String ID: 3476433147-3746664152
Opcode ID: 454fbfbcf143f75e66bc8ac66d878c68504d528078c86270fbd8e48cbb8ea6c5
Instruction ID: 45ec8385516f9ffdd1debce0b052ce832ca76f023c1ba8bcc6cce762460e3db2
Opcode Fuzzy Hash: 454fbfbcf143f75e66bc8ac66d878c68504d528078c86270fbd8e48cbb8ea6c5
Instruction Fuzzy Hash: 02F04470B10108DBDB04CB64D944B6B77B9EB8131DF2447A9F82D87641E732EA55CB92

Function 6CF966F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,00000000,?,?,?,?,?,?,6CF8FD78,?,?,?,?), ref: 6CF966FF
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,6CF8FD78,?,?,?,?), ref: 6CF9670F
__aulldvrm.LIBCMT ref: 6CF96731

Strings

gfff, xrefs: 6CF96740

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Time$System$File__aulldvrm
String ID: gfff
API String ID: 239608527-1553575800
Opcode ID: 0a821d06eb931c6f779b42ae510a7c1fd99f3b2416339a64a184daf2c1ea8b93
Instruction ID: 51af86ec8d8d693745e0b8dfb4eaf9e02f4023eebe93d6d42d3d1b35293e18ac
Opcode Fuzzy Hash: 0a821d06eb931c6f779b42ae510a7c1fd99f3b2416339a64a184daf2c1ea8b93
Instruction Fuzzy Hash: 5FF0C2B2A043056BC308DF69EC49A5BB7E8EB88214F04CA1EF599C7680E630E104CB52

Function 6CEC3D40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_PyArg_ParseTuple_SizeT.PYTHON27(?,s:set_ciphers,?), ref: 6CEC3D51
PyErr_SetString.PYTHON27(028CB208,No cipher can be selected.), ref: 6CEC3D81

Strings

s:set_ciphers, xrefs: 6CEC3D4B
No cipher can be selected., xrefs: 6CEC3D7B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Arg_Err_ParseSizeStringTuple_
String ID: No cipher can be selected.$s:set_ciphers
API String ID: 4247878537-2686373895
Opcode ID: 328161d52a480ff30999bbe8c08cd71d221c99d78fedb6f3c6dd5d2d5068a7e5
Instruction ID: d50dd07b24743fb6d3836babed5f3400fd70ba3368f713f9c643d59471f53de0
Opcode Fuzzy Hash: 328161d52a480ff30999bbe8c08cd71d221c99d78fedb6f3c6dd5d2d5068a7e5
Instruction Fuzzy Hash: 72F05434710109ABDB44DF64DD48A9B37B8DB0621DB144299FD09C7711DB33EE10DB96

Function 6CEC5C30 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON27(?,RAND_egd() expected string, found %s,?), ref: 6CEC5C54
PyErr_SetString.PYTHON27(028CB208,EGD connection failed or EGD did not return enough data to seed the PRNG), ref: 6CEC5C6B

Strings

EGD connection failed or EGD did not return enough data to seed the PRNG, xrefs: 6CEC5C65
RAND_egd() expected string, found %s, xrefs: 6CEC5C4E

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Err_$FormatString
String ID: EGD connection failed or EGD did not return enough data to seed the PRNG$RAND_egd() expected string, found %s
API String ID: 4212644371-2904210411
Opcode ID: fee9f0591d09e8824d253cb052125b47879c2e7a346f2f5da5fc42cf8b8ecaf4
Instruction ID: bc0fe3bb48523ff54ff77715d067ddd01a9f71c90f92ac713bd3da7b902b81eb
Opcode Fuzzy Hash: fee9f0591d09e8824d253cb052125b47879c2e7a346f2f5da5fc42cf8b8ecaf4
Instruction Fuzzy Hash: 40E0DF30B202049FDB44DFA8D84CE07B3B9EB85229B048155F80C8B702E232E928FA19

Function 6CF90310 Relevance: 6.5, APIs: 2, Strings: 2, Instructions: 466COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 6CF903D9

Part of subcall function 6CF0A590: memset.MSVCR90 ref: 6CF0A615

memcpy.MSVCR90(?,?,?), ref: 6CF90722

Strings

IV block, xrefs: 6CF90837
C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_enc.c, xrefs: 6CF903B2, 6CF9045F, 6CF9095C

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memset$memcpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_enc.c$IV block
API String ID: 368790112-1220425162
Opcode ID: 454f30cdc33983f317a660c08d3992db88fee7a2b04ae7c32b042685bdb96762
Instruction ID: c75b4ab38fabd9c30e2ee3380a1844b0a38c44b76cd2c992136383e1dc062d01
Opcode Fuzzy Hash: 454f30cdc33983f317a660c08d3992db88fee7a2b04ae7c32b042685bdb96762
Instruction Fuzzy Hash: F0124D71A002569BEB24CF55CC85FD9B3B4BF48308F1481A9D91DABB91DBB0AD85CF90

Function 6CF183F0 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 330COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 6CF1844A

Strings

%02x%c, xrefs: 6CF185C6
%04x - , xrefs: 6CF184EF
, xrefs: 6CF18588

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memset
String ID: $%02x%c$%04x -
API String ID: 2221118986-38741901
Opcode ID: 2447985213b54f1d69a4ae5621e1ed8dfff67ef18435b30a00deaa3d40f0cd42
Instruction ID: c14ad3cf71fad294d70d18d938e490b4736a23056d2c30f2a7ebca330f8c8910
Opcode Fuzzy Hash: 2447985213b54f1d69a4ae5621e1ed8dfff67ef18435b30a00deaa3d40f0cd42
Instruction Fuzzy Hash: 9DB1EA31E091984FEB15CE28CA607E9B7B5EF4634CF2640EBC845ABE45DA32DE45CB50

Function 6CF788B0 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 325COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(00000048,?,?), ref: 6CF78C50
memset.MSVCR90 ref: 6CF78977

Part of subcall function 6CF0B090: memset.MSVCR90 ref: 6CF0B108

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_lib.c, xrefs: 6CF78B5F
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_lib.c, xrefs: 6CF78A89

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memset$memcpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_lib.c$C:\build27\cpython\externals\openssl-1.0.2t\ssl\t1_lib.c
API String ID: 368790112-3263114269
Opcode ID: a0a8153b29912bbab6b158eecf1775bb84a7501934dd885cced0aef8b19c777b
Instruction ID: 5fd051f8b42950e1e6f2a83f10c6dc0b512b4120fd38d264f7c750cae707913f
Opcode Fuzzy Hash: a0a8153b29912bbab6b158eecf1775bb84a7501934dd885cced0aef8b19c777b
Instruction Fuzzy Hash: B5C19E72F012199FDB64DF28DC40BDEB3B5AF44314F0445EAD90DA7640EB30AA898FA1

Function 6CF19D10 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 311COMMON

Download Yara Rule

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\rsa\rsa_sign.c, xrefs: 6CF19D3B, 6CF19D91, 6CF19DA6, 6CF19DD4, 6CF19E98, 6CF1A022
$, xrefs: 6CF19DC9
r, xrefs: 6CF19D56

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: $$C:\build27\cpython\externals\openssl-1.0.2t\crypto\rsa\rsa_sign.c$r
API String ID: 0-1476069403
Opcode ID: 75dfc1ad57825bda3e1cd7a90fa3a3a4a0d29a54931f7fd76c6a1b96b35bca53
Instruction ID: f1441887e4a98ec1f72ad63714197c00ef98fe55c882e402418f7bb6e2255a6d
Opcode Fuzzy Hash: 75dfc1ad57825bda3e1cd7a90fa3a3a4a0d29a54931f7fd76c6a1b96b35bca53
Instruction Fuzzy Hash: A4A1D231748205AFEB10CF59C880BDA77F6AF85308F244169E9099BF81DB72EA49C7D1

Function 6CEE02C0 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 6CEE056B

Part of subcall function 6CEDF790: memcpy.MSVCR90(?,6CEE015F,6CEE0160,?,?,?,6CEE0771,?,00000000,?), ref: 6CEDF7BB

Part of subcall function 6CEDCDA0: raise.MSVCR90 ref: 6CEDCDAF
Part of subcall function 6CEDCDA0: _exit.MSVCR90 ref: 6CEDCDBA
Part of subcall function 6CEDCDA0: __iob_func.MSVCR90 ref: 6CEDCDD0

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\pem\pem_lib.c, xrefs: 6CEE0352, 6CEE038C, 6CEE03B1, 6CEE03CC, 6CEE0471, 6CEE0623, 6CEE0637
strlen(objstr) + 23 + 2 * enc->iv_len + 13 <= sizeof(buf), xrefs: 6CEE0619
enc->iv_len <= (int)sizeof(iv), xrefs: 6CEE062D

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: __iob_func_exitmemcpymemsetraise
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\pem\pem_lib.c$enc->iv_len <= (int)sizeof(iv)$strlen(objstr) + 23 + 2 * enc->iv_len + 13 <= sizeof(buf)
API String ID: 2625025328-1503043936
Opcode ID: 81738146a475e2866bed58892868caf81ea9f783b9585f54efaa50d3c1bdb647
Instruction ID: 288b6d920e8955354d9acb8529e3af12ab07a7a679b8cfdf63a6edc7931faad5
Opcode Fuzzy Hash: 81738146a475e2866bed58892868caf81ea9f783b9585f54efaa50d3c1bdb647
Instruction Fuzzy Hash: F7C1ACB1E0025A9BDB24CF54CD40BDEB3B5BF88348F1440A9D618A7741EB74AE89CF95

Function 6CF3EB40 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 279COMMON

Download Yara Rule

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\ec\ec2_oct.c, xrefs: 6CF3EB6E, 6CF3EBB0, 6CF3EC45, 6CF3EDE4
C:\build27\cpython\externals\openssl-1.0.2t\crypto\ec\ec_lib.c, xrefs: 6CF3EBED

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\ec\ec2_oct.c$C:\build27\cpython\externals\openssl-1.0.2t\crypto\ec\ec_lib.c
API String ID: 0-2835069463
Opcode ID: ca1cd095e2fe3b4634e1a1a27902bfc3b409860f6188502cccd7bee0e6149429
Instruction ID: 3d44ebe003719901d3f9b228795b3de0e066d1c4a4b25d59acce8987317b100d
Opcode Fuzzy Hash: ca1cd095e2fe3b4634e1a1a27902bfc3b409860f6188502cccd7bee0e6149429
Instruction Fuzzy Hash: C491E276B00219ABDB10CE64DC80B9E73A5EF84358F255565EC18EBB80E771EE14C7E1

Function 6CF72210 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_rsa.c, xrefs: 6CF72367, 6CF7244C
SERVERINFO FOR , xrefs: 6CF7222C

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_rsa.c$SERVERINFO FOR
API String ID: 0-2271718345
Opcode ID: a162833b1c692e614227a9c846014a3610a80ace785035da5c17f15eb452277e
Instruction ID: 93c207ba947f75bdb2d7b5b7700ba0cacb2297597aab12b904a930283631ca76
Opcode Fuzzy Hash: a162833b1c692e614227a9c846014a3610a80ace785035da5c17f15eb452277e
Instruction Fuzzy Hash: D9A1A2B1E002099BDB10CF98EC85BEEB7B5AF45304F14412AE914B7741E776EA15CBA1

Function 6CF69CD0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

s->sid_ctx_length <= sizeof(s->sid_ctx), xrefs: 6CF6A047
C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_lib.c, xrefs: 6CF69CE7, 6CF69D0E, 6CF69D2E, 6CF69E60, 6CF69F63, 6CF69FE0, 6CF6A051

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_lib.c$s->sid_ctx_length <= sizeof(s->sid_ctx)
API String ID: 0-543158492
Opcode ID: 11a2ad49eb7d388c96f32954ec5a98d498f84a90fb45b6e1779c3feb2689dfdd
Instruction ID: cc218da47bb3303df5a45458a634b38995d0a33c045b6d3d480c89f2c0d87beb
Opcode Fuzzy Hash: 11a2ad49eb7d388c96f32954ec5a98d498f84a90fb45b6e1779c3feb2689dfdd
Instruction Fuzzy Hash: 1CA146B0A017019FEB10CF29C881BDAB7E4EF48304F1585B9ED5D9BB91EB31A905CB91

Function 6CF5C5D0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 240COMMON

Download Yara Rule

Strings

ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 6CF5C7BD
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_lib.c, xrefs: 6CF5C63A
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\digest.c, xrefs: 6CF5C7C7

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\digest.c$C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_lib.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 0-2315790322
Opcode ID: dfa8cbe47f1f32c606f3c4f3f6e6ea844e3b2c27ece13aa592b1b10863eba640
Instruction ID: a380ba0bd6ebf7fae6d67eeedcdaaedf401762b4bf876c5e8a7ec72de16eb8c3
Opcode Fuzzy Hash: dfa8cbe47f1f32c606f3c4f3f6e6ea844e3b2c27ece13aa592b1b10863eba640
Instruction Fuzzy Hash: 9A819DB16083019FC304DF68D880A9BB7F5AFD8204F54892DF99AC7741E771E919CBA2

Function 6CF9A000 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 231COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 6CF9A0C5

Part of subcall function 6CEDCDA0: raise.MSVCR90 ref: 6CEDCDAF
Part of subcall function 6CEDCDA0: _exit.MSVCR90 ref: 6CEDCDBA
Part of subcall function 6CEDCDA0: __iob_func.MSVCR90 ref: 6CEDCDD0

Strings

ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 6CF9A241
C:\build27\cpython\externals\openssl-1.0.2t\crypto\srp\srp_lib.c, xrefs: 6CF9A06C
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\digest.c, xrefs: 6CF9A24B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: __iob_func_exitmemsetraise
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\digest.c$C:\build27\cpython\externals\openssl-1.0.2t\crypto\srp\srp_lib.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 1335598159-1357769393
Opcode ID: ad8c510f265e79515c825931a595a14f71ec8cf9d22411fd0de2dfddada2a5a4
Instruction ID: f546bf9af6b925e407af8dc7f9e8a3f2c84340dfd583fe9b44dd6169d4774dd1
Opcode Fuzzy Hash: ad8c510f265e79515c825931a595a14f71ec8cf9d22411fd0de2dfddada2a5a4
Instruction Fuzzy Hash: 9171A071E00209ABEB00DFA9DC81BDEB7F5EF84318F154229E815A7750EB35E909CB91

Function 6CED8760 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 189stringCOMMON

Download Yara Rule

APIs

strchr.MSVCR90 ref: 6CED8816
strncpy.MSVCR90 ref: 6CED887D

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509v3\v3_info.c, xrefs: 6CED8782, 6CED8861, 6CED88D9, 6CED88F7, 6CED892A
value=, xrefs: 6CED8907

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: strchrstrncpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509v3\v3_info.c$value=
API String ID: 3824778938-1365197443
Opcode ID: b581f21dcec4c176ef47d748371b35709a14b4608172653abeff48ddff8592b1
Instruction ID: 15a3c63735b36d02fb1027514b301d9063d4d39928cd00d9eb3311cab617179f
Opcode Fuzzy Hash: b581f21dcec4c176ef47d748371b35709a14b4608172653abeff48ddff8592b1
Instruction Fuzzy Hash: 6451C771A00205ABDB20CF54CC81B9EB7B5EB44308F36556EE949ABB81D771F906C7D2

Function 6CF0A390 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 186COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 6CF0A578

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_key.c, xrefs: 6CF0A54F, 6CF0A563
nkey <= EVP_MAX_KEY_LENGTH, xrefs: 6CF0A559
niv <= EVP_MAX_IV_LENGTH, xrefs: 6CF0A545

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memset
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_key.c$niv <= EVP_MAX_IV_LENGTH$nkey <= EVP_MAX_KEY_LENGTH
API String ID: 2221118986-2789405989
Opcode ID: 9dc77d9e606763fd2c6aa9f5deb72516e45e1de07613b217f55cf5e1e54b78db
Instruction ID: 2fa992674190244ea24b358fd4d210a46fbd1f9cec68e6c868605e6d2650a9ee
Opcode Fuzzy Hash: 9dc77d9e606763fd2c6aa9f5deb72516e45e1de07613b217f55cf5e1e54b78db
Instruction Fuzzy Hash: 25518E79F012098BDB10CFA998946AEB7B5BF44708F20412ED859EBB45DB31E905CB90

Function 6CF45CF0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 178COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,?,?), ref: 6CF45E9F

Strings

ctx->digest->md_size <= EVP_MAX_MD_SIZE, xrefs: 6CF45EB9
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_lib.c, xrefs: 6CF45D3E
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\digest.c, xrefs: 6CF45EC3

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\digest.c$C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_lib.c$ctx->digest->md_size <= EVP_MAX_MD_SIZE
API String ID: 3510742995-2315790322
Opcode ID: 5ca56ba8b062f71e5be564abc1fea64cb51e7661379c4abce513e536823c35ee
Instruction ID: ebcb58a1546d8ac0cd8724574ff472c29b4585c47b77a9d0b7111d6504cabfc4
Opcode Fuzzy Hash: 5ca56ba8b062f71e5be564abc1fea64cb51e7661379c4abce513e536823c35ee
Instruction Fuzzy Hash: 23514E75E003089BDB14DFE9C884ADEBBF5AF45304F25812DD819AB746E730E90ACB91

Function 6CF5E570 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,?,?), ref: 6CF5E65E
memset.MSVCR90 ref: 6CF5E687

Strings

j <= (int)sizeof(ctx->key), xrefs: 6CF5E691
C:\build27\cpython\externals\openssl-1.0.2t\crypto\hmac\hmac.c, xrefs: 6CF5E69B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpymemset
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\hmac\hmac.c$j <= (int)sizeof(ctx->key)
API String ID: 1297977491-3336659946
Opcode ID: 8a11277eb889734b2deaa399fca4630f0ffbec7f945f2146ceddfd9c1993697e
Instruction ID: 9727884d69278fdfc964dd28a46d4da20384fcd4e06ffa18f8721e7e175ee649
Opcode Fuzzy Hash: 8a11277eb889734b2deaa399fca4630f0ffbec7f945f2146ceddfd9c1993697e
Instruction Fuzzy Hash: 9451C5716011059BEF08CF24DC80BAA7779EF55318F5040A8EE49DB786EB39E959CBE0

Function 6CEC2470 Relevance: 6.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

APIs

PyList_New.PYTHON27(00000000), ref: 6CEC24F8
PyUnicodeUCS2_FromStringAndSize.PYTHON27(?), ref: 6CEC2579
PyList_Append.PYTHON27(00000000,00000000), ref: 6CEC258A
PyList_AsTuple.PYTHON27(00000000), ref: 6CEC25E1

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: List_$AppendFromSizeStringTupleUnicode
String ID:
API String ID: 1097641754-0
Opcode ID: 3cfb1aef0b621fa8a4c12daec12d6a89c77ceb8cbaba4dc85b4f3c13c17f2403
Instruction ID: 8c99448cf85cf4da5aa9546128e435f44ebcce9c191612da45ad8c48716392be
Opcode Fuzzy Hash: 3cfb1aef0b621fa8a4c12daec12d6a89c77ceb8cbaba4dc85b4f3c13c17f2403
Instruction Fuzzy Hash: 8E51D171B042128BD710CF29CA88A4BB3F0FF95328F24966DE86487750E735E806CB93

Function 6CF0AD40 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

b <= sizeof(ctx->final), xrefs: 6CF0AE91
C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_enc.c, xrefs: 6CF0AD5D, 6CF0AE9B

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\evp\evp_enc.c$b <= sizeof(ctx->final)
API String ID: 0-2581419725
Opcode ID: d28882f5c57eb689c3da945ac94c6314836e1861823fa971ff471aab7407644b
Instruction ID: 7bdae4c0ff8c0ff029becb0c46b2c7cfb22ac56faf6021fa5855b6f5a3f9ad91
Opcode Fuzzy Hash: d28882f5c57eb689c3da945ac94c6314836e1861823fa971ff471aab7407644b
Instruction Fuzzy Hash: 4741E372701204AFE710CE59EC91BEA73E8EB85729F10416AFC0C8BB40E776E956D791

Function 6CED8E80 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

issuer, xrefs: 6CED8EF1
C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509v3\v3_alt.c, xrefs: 6CED8E9F
copy, xrefs: 6CED8F23

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509v3\v3_alt.c$copy$issuer
API String ID: 0-1358652360
Opcode ID: 014b79873ea4c8be605afa90d6dbc4ff4d6a543d2c59f2bf9e035370ec80cf1d
Instruction ID: cb676acf76075f76935949847e1c25a5028b10f3d49ade69a8f05431d2f82a5c
Opcode Fuzzy Hash: 014b79873ea4c8be605afa90d6dbc4ff4d6a543d2c59f2bf9e035370ec80cf1d
Instruction Fuzzy Hash: B3412A717042099BD720CF699C81B9A73B69B4121CF3A15ABEC148BB41E732F90BC7D2

Function 6CEEA360 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 6CEEA37E
memset.MSVCR90 ref: 6CEEA3A4

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\buffer\buffer.c, xrefs: 6CEEA3C8, 6CEEA400, 6CEEA417, 6CEEA437

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memset
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\buffer\buffer.c
API String ID: 2221118986-430455864
Opcode ID: 1e460318f64d2cf2fcc185724b2238e16db54aa4ee609cfda6a66efdb9b573bb
Instruction ID: 68a96fddde758167a22df85d915411d1608dd76a37ae69484553102370e5076a
Opcode Fuzzy Hash: 1e460318f64d2cf2fcc185724b2238e16db54aa4ee609cfda6a66efdb9b573bb
Instruction Fuzzy Hash: B83198727442016FE7049E18ECC1B99B7A5EB84368F24823EF90CCBB80E775AD198794

Function 6CEC2DA0 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af19fd6e9a074f58dc7ec58e8567cdd99bbf101001199f3e4f13cb5a9b02238a
Instruction ID: 458106fd2a47de040c503b1f14a6f9308b6175d3667fa9fdc5b9884f9e3c2c15
Opcode Fuzzy Hash: af19fd6e9a074f58dc7ec58e8567cdd99bbf101001199f3e4f13cb5a9b02238a
Instruction Fuzzy Hash: 2F219E31B006018FE705CF69EA88A9733F8FB59329B14113AE929C7B10E722E901DB56

Function 00404ED0 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00404F1C
wcslen.MSVCRT ref: 00404F2A
malloc.MSVCRT ref: 00404F35
WideCharToMultiByte.KERNEL32 ref: 00404F6F

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: ByteCharMultiWide$mallocwcslen
String ID:
API String ID: 173459892-0
Opcode ID: b8f3b471f5fe2ad09f2d1377ec18e4edcebd2fdfdbb0d7f6aa1095d11fa209f3
Instruction ID: 9744097a12f8b822ab610269ec99efc9aea7c821b864e54a547139bda5badfde
Opcode Fuzzy Hash: b8f3b471f5fe2ad09f2d1377ec18e4edcebd2fdfdbb0d7f6aa1095d11fa209f3
Instruction Fuzzy Hash: 2321F7B15083019FD300EF66D48431BBBE4AB84368F01893EE9985B2C1D7B985498BD7

Function 004096E0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 00409705
__dllonexit.MSVCRT ref: 00409743
_unlock.MSVCRT ref: 00409773
_onexit.MSVCRT ref: 00409787

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: __dllonexit_lock_onexit_unlock
String ID:
API String ID: 209411981-0
Opcode ID: e72dbf5e36769850f66dedf14dbdfcd0cf83797c3aff72795d0b5d1688932a61
Instruction ID: 94322562d448f61ab5e389db5415b64235926ac514306a4d16e9030116057e7b
Opcode Fuzzy Hash: e72dbf5e36769850f66dedf14dbdfcd0cf83797c3aff72795d0b5d1688932a61
Instruction Fuzzy Hash: C91183F49197018FC700EF76D48555EBBE0AB98314F818D3EF8D497392E63998948B86

Function 00402CDC Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 00402D00

Part of subcall function 00402B60: strlen.MSVCRT ref: 00402BA5
Part of subcall function 00402B60: strncpy.MSVCRT ref: 00402BB5
Part of subcall function 00402B60: strlen.MSVCRT ref: 00402BBD
Part of subcall function 00402B60: strlen.MSVCRT ref: 00402BD5
Part of subcall function 00402B60: strcat.MSVCRT(?,?,?,00002068,00000000,00000000,004026D6), ref: 00402BE8

strchr.MSVCRT ref: 00402D33
strncpy.MSVCRT ref: 00402D4D

Strings

;, xrefs: 00402D28

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strlenstrncpy$strcatstrchr
String ID: ;
API String ID: 1837988602-1661535913
Opcode ID: 8fc9b7576c0a419203d23bf9b58d9aab0d32351923dc3836b5ccfaade7827991
Instruction ID: cafbc012400062e9836ad638cb34517f3ac44faff61307575af338ded75cce7e
Opcode Fuzzy Hash: 8fc9b7576c0a419203d23bf9b58d9aab0d32351923dc3836b5ccfaade7827991
Instruction Fuzzy Hash: EB11DEB16083419FD710AF69C1C429EBBE0EF84784F008C2EF5C8D7341D3B999818B46

Function 00402669 Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

Py_DecRef.PYTHON27 ref: 00402621
Py_DecRef.PYTHON27 ref: 0040262A
PyErr_Print.PYTHON27 ref: 00402630
PyErr_Clear.PYTHON27 ref: 00402636

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: Err_$ClearPrint
String ID:
API String ID: 2841865782-0
Opcode ID: c8a4119b7f5f103bff413d06edf0b36ad86028411efbad5513ac0c91e0875dc0
Instruction ID: d1536409d56c44e0e682c25b7688d9f7611cd5652ed609ed71c29ab179a6128f
Opcode Fuzzy Hash: c8a4119b7f5f103bff413d06edf0b36ad86028411efbad5513ac0c91e0875dc0
Instruction Fuzzy Hash: EFD0C2361045108FC3102F38FD4C289BF61FB88321F05473DE65AD21B0C6700556CB8A

Function 0040267C Relevance: 6.0, APIs: 4, Instructions: 16COMMON

Download Yara Rule

APIs

Py_DecRef.PYTHON27 ref: 00402621
Py_DecRef.PYTHON27 ref: 0040262A
PyErr_Print.PYTHON27 ref: 00402630
PyErr_Clear.PYTHON27 ref: 00402636

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: Err_$ClearPrint
String ID:
API String ID: 2841865782-0
Opcode ID: c8da6cc03c9e6287cfd1277d6b72ccdf8d55770795fdabe836d4b21bb57a759e
Instruction ID: 181f7cc08fe0b32babf9f34fdf93a5d565f36803c1d22e9caf565b6c92bb6d29
Opcode Fuzzy Hash: c8da6cc03c9e6287cfd1277d6b72ccdf8d55770795fdabe836d4b21bb57a759e
Instruction Fuzzy Hash: 6CD012765045108FC2502F28FD4C0997F61FA882257154739E65AD21B0C6715556CB8A

Function 00402689 Relevance: 6.0, APIs: 4, Instructions: 15COMMON

Download Yara Rule

APIs

Py_DecRef.PYTHON27 ref: 00402621
Py_DecRef.PYTHON27 ref: 0040262A
PyErr_Print.PYTHON27 ref: 00402630
PyErr_Clear.PYTHON27 ref: 00402636

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: Err_$ClearPrint
String ID:
API String ID: 2841865782-0
Opcode ID: cf52dce186dfb3fb698a26fa1dcd9770811d94c250a69313f54f9de9a22c5693
Instruction ID: 72ddaba1c59c873d25fe0bf91ec31d4e9daf0aed9a0c842b1247e831217dccea
Opcode Fuzzy Hash: cf52dce186dfb3fb698a26fa1dcd9770811d94c250a69313f54f9de9a22c5693
Instruction Fuzzy Hash: EAD012791045108FC2502F28FD482987F21FB84321F154739E65AD21B0C6715556CA4A

Function 6CF9EF20 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 380COMMON

Download Yara Rule

Strings

%s%c%08lx.%s%d, xrefs: 6CF9F14E
C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509\by_dir.c, xrefs: 6CF9EFDE, 6CF9F0BD, 6CF9F11A, 6CF9F1BA, 6CF9F21E, 6CF9F244, 6CF9F297, 6CF9F2E1, 6CF9F31D, 6CF9F348, 6CF9F367, 6CF9F37A, 6CF9F3B0

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID: %s%c%08lx.%s%d$C:\build27\cpython\externals\openssl-1.0.2t\crypto\x509\by_dir.c
API String ID: 0-3102404680
Opcode ID: 13bedda219724dc8d29ed042ab73016fc54196af1ea017775f2dfd5f9ebaf7bb
Instruction ID: 871c7e8cbc872994097155e28de4cd9462fad98813e425bdb14862fb29623127
Opcode Fuzzy Hash: 13bedda219724dc8d29ed042ab73016fc54196af1ea017775f2dfd5f9ebaf7bb
Instruction Fuzzy Hash: E3E1AD346083029BEB14CF25C881B5BB7F0BB89718F148A1DF9689B790D771E9068B92

Function 6CF363B0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

_time64.MSVCR90 ref: 6CF364AA
__aullrem.LIBCMT ref: 6CF36636

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\bn\bn_rand.c, xrefs: 6CF3645F, 6CF36470, 6CF36491, 6CF366B1

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: __aullrem_time64
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\bn\bn_rand.c
API String ID: 3772048222-1199490170
Opcode ID: d6f39e09649616a2af2f723d36ec16a4303db20ceda17b1a7e9be1d419529e09
Instruction ID: 88e017dff731fc9e273b55aba455c3a6ac1c278c277279332b79c39a2515a700
Opcode Fuzzy Hash: d6f39e09649616a2af2f723d36ec16a4303db20ceda17b1a7e9be1d419529e09
Instruction Fuzzy Hash: F791E071B49221ABDB148B28D881B6B77B4BF86348F04523DF859CBB80D735D505CBE6

Function 6CF34420 Relevance: 5.4, APIs: 4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9cd25a472d7b6cbcba056ef5eee9ba53387e4f10d971ac1bdc4995a95e59ad0
Instruction ID: 9aac520717d1b6dad4bcc118e452eaa075f4db1f274a75cdcb3ce240fa9fc172
Opcode Fuzzy Hash: f9cd25a472d7b6cbcba056ef5eee9ba53387e4f10d971ac1bdc4995a95e59ad0
Instruction Fuzzy Hash: DDE149B5A00119BFDB14CFA8CC94EEF7BB9EF88304F148518F90997744E631AE158BA0

Function 6CF64DC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

isupper.MSVCR90 ref: 6CF64DFC
tolower.MSVCR90 ref: 6CF64E06

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\asn1\asn_mime.c, xrefs: 6CF64E7F, 6CF64E91, 6CF64EB3

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: isuppertolower
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\asn1\asn_mime.c
API String ID: 2435887076-673838732
Opcode ID: 8aff5350c9729c227c4589b08797aa9b691ee0fdfdf65cff613a1c77f21dda7b
Instruction ID: 2b45b452a0f6976ad362656fbf71ce0fd7fee3c65d812a5fc1269e4ff36ccbe7
Opcode Fuzzy Hash: 8aff5350c9729c227c4589b08797aa9b691ee0fdfdf65cff613a1c77f21dda7b
Instruction Fuzzy Hash: 1D316B72A00241AFEB10DF9A9CD07AA7BF8EB55318F24817DFD9497E00D6335E4987A1

Function 6CF05D30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strtoul.MSVCR90 ref: 6CF05D47

Strings

C:\build27\cpython\externals\openssl-1.0.2t\crypto\asn1\asn1_gen.c, xrefs: 6CF05D71, 6CF05DFD
Char=, xrefs: 6CF05E17

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: strtoul
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\asn1\asn1_gen.c$Char=
API String ID: 3805803174-1255923820
Opcode ID: 41ada6117fd1bd9b1698f7d6f71661beade58ca1472fdbd0b2726ba95e30b2ea
Instruction ID: e64624735ccf74f3425bde932348684732c7ec448f237b6b058e352a4698e4e4
Opcode Fuzzy Hash: 41ada6117fd1bd9b1698f7d6f71661beade58ca1472fdbd0b2726ba95e30b2ea
Instruction Fuzzy Hash: 6F21283670A2545BEB108A58EC657ED77A8CB42715F1401FBED08CBBC1E7E69905C3D2

Function 6CF7E040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCR90 ref: 6CF7E0E7
_time64.MSVCR90 ref: 6CF7E10E

Strings

C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_sess.c, xrefs: 6CF7E070, 6CF7E085, 6CF7E0AA, 6CF7E0C8

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: _time64memset
String ID: C:\build27\cpython\externals\openssl-1.0.2t\ssl\ssl_sess.c
API String ID: 899224009-1237407967
Opcode ID: cfd498967c2b4ee96007dafd8a5a23faa6fdfd16890985c99e104df66cddb4ba
Instruction ID: 7d71fa9b889b23784576bcfd7d7f69ce181d25792abd4738285b84a923c35cd0
Opcode Fuzzy Hash: cfd498967c2b4ee96007dafd8a5a23faa6fdfd16890985c99e104df66cddb4ba
Instruction Fuzzy Hash: B931EDB0A01701AEE2319F69DC02F93BAF4FB81718F10052FE66A97680DBB110058B62

Function 6CEF2490 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 6CEF24DF

Part of subcall function 6CF1B330: _gmtime64_s.MSVCR90 ref: 6CF1B35F

__aullrem.LIBCMT ref: 6CEF2518

Strings

%.14s.%03dZ, xrefs: 6CEF2522

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: __aulldvrm__aullrem_gmtime64_s
String ID: %.14s.%03dZ
API String ID: 1602601563-1077646249
Opcode ID: ebbd8f9ceaa8bce513b2fbfdde52f28e257c0ae1d37b446332c4717f86568590
Instruction ID: b40b0d24a21e6cefd23e24c599adb01d1add86ce785b2e239fcebc1e4e69dcb0
Opcode Fuzzy Hash: ebbd8f9ceaa8bce513b2fbfdde52f28e257c0ae1d37b446332c4717f86568590
Instruction Fuzzy Hash: B92181B1B002086BDB04DF69DC41BEF77B8AF88304F448419F508A7781DB75AD198B91

Function 6CF66050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?), ref: 6CF660B4

Strings

symname(, xrefs: 6CF660DD
C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c, xrefs: 6CF660C8, 6CF660FB

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: AddressProc
String ID: C:\build27\cpython\externals\openssl-1.0.2t\crypto\dso\dso_win32.c$symname(
API String ID: 190572456-2663281677
Opcode ID: bdf1b6902297763f36eac808177feb1e6d5fb567dd8ed6875c2add481b77ab56
Instruction ID: 399ce3debc0b08c176ea681db53ee66d3fc2caa250709fe5f44e3e425c51d0ba
Opcode Fuzzy Hash: bdf1b6902297763f36eac808177feb1e6d5fb567dd8ed6875c2add481b77ab56
Instruction Fuzzy Hash: 0F11E3713492057BEB149A1ACC55F873364DF01754F144278FE59DBED2DB32E9018681

Function 6CEC2FC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON27(?,6D00E8B8), ref: 6CEC2FD7
PyErr_SetString.PYTHON27(?,The value must be a SSLContext), ref: 6CEC2FF1

Strings

The value must be a SSLContext, xrefs: 6CEC2FEB

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: Err_StringSubtypeType_
String ID: The value must be a SSLContext
API String ID: 468607378-677980480
Opcode ID: 1e31c02df83b4ba7f6c2a489b933e369c7e69daede52d41b569a46321b9cf003
Instruction ID: 3958297560e79bf680c0a67ba4353021932b063108392f08cfd7c18ce6fe61d2
Opcode Fuzzy Hash: 1e31c02df83b4ba7f6c2a489b933e369c7e69daede52d41b569a46321b9cf003
Instruction Fuzzy Hash: 26017175700501ABE700DF59E984992B7B9EF452393144625E828C7781D332F951CBA2

Function 00403AEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

_fileno.MSVCRT ref: 00403A44
_setmode.MSVCRT ref: 00403A5A
_fileno.MSVCRT ref: 00403A67
_setmode.MSVCRT ref: 00403A77
fflush.MSVCRT ref: 00403A84
fflush.MSVCRT ref: 00403A94
setbuf.MSVCRT ref: 00403AA9
setbuf.MSVCRT ref: 00403AC1
setbuf.MSVCRT ref: 00403AD9
mbstowcs.MSVCRT ref: 00403B06
PySys_AddWarnOption.PYTHON27(?,?,?,00000000,00000000,00403EA6), ref: 00403B17

Part of subcall function 004015D0: ntohl.WS2_32(?,?,00000000,?,0040235F), ref: 004015E2

Strings

pyi-, xrefs: 004039CF

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: setbuf$_fileno_setmodefflush$OptionSys_Warnmbstowcsntohl
String ID: pyi-
API String ID: 4193053745-3770392772
Opcode ID: 11cbf90a08825acd13ace0c03f197a080f4ab3790cf3c7c2105d72725abef362
Instruction ID: e36c829b6a0d97d2367c992e2002adacd36deb20f16e6952a0cc159506fc5f2c
Opcode Fuzzy Hash: 11cbf90a08825acd13ace0c03f197a080f4ab3790cf3c7c2105d72725abef362
Instruction Fuzzy Hash: CB0171B44086458ACB14CF24C68026B7FE4AB44315F4189BBE986AB3D1D3BCDA55DB4A

Function 00402B00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00402B18
strrchr.MSVCRT ref: 00402B4B

Strings

/, xrefs: 00402B40

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strrchr
String ID: /
API String ID: 3418686817-2043925204
Opcode ID: 0cfd4f32b849586b70a7353986d77b0206b4deb400bbcf53468c15147e581287
Instruction ID: d17ca4ae87394f5675dde1efdaccee299bc168ef5c4884823c421eedceabe6da
Opcode Fuzzy Hash: 0cfd4f32b849586b70a7353986d77b0206b4deb400bbcf53468c15147e581287
Instruction Fuzzy Hash: C8E039B04083008BD300AF158A8855BFBF4BF48348F45497EA98927382D379D908CB6B

Function 00404E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405155), ref: 00404E73
FormatMessageA.KERNEL32 ref: 00404EB4

Strings

FormatMessage failed., xrefs: 00404EBD

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID: FormatMessage failed.
API String ID: 3479602957-2374551320
Opcode ID: e3e88c1ca8d9d908ac7fb40ebe42d6c5ba71c6a0b71db535dbf4255836295caf
Instruction ID: 95bcd40d16130ee153334ec2c51760062741ad72a3ca2a6fd624054d12426a6e
Opcode Fuzzy Hash: e3e88c1ca8d9d908ac7fb40ebe42d6c5ba71c6a0b71db535dbf4255836295caf
Instruction Fuzzy Hash: 69F045B45083018FD300EF69C55934BBBE0BF88349F40C96DE8989B254D3B9864A8F97

Function 6CF50790 Relevance: 5.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,?,?,?,?,?,?,?,6CF2A175,?), ref: 6CF507DC
memcpy.MSVCR90(?,?,00000040,?,?,?,?,?,6CF2A175,?), ref: 6CF50801
memset.MSVCR90 ref: 6CF5082C
memcpy.MSVCR90(?,?,?,?,?,?,?,?,6CF2A175,?), ref: 6CF50863

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 316610f0ad9a54ae572b68d4a84eac42c8a2284bb7c4cd8ab728122eff8e51ad
Instruction ID: 40a410b3b92147822b40f7fe813726a6c300b9e6fa498cbebd8a3e844cbb5c89
Opcode Fuzzy Hash: 316610f0ad9a54ae572b68d4a84eac42c8a2284bb7c4cd8ab728122eff8e51ad
Instruction Fuzzy Hash: A221DCB2A007056FD720CE59D880E9BB7FDEB9431CF10426DE90587B04EBB5EA1987D1

Function 6CF50A20 Relevance: 5.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

memcpy.MSVCR90(?,?,?,?,?,?,?,?,6CF2A205,?), ref: 6CF50A6C
memcpy.MSVCR90(?,?,00000040,?,?,?,?,?,6CF2A205,?), ref: 6CF50A91
memset.MSVCR90 ref: 6CF50ABB
memcpy.MSVCR90(?,?,?,?,?,?,?,?,6CF2A205,?), ref: 6CF50AF1

Memory Dump Source

Source File: 00000002.00000002.2195703679.000000006CEC1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEC0000, based on PE: true

Associated: 00000002.00000002.2195688110.000000006CEC0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195799500.000000006CFC2000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195846572.000000006D004000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195867613.000000006D005000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195896581.000000006D008000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195910917.000000006D009000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195925707.000000006D00B000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195941931.000000006D00D000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195958730.000000006D00E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.2195974841.000000006D012000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6cec0000_main.jbxd

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 85263cbe145a771239ca3c8e3c8903dcc60e255da38b66339311f01e6a4a5465
Instruction ID: a93dbb9ac59ff84e0dd52da17728a8021c6c376fd11c976e0651eabac9befa74
Opcode Fuzzy Hash: 85263cbe145a771239ca3c8e3c8903dcc60e255da38b66339311f01e6a4a5465
Instruction Fuzzy Hash: D021F5B6600705ABD334CE59D880E9BB3FDEFA031CF50062EE90587A00E7B1EA198791

Function 0040A160 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040A187
free.MSVCRT ref: 0040A1D1
LeaveCriticalSection.KERNEL32 ref: 0040A1DD

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 5a6a9aecb08d4dbab69b272cecf5a8e366ddeead7f89e3dbb92cf09a74704c7f
Instruction ID: 205ad730fa9d849b6dcd85aca9a8edb478e236a23f6659a9e29df5da5504daa6
Opcode Fuzzy Hash: 5a6a9aecb08d4dbab69b272cecf5a8e366ddeead7f89e3dbb92cf09a74704c7f
Instruction Fuzzy Hash: 79015B747002028FD700EF79D98545ABBE0BB64304B988A7AE845DB351E738EC95CB4B

Function 0040A050 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0040A060
TlsGetValue.KERNEL32 ref: 0040A085
GetLastError.KERNEL32 ref: 0040A090
LeaveCriticalSection.KERNEL32 ref: 0040A0B0

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: deaaa24b9fa4b4d1e7b522dcaef3998b3bbfd73c4541e91bdd6be517b23479c5
Instruction ID: 1d3ce6b71eab003d7cf42bd7384e75d6cbe8db24f84eea3f059a5883f4db0426
Opcode Fuzzy Hash: deaaa24b9fa4b4d1e7b522dcaef3998b3bbfd73c4541e91bdd6be517b23479c5
Instruction Fuzzy Hash: 08F0DC7A5007048BCB00BFBAE94828ABBF4FB94310F454539DC9893310D739A829CACB

Function 00401C20 Relevance: 5.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,?,?,00401CB0,0040284B), ref: 00401C38
strcat.MSVCRT(?,?,?,00401CB0,0040284B), ref: 00401C54
strcpy.MSVCRT(?,?,?,00401CB0,0040284B), ref: 00401C60
strcpy.MSVCRT ref: 00401C76

Memory Dump Source

Source File: 00000002.00000002.2194757293.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2194743246.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194773005.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194787099.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000422000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000562000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000564000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000566000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2194816278.0000000000568000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_main.jbxd

Similarity

API ID: strcpy$strcat
String ID:
API String ID: 3927648046-0
Opcode ID: 6c814ddd8a824b4bd2636785863bacbba6574ce59f97f3a803a5a9257da0b1bd
Instruction ID: 9c2cac98e7d877e8ae7db83d823dbc52851c1e70b87a1bb4017c5684ab7af4db
Opcode Fuzzy Hash: 6c814ddd8a824b4bd2636785863bacbba6574ce59f97f3a803a5a9257da0b1bd
Instruction Fuzzy Hash: 7FF01DB28193109BD700BF29D98114EBBE8EF84758F41896EF8C867346C3749556CB97

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report main.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI10802\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI10802\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI10802\_ssl.pyd

C:\Users\user\AppData\Local\Temp\_MEI10802\bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI10802\data.exe.manifest

C:\Users\user\AppData\Local\Temp\_MEI10802\microsoft.vc90.crt.manifest

C:\Users\user\AppData\Local\Temp\_MEI10802\msvcm90.dll

C:\Users\user\AppData\Local\Temp\_MEI10802\msvcp90.dll

C:\Users\user\AppData\Local\Temp\_MEI10802\msvcr90.dll

C:\Users\user\AppData\Local\Temp\_MEI10802\python27.dll

C:\Users\user\AppData\Local\Temp\_MEI10802\select.pyd

C:\Users\user\AppData\Local\Temp\_MEI10802\unicodedata.pyd

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
main.exe

Function 00401910 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 192
COMMON

Function 00401610 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 145
COMMON

Function 00401179 Relevance: 16.7, APIs: 11, Instructions: 205
sleepCOMMON

Function 00401850 Relevance: 6.1, APIs: 4, Instructions: 58
fileCOMMON

Function 00404C80 Relevance: 22.6, APIs: 15, Instructions: 101
processsynchronizationCOMMON

Function 004046D0 Relevance: 12.1, APIs: 8, Instructions: 55
stringCOMMON

Function 00404800 Relevance: 10.6, APIs: 7, Instructions: 70
stringCOMMON

Function 0040A620 Relevance: 9.2, APIs: 6, Instructions: 158
stringCOMMON

Function 004048FC Relevance: 7.5, APIs: 5, Instructions: 43
stringCOMMON

Function 00401550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMON

Function 00404899 Relevance: 4.5, APIs: 3, Instructions: 26
COMMON

Function 00404930 Relevance: 3.0, APIs: 2, Instructions: 43
stringCOMMON

Function 00404E29 Relevance: 3.0, APIs: 2, Instructions: 18
synchronizationCOMMON

Function 0040A76C Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 00402E70 Relevance: 1.5, APIs: 1, Instructions: 22
COMMON