Edit tour

Windows Analysis Report
zapret.exe

Overview

General Information

Sample name:	zapret.exe
Analysis ID:	1577920
MD5:	45bc44427d305237d57849356227056a
SHA1:	5e50dd554abf2530275fd66f29973d0c578bf0cf
SHA256:	39fe3d80771b4bc7408b56c801c2da4ffb7f9f6a982aa5b1104084c98d5701c6
Tags:	CoinMinerexegeofencedRUSuser-sa6ta6ni6c
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to infect the boot sector

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

zapret.exe (PID: 5004 cmdline: "C:\Users\user\Desktop\zapret.exe" MD5: 45BC44427D305237D57849356227056A)

zapret.exe (PID: 6844 cmdline: "C:\Users\user\Desktop\zapret.exe" MD5: 45BC44427D305237D57849356227056A)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.8% probability

Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FA43A0 PyCFunction_NewEx,CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,clock,clock,clock,clock,CryptReleaseContext,	2_2_66FA43A0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8732FD0 ERR_put_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	2_2_00007FF8A8732FD0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87344C0 X509_VERIFY_PARAM_free,CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,ENGINE_finish,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FF8A87344C0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871FDB0 EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,strncmp,strncmp,strncmp,strncmp,strncmp,	2_2_00007FF8A871FDB0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87489D0 EVP_MD_size,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,EVP_DigestInit_ex,BIO_ctrl,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key,EVP_DigestSignInit,EVP_DigestUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,	2_2_00007FF8A87489D0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A876E910 EVP_PKEY_CTX_new,X509_get0_pubkey,ERR_clear_error,EVP_PKEY_decrypt,EVP_PKEY_CTX_ctrl,EVP_PKEY_CTX_free,	2_2_00007FF8A876E910
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711BEF ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,OPENSSL_LH_new,OPENSSL_sk_num,EVP_get_digestbyname,EVP_get_digestbyname,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,RAND_bytes,RAND_priv_bytes,RAND_priv_bytes,RAND_priv_bytes,	2_2_00007FF8A8711BEF
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A875A940 X509_get0_pubkey,CRYPTO_malloc,RAND_bytes,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FF8A875A940
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871EA80 EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,	2_2_00007FF8A871EA80
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8744AD0 CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,	2_2_00007FF8A8744AD0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87124BE CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A87124BE
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8718AF0 CRYPTO_free,	2_2_00007FF8A8718AF0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8770AF0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8770AF0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711B54 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FF8A8711B54
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A875CA20 CRYPTO_free,CRYPTO_free,	2_2_00007FF8A875CA20
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872EA40 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_flags,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,	2_2_00007FF8A872EA40
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A874EA60 CRYPTO_realloc,	2_2_00007FF8A874EA60
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87123D3 CRYPTO_free,CRYPTO_malloc,memcmp,CRYPTO_memdup,	2_2_00007FF8A87123D3
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8756A70 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8756A70
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8712063 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FF8A8712063
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8742BA0 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,	2_2_00007FF8A8742BA0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711848 CRYPTO_zalloc,CRYPTO_free,	2_2_00007FF8A8711848
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A876CBB0 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,memcmp,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,memcpy,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,CRYPTO_memcmp,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A876CBB0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8726B53 CRYPTO_free,CRYPTO_strdup,ERR_put_error,ERR_put_error,	2_2_00007FF8A8726B53
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A876EC80 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,	2_2_00007FF8A876EC80
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A874ECA0 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A874ECA0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A875ACC0 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A875ACC0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871179E CRYPTO_free,	2_2_00007FF8A871179E
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871191A ERR_put_error,memcpy,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_new_reserve,OPENSSL_sk_value,CRYPTO_dup_ex_data,BIO_ctrl,BIO_ctrl,BIO_up_ref,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,	2_2_00007FF8A871191A
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8746CF0 CRYPTO_free,CRYPTO_free,	2_2_00007FF8A8746CF0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871212B EVP_MD_CTX_new,EVP_MD_CTX_copy_ex,CRYPTO_memcmp,memcpy,memcpy,	2_2_00007FF8A871212B
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711253 CRYPTO_free,	2_2_00007FF8A8711253
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8726C53 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A8726C53
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8746C50 CRYPTO_free,	2_2_00007FF8A8746C50
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87123C4 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A87123C4
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8738D80 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	2_2_00007FF8A8738D80
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8712301 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8712301
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8762DB0 CRYPTO_malloc,memcpy,	2_2_00007FF8A8762DB0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711028 EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_new,RSA_pkey_ctx_ctrl,CRYPTO_free,EVP_MD_CTX_free,EVP_MD_CTX_free,	2_2_00007FF8A8711028
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8756D00 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A8756D00
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87118B6 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FF8A87118B6
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A873CD70 CRYPTO_malloc,CRYPTO_clear_free,	2_2_00007FF8A873CD70
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8746EB0 CRYPTO_free,	2_2_00007FF8A8746EB0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A876AEB0 CRYPTO_memcmp,	2_2_00007FF8A876AEB0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8718E00 CRYPTO_malloc,ERR_put_error,	2_2_00007FF8A8718E00
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8746E40 CRYPTO_free,	2_2_00007FF8A8746E40
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A877AE40 memset,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_put_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,memset,	2_2_00007FF8A877AE40
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871141F EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FF8A871141F
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711A05 EVP_MD_size,EVP_CIPHER_iv_length,EVP_CIPHER_key_length,CRYPTO_clear_free,CRYPTO_malloc,	2_2_00007FF8A8711A05
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A876EF80 EVP_PKEY_get0_RSA,RSA_size,RSA_size,CRYPTO_malloc,RAND_priv_bytes,CRYPTO_free,	2_2_00007FF8A876EF80
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8738FE0 ERR_put_error,ERR_put_error,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_free,ERR_put_error,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,	2_2_00007FF8A8738FE0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8760F00 CRYPTO_free,	2_2_00007FF8A8760F00
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87118C0 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A87118C0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8776F30 CRYPTO_free,CRYPTO_malloc,ERR_put_error,	2_2_00007FF8A8776F30
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871242D CRYPTO_free,CRYPTO_memdup,ERR_put_error,	2_2_00007FF8A871242D
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711ACD CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_new_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FF8A8711ACD
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A873F0E0 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FF8A873F0E0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8719020 CRYPTO_zalloc,ERR_put_error,	2_2_00007FF8A8719020
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8712275 CRYPTO_free,	2_2_00007FF8A8712275
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8729040 ERR_put_error,ASN1_item_free,memcpy,_time64,X509_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ASN1_item_free,	2_2_00007FF8A8729040
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8712496 CRYPTO_free,CRYPTO_malloc,memcpy,	2_2_00007FF8A8712496
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A875A190 EVP_DigestUpdate,EVP_MD_CTX_free,EVP_PKEY_CTX_free,EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	2_2_00007FF8A875A190
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87581AE CRYPTO_free,CRYPTO_free,	2_2_00007FF8A87581AE
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8712130 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,	2_2_00007FF8A8712130
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87120FB CRYPTO_malloc,	2_2_00007FF8A87120FB
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711B9F CRYPTO_free,CRYPTO_malloc,	2_2_00007FF8A8711B9F
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8762110 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,memcpy,memcpy,	2_2_00007FF8A8762110
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711EA1 CRYPTO_strdup,CRYPTO_free,	2_2_00007FF8A8711EA1
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711E97 memchr,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,CRYPTO_memcmp,	2_2_00007FF8A8711E97
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87119E7 CRYPTO_malloc,ERR_put_error,CRYPTO_free,	2_2_00007FF8A87119E7
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A873C290 CRYPTO_free,CRYPTO_free,	2_2_00007FF8A873C290
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87119B5 CRYPTO_malloc,	2_2_00007FF8A87119B5
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711C1C EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_malloc,	2_2_00007FF8A8711C1C
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A873C380 ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,ERR_put_error,	2_2_00007FF8A873C380
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87763A0 CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A87763A0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871150F CRYPTO_free,	2_2_00007FF8A871150F
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87118CA CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A87118CA
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711357 memcmp,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,memcmp,memcmp,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A8711357
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8712239 BIO_s_file,BIO_new,BIO_ctrl,strncmp,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,	2_2_00007FF8A8712239
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711EEC EVP_MD_CTX_new,X509_get0_pubkey,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_id,EVP_PKEY_size,EVP_DigestVerifyInit,EVP_PKEY_id,CRYPTO_malloc,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestVerify,BIO_free,EVP_MD_CTX_free,CRYPTO_free,	2_2_00007FF8A8711EEC
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8714407 CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_set_data,BIO_clear_flags,	2_2_00007FF8A8714407
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8728430 CRYPTO_malloc,memset,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,OPENSSL_cleanse,	2_2_00007FF8A8728430
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87124F5 CRYPTO_free,	2_2_00007FF8A87124F5
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A875A5D0 memset,CRYPTO_strdup,CRYPTO_free,CRYPTO_free,OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FF8A875A5D0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872A530 CRYPTO_THREAD_run_once,	2_2_00007FF8A872A530
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711230 memcpy,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,memcmp,_time64,	2_2_00007FF8A8711230
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A873C540 ERR_put_error,ERR_put_error,ERR_put_error,EVP_MD_size,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_malloc,ERR_put_error,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,ERR_put_error,EVP_PKEY_free,X509_get0_pubkey,X509_free,OPENSSL_sk_push,ERR_put_error,X509_free,ERR_put_error,	2_2_00007FF8A873C540
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8718560 CRYPTO_zalloc,ERR_put_error,	2_2_00007FF8A8718560
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87117B2 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A87117B2
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8718610 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,	2_2_00007FF8A8718610
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8742620 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,OPENSSL_LH_retrieve,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FF8A8742620
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8714630 BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,	2_2_00007FF8A8714630
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711F82 CRYPTO_free,BIO_clear_flags,BIO_set_flags,BIO_snprintf,ERR_add_error_data,memcpy,	2_2_00007FF8A8711F82
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711FA0 BN_bin2bn,BN_is_zero,CRYPTO_free,CRYPTO_strdup,CRYPTO_clear_free,	2_2_00007FF8A8711FA0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87122C5 ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A87122C5
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711726 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A8711726
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87607E0 CRYPTO_malloc,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,CRYPTO_free,	2_2_00007FF8A87607E0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8746700 CRYPTO_free,	2_2_00007FF8A8746700
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872C710 CRYPTO_get_ex_new_index,	2_2_00007FF8A872C710
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871184D CRYPTO_free,	2_2_00007FF8A871184D
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8760740 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A8760740
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872C770 i2d_X509_NAME,i2d_X509_NAME,memcmp,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A872C770
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8746770 CRYPTO_free,CRYPTO_strdup,CRYPTO_free,	2_2_00007FF8A8746770
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711B40 CRYPTO_THREAD_write_lock,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,	2_2_00007FF8A8711B40
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871252C CRYPTO_malloc,ERR_put_error,BIO_snprintf,	2_2_00007FF8A871252C
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711D9D CONF_parse_list,ERR_put_error,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A8711D9D
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8733900 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8733900
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87116E0 CRYPTO_zalloc,	2_2_00007FF8A87116E0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872D940 CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	2_2_00007FF8A872D940
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872F960 strncmp,strncmp,strncmp,strncmp,ERR_put_error,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,ERR_put_error,strncmp,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_free,	2_2_00007FF8A872F960
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8761960 EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,	2_2_00007FF8A8761960
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87121AD memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,	2_2_00007FF8A87121AD
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711EF1 CRYPTO_malloc,memcpy,memcpy,memcmp,memcmp,memcmp,ERR_put_error,CRYPTO_clear_free,	2_2_00007FF8A8711EF1
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8767AE0 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8767AE0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711CC6 CRYPTO_malloc,COMP_expand_block,	2_2_00007FF8A8711CC6
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872DA30 COMP_zlib,CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	2_2_00007FF8A872DA30
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8749A30 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	2_2_00007FF8A8749A30
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87117CB CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	2_2_00007FF8A87117CB
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A874FA50 CRYPTO_memcmp,	2_2_00007FF8A874FA50
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711D43 BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,	2_2_00007FF8A8711D43
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871109B CRYPTO_free,CRYPTO_memdup,CRYPTO_memdup,	2_2_00007FF8A871109B
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8717BA0 CRYPTO_free,	2_2_00007FF8A8717BA0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871DBE0 CRYPTO_free,	2_2_00007FF8A871DBE0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87116B3 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,CRYPTO_free,ERR_clear_error,OPENSSL_sk_value,X509_get0_pubkey,EVP_PKEY_missing_parameters,X509_free,X509_up_ref,X509_free,OPENSSL_sk_pop_free,	2_2_00007FF8A87116B3
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872BB70 CRYPTO_zalloc,ERR_put_error,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,	2_2_00007FF8A872BB70
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8729B70 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A8729B70
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8743C80 OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	2_2_00007FF8A8743C80
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871DC90 CRYPTO_free,	2_2_00007FF8A871DC90
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87122F7 CRYPTO_free,	2_2_00007FF8A87122F7
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87117D0 CRYPTO_malloc,memcpy,	2_2_00007FF8A87117D0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8769CDC CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8769CDC
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711E4C CRYPTO_clear_free,	2_2_00007FF8A8711E4C
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8717CF0 CRYPTO_free,	2_2_00007FF8A8717CF0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871DCF0 CRYPTO_free,	2_2_00007FF8A871DCF0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872DC70 CRYPTO_THREAD_run_once,	2_2_00007FF8A872DC70
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A874FD80 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A874FD80
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871DDA0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,	2_2_00007FF8A871DDA0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8747DD0 CRYPTO_zalloc,CRYPTO_free,	2_2_00007FF8A8747DD0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8717DF0 CRYPTO_zalloc,ERR_put_error,	2_2_00007FF8A8717DF0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8767D00 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A8767D00
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8727D40 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8727D40
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8735D50 ERR_put_error,CRYPTO_free,ERR_put_error,BUF_MEM_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,	2_2_00007FF8A8735D50
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711E56 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,CRYPTO_free,	2_2_00007FF8A8711E56
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711CD5 CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8711CD5
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711208 CRYPTO_zalloc,memcpy,memcpy,memcpy,CRYPTO_free,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A8711208
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A875BEF0 EVP_CIPHER_CTX_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A875BEF0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8743E40 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,	2_2_00007FF8A8743E40
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8757E6F CRYPTO_malloc,	2_2_00007FF8A8757E6F
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8725E70 CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A8725E70
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711AB4 CRYPTO_free,	2_2_00007FF8A8711AB4
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8725FAA CRYPTO_free,	2_2_00007FF8A8725FAA
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8719FC0 CRYPTO_malloc,memset,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A8719FC0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8767FC0 CRYPTO_malloc,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,RAND_bytes,EVP_sha256,EVP_EncryptUpdate,EVP_EncryptFinal,HMAC_Update,HMAC_Final,	2_2_00007FF8A8767FC0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8759FC0 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,	2_2_00007FF8A8759FC0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8727FE0 EVP_PKEY_CTX_new,EVP_PKEY_derive_init,EVP_PKEY_derive_set_peer,EVP_PKEY_derive,CRYPTO_malloc,EVP_PKEY_derive,CRYPTO_clear_free,EVP_PKEY_CTX_free,	2_2_00007FF8A8727FE0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871DFE0 CRYPTO_malloc,	2_2_00007FF8A871DFE0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87114FB CRYPTO_free,CRYPTO_memdup,ERR_put_error,	2_2_00007FF8A87114FB
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711B8B CRYPTO_free,CRYPTO_malloc,	2_2_00007FF8A8711B8B
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8717F50 CRYPTO_zalloc,ERR_put_error,	2_2_00007FF8A8717F50
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A874FF70 CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A874FF70
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87240B0 CRYPTO_clear_free,	2_2_00007FF8A87240B0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711249 CRYPTO_zalloc,ERR_put_error,_time64,CRYPTO_THREAD_lock_new,ERR_put_error,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,memcpy,	2_2_00007FF8A8711249
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711F5F CRYPTO_strdup,	2_2_00007FF8A8711F5F
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711B0E memset,OPENSSL_cleanse,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,CRYPTO_memcmp,	2_2_00007FF8A8711B0E
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A873C0F0 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	2_2_00007FF8A873C0F0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871210D HMAC_CTX_new,EVP_CIPHER_CTX_new,EVP_sha256,HMAC_Init_ex,EVP_aes_256_cbc,HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,memcpy,ERR_clear_error,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,	2_2_00007FF8A871210D
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8732010 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FF8A8732010
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87115C8 EVP_MD_CTX_new,EVP_PKEY_new,EVP_PKEY_assign,DH_free,EVP_PKEY_security_bits,EVP_PKEY_get0_DH,EVP_PKEY_free,DH_get0_key,EVP_PKEY_get1_tls_encodedpoint,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,BN_num_bits,BN_num_bits,memset,BN_num_bits,BN_bn2bin,CRYPTO_free,EVP_PKEY_size,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestSign,CRYPTO_free,EVP_MD_CTX_free,	2_2_00007FF8A87115C8
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871402B BIO_get_data,BIO_get_shutdown,BIO_get_init,BIO_clear_flags,BIO_set_init,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,BIO_set_init,BIO_clear_flags,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,	2_2_00007FF8A871402B
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8712243 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	2_2_00007FF8A8712243
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711AFF CRYPTO_malloc,CRYPTO_mem_ctrl,OPENSSL_sk_find,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,OPENSSL_sk_push,CRYPTO_mem_ctrl,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,	2_2_00007FF8A8711AFF
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711C3A X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	2_2_00007FF8A8711C3A
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8747150 CRYPTO_free,	2_2_00007FF8A8747150
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87110A5 CRYPTO_zalloc,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,ERR_put_error,EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	2_2_00007FF8A87110A5
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8727290 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,	2_2_00007FF8A8727290
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871165E CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A871165E
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711D7F BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,BN_copy,BN_free,BN_dup,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A8711D7F
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8712176 EVP_MD_CTX_new,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestSignInit,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,EVP_DigestSign,BUF_reverse,CRYPTO_free,EVP_MD_CTX_free,CRYPTO_free,EVP_MD_CTX_free,	2_2_00007FF8A8712176
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8712144 CRYPTO_free,CRYPTO_malloc,RAND_bytes,	2_2_00007FF8A8712144
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711F55 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8711F55
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872D3E0 CRYPTO_THREAD_run_once,	2_2_00007FF8A872D3E0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711C03 CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A8711C03
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711005 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,	2_2_00007FF8A8711005
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711690 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A8711690
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711681 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8711681
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871207C CRYPTO_free,_time64,CRYPTO_free,CRYPTO_malloc,EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free,	2_2_00007FF8A871207C
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A876F4A0 BN_bin2bn,BN_ucmp,BN_is_zero,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A876F4A0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A874F4D0 CRYPTO_memdup,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A874F4D0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871125D BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FF8A871125D
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871101E EVP_PKEY_free,BN_num_bits,BN_bn2bin,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_clear_free,	2_2_00007FF8A871101E
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8753440 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,_time64,memcpy,OPENSSL_cleanse,OPENSSL_cleanse,EVP_MD_size,	2_2_00007FF8A8753440
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A873546A CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A873546A
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871186B CRYPTO_free,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A871186B
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711AB9 CONF_parse_list,CRYPTO_malloc,ERR_put_error,memcpy,CRYPTO_free,CRYPTO_free,	2_2_00007FF8A8711AB9
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8719510 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memset,CRYPTO_free,	2_2_00007FF8A8719510
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8749570 CRYPTO_memcmp,	2_2_00007FF8A8749570
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87124B9 OPENSSL_sk_new_null,d2i_X509,CRYPTO_free,OPENSSL_sk_push,OPENSSL_sk_num,CRYPTO_memcmp,CRYPTO_free,X509_free,OPENSSL_sk_pop_free,OPENSSL_sk_value,X509_get0_pubkey,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,	2_2_00007FF8A87124B9
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872F6F0 CRYPTO_zalloc,ERR_put_error,CRYPTO_free,	2_2_00007FF8A872F6F0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87120DB CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	2_2_00007FF8A87120DB
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87112E4 EVP_MD_size,RAND_bytes,_time64,CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A87112E4
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A875F640 CRYPTO_free,CRYPTO_free,CRYPTO_strndup,	2_2_00007FF8A875F640
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8731790 CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A8731790
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A874F7A0 CRYPTO_free,CRYPTO_free,	2_2_00007FF8A874F7A0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A877B7A0 SRP_Calc_u,BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,CRYPTO_clear_free,BN_clear_free,	2_2_00007FF8A877B7A0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711F0F CRYPTO_free,CRYPTO_malloc,memcpy,	2_2_00007FF8A8711F0F
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711505 CRYPTO_free,CRYPTO_malloc,ERR_put_error,memcpy,	2_2_00007FF8A8711505
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8767720 CRYPTO_memcmp,	2_2_00007FF8A8767720
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8719770 CRYPTO_malloc,ERR_put_error,CRYPTO_free,	2_2_00007FF8A8719770
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87578A7 CRYPTO_clear_free,	2_2_00007FF8A87578A7
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711104 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	2_2_00007FF8A8711104
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87122B1 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	2_2_00007FF8A87122B1
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8749810 CRYPTO_free,CRYPTO_memdup,	2_2_00007FF8A8749810

Source: zapret.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32trace.pdb source: zapret.exe, 00000000.00000003.2068985818.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, win32trace.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdb source: mfc140u.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2135720032.00007FF8B8B24000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32ui.pdb source: win32ui.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: zapret.exe, 00000002.00000002.2132556960.00007FF8B7E0D000.00000002.00000001.01000000.00000011.sdmp, _ssl.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pythoncom.pdb}},GCTL source: zapret.exe, 00000002.00000002.2131916780.00007FF8A934C000.00000002.00000001.01000000.0000000C.sdmp, pythoncom38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2132763758.00007FF8B7E29000.00000002.00000001.01000000.0000000F.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python3.pdb source: zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2134235567.00007FF8B8792000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2136392190.00007FF8B8CB5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: zapret.exe, 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32api.pdb source: zapret.exe, 00000002.00000002.2133818741.00007FF8B7E53000.00000002.00000001.01000000.0000000D.sdmp, win32api.pyd.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: zapret.exe, 00000002.00000002.2130097533.00007FF8A8A03000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\_win32sysloader.pdb source: zapret.exe, 00000000.00000003.2060688642.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: zapret.exe, 00000002.00000002.2131071431.00007FF8A8DFD000.00000002.00000001.01000000.00000004.sdmp, python38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: zapret.exe, 00000002.00000002.2136778868.00007FF8B93D1000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2135720032.00007FF8B8B24000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32api.pdb!! source: zapret.exe, 00000002.00000002.2133818741.00007FF8B7E53000.00000002.00000001.01000000.0000000D.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: zapret.exe, 00000000.00000003.2058908075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2138050250.00007FF8BA4F5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2136072058.00007FF8B8B3E000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdbGCTL source: mfc140u.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_queue.pdb source: zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2136204551.00007FF8B8C13000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: zapret.exe, 00000000.00000003.2058767862.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2137773328.00007FF8BA24E000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_elementtree.pdb source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pywintypes.pdb source: zapret.exe, 00000002.00000002.2136533457.00007FF8B8F81000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32ui.pdbOO source: win32ui.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pywintypes.pdb** source: zapret.exe, 00000002.00000002.2136533457.00007FF8B8F81000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: zapret.exe, 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: zapret.exe, 00000002.00000002.2130097533.00007FF8A8A03000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2137471577.00007FF8B9843000.00000002.00000001.01000000.00000010.sdmp, select.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: zapret.exe, 00000000.00000003.2068218816.000001DB34C18000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2128922469.00007FF8A8705000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: vcruntime140.amd64.pdb source: zapret.exe, 00000000.00000003.2058767862.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2137773328.00007FF8BA24E000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: zapret.exe, 00000000.00000003.2058908075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2138050250.00007FF8BA4F5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pythoncom.pdb source: zapret.exe, 00000002.00000002.2131916780.00007FF8A934C000.00000002.00000001.01000000.0000000C.sdmp, pythoncom38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\pyexpat.pdb source: pyexpat.pyd.0.dr

Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF6304885E0 FindFirstFileExW,FindClose,		0_2_00007FF6304885E0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF6304885E0 FindFirstFileExW,FindClose,		2_2_00007FF6304885E0

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\zapret.exe

Code function: 2_2_66F93330 strchr,WSAStartup,gethostbyname,socket,htons,ioctlsocket,ioctlsocket,connect,ioctlsocket,send,send,WSAGetLastError,closesocket,WSACleanup,SetLastError,recv,recv,closesocket,WSACleanup,strstr,toupper,strstr,toupper,toupper,toupper,toupper,strstr,memcmp,memcmp,_mktime64,gethostbyname,WSAGetLastError,WSAGetLastError,ioctlsocket,WSAGetLastError,WSAGetLastError,WSACleanup,SetLastError,WSAGetLastError,select,ioctlsocket,

2_2_66F93330

Source: global traffic

DNS traffic detected: DNS query: brave.com

Source: zapret.exe, 00000002.00000002.2128151843.000001B217EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: zapret.exe, 00000002.00000003.2121640690.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120830021.000001B217BC8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121094715.000001B217BB7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127875259.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: zapret.exe, 00000002.00000003.2123891130.000001B217B02000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127656236.000001B217B03000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119368226.000001B217236000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125209053.000001B21723D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121004271.000001B217B56000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121403944.000001B2172E3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120673174.000001B217B50000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121004271.000001B217B56000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120673174.000001B217B50000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlz
Source: zapret.exe, 00000002.00000003.2121640690.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120830021.000001B217BC8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121094715.000001B217BB7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127875259.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: zapret.exe, 00000002.00000003.2121640690.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120830021.000001B217BC8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127875259.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl=
Source: zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121094715.000001B217BB7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlq(
Source: zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlv
Source: zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122959940.000001B217689000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122349642.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125603066.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119493651.000001B217325000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122959940.000001B217689000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122349642.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125603066.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119493651.000001B217325000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122349642.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125603066.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119493651.000001B217325000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: zapret.exe, 00000002.00000002.2128151843.000001B217EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: zapret.exe, 00000002.00000002.2128426869.000001B218070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: zapret.exe, 00000002.00000003.2122431522.000001B2175D4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122286661.000001B2175BE000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122018070.000001B2175BE000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119113492.000001B2175B9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118361208.000001B2175B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: zapret.exe, 00000002.00000003.2122446223.000001B217287000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119368226.000001B217236000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122882692.000001B217288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125624193.000001B21732E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119493651.000001B217325000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120161558.000001B21732D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121987899.000001B21732E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: zapret.exe, 00000002.00000003.2118820827.000001B2151A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json.org
Source: zapret.exe, 00000002.00000002.2128394120.000001B218030000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: zapret.exe, 00000002.00000003.2119368226.000001B217236000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125209053.000001B21723D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B7B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: python38.dll.0.dr	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124535097.000001B215182000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127588435.000001B217AC4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120673174.000001B217B50000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122936495.000001B217AC1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124300041.000001B2150D0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118650744.000001B215181000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124535097.000001B215182000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118650744.000001B215181000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/lj
Source: zapret.exe, 00000002.00000002.2127210645.000001B217A00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119368226.000001B217236000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B7B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125209053.000001B21723D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123406285.000001B217310000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121874022.000001B217310000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122610963.000001B217310000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119894716.000001B21730E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120629377.000001B21730F000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119842010.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125574803.000001B217311000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B7B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: zapret.exe, 00000002.00000003.2123891130.000001B217B02000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127656236.000001B217B03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B7B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: zapret.exe, 00000002.00000003.2123891130.000001B217B02000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127656236.000001B217B03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htmW
Source: zapret.exe, 00000002.00000003.2123891130.000001B217B02000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127656236.000001B217B03000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B7B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: zapret.exe, 00000002.00000003.2120046156.000001B217BD1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B89000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120615987.000001B217BE0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120212797.000001B217BD2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121182830.000001B217B9A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120801442.000001B217B88000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122349642.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125603066.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119493651.000001B217325000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: zapret.exe, 00000002.00000003.2076082087.000001B2151A6000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122804476.000001B2176B5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121968842.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2074773023.000001B215162000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/
Source: zapret.exe, 00000000.00000003.2069561192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125807314.000001B2173F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: zapret.exe, 00000002.00000003.2073203885.000001B21519E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124909881.000001B217170000.00000004.00001000.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2073678374.000001B21519E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: zapret.exe, 00000002.00000003.2122413044.000001B2176B8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121968842.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126547748.000001B2176BD000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122804476.000001B2176B9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123803434.000001B2176BA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122304666.000001B217699000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: zapret.exe, 00000002.00000002.2128495657.000001B218110000.00000004.00001000.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126566572.000001B2176C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://brave.com/api/webhooks/123
Source: zapret.exe, 00000002.00000002.2128495657.000001B218110000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://brave.com/api/webhooks/12309
Source: zapret.exe, 00000002.00000002.2128495657.000001B218110000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://brave.com/api/webhooks/123p5
Source: zapret.exe, 00000002.00000002.2126566572.000001B2176C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://brave.com/api/webhooks/123te
Source: zapret.exe, 00000002.00000002.2126756760.000001B217780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: zapret.exe, 00000002.00000003.2122804476.000001B2176B5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121968842.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124535097.000001B215182000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123787336.000001B215172000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072991572.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124514532.000001B215175000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21515D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072664727.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2074773023.000001B215162000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072452190.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2076222294.000001B216971000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071365647.000001B216975000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072855859.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122461721.000001B21515C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071432636.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118650744.000001B215181000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072024414.000001B215185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123732026.000001B217665000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126443084.000001B217668000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/gi1
Source: zapret.exe, 00000002.00000002.2128426869.000001B218070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: zapret.exe, zapret.exe, 00000002.00000002.2132102018.00007FF8A9394000.00000002.00000001.01000000.0000000C.sdmp, zapret.exe, 00000002.00000002.2134028049.00007FF8B7E61000.00000002.00000001.01000000.0000000D.sdmp, zapret.exe, 00000002.00000002.2136679841.00007FF8B8F92000.00000002.00000001.01000000.00000008.sdmp, win32api.pyd.0.dr, pythoncom38.dll.0.dr, win32trace.pyd.0.dr, win32ui.pyd.0.dr	String found in binary or memory: https://github.com/mhammond/pywin32
Source: zapret.exe, 00000002.00000002.2128253840.000001B217F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: zapret.exe, 00000002.00000002.2124753096.000001B216DF0000.00000004.00001000.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071365647.000001B216975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: zapret.exe, 00000002.00000003.2072024414.000001B215185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124535097.000001B215182000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123787336.000001B215172000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072991572.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124514532.000001B215175000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21515D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072664727.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2074773023.000001B215162000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072452190.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2076222294.000001B216971000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071365647.000001B216975000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072855859.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122461721.000001B21515C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071432636.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118650744.000001B215181000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072024414.000001B215185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124535097.000001B215182000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123787336.000001B215172000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072991572.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124514532.000001B215175000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21515D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072664727.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2074773023.000001B215162000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072452190.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2076222294.000001B216971000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071365647.000001B216975000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072855859.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122461721.000001B21515C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071432636.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118650744.000001B215181000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072024414.000001B215185000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: zapret.exe, 00000002.00000002.2126756760.000001B217780000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: zapret.exe, 00000002.00000003.2122446223.000001B217287000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119368226.000001B217236000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: zapret.exe, 00000002.00000002.2127178605.000001B2179C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: zapret.exe, 00000002.00000002.2127146360.000001B217980000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: zapret.exe, 00000002.00000002.2127146360.000001B217980000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290p2
Source: zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121847296.000001B2175F7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118361208.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126443084.000001B217668000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120882083.000001B2175F1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119113492.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123732026.000001B217665000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21514C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126443084.000001B217668000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119995573.000001B2151BB000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118604541.000001B215196000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118762022.000001B2151A0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118699130.000001B21519D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119629833.000001B2151A8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118820827.000001B2151A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: zapret.exe, 00000002.00000002.2126756760.000001B217780000.00000004.00001000.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122375388.000001B21762E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: zapret.exe, 00000002.00000002.2125948130.000001B2174D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: zapret.exe, 00000002.00000003.2076082087.000001B2151A6000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122804476.000001B2176B5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121968842.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2074773023.000001B215162000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: zapret.exe, 00000002.00000002.2127178605.000001B2179C0000.00000004.00001000.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127146360.000001B217980000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: zapret.exe, 00000002.00000002.2126566572.000001B2176C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/12kav.json
Source: zapret.exe, 00000002.00000002.2125948130.000001B2174D3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2128253840.000001B217F70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: zapret.exe, 00000002.00000002.2128426869.000001B218070000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119995573.000001B2151BB000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118604541.000001B215196000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118762022.000001B2151A0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118699130.000001B21519D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119629833.000001B2151A8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118820827.000001B2151A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: zapret.exe, 00000002.00000003.2121968842.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121434501.000001B2175F2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121847296.000001B2175F7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118361208.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120882083.000001B2175F1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119113492.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: zapret.exe, 00000002.00000002.2127082201.000001B2178E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: zapret.exe, 00000002.00000002.2127009582.000001B217890000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmp, zapret.exe, 00000002.00000002.2130566931.00007FF8A8AF9000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: zapret.exe, 00000002.00000002.2125948130.000001B2174D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: zapret.exe, 00000002.00000003.2123474620.000001B2175FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121434501.000001B2175F2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126358713.000001B2175FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121847296.000001B2175F7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118361208.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120882083.000001B2175F1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119113492.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121169001.000001B217BAF000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: zapret.exe, 00000002.00000003.2121640690.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120830021.000001B217BC8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127875259.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121169001.000001B217BAF000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/?
Source: zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123732026.000001B217665000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21514C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126443084.000001B217668000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: C:\Users\user\Desktop\zapret.exe

Code function: 2_2_66F93050 WSAStartup,gethostbyname,socket,setsockopt,setsockopt,setsockopt,htons,sendto,sendto,recvfrom,recvfrom,ntohl,ntohl,ntohl,closesocket,WSACleanup,WSAGetLastError,closesocket,WSACleanup,SetLastError,WSAGetLastError,WSACleanup,SetLastError,

2_2_66F93050

Source: C:\Users\user\Desktop\zapret.exe

Code function: 2_2_66F92240: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy,

2_2_66F92240

Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF630488C60	0_2_00007FF630488C60
Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF630482560	0_2_00007FF630482560
Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF63048BE20	0_2_00007FF63048BE20
Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF63048B2A0	0_2_00007FF63048B2A0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF630489640	0_2_00007FF630489640
Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF630489660	0_2_00007FF630489660
Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF63049508A	0_2_00007FF63049508A
Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF630489458	0_2_00007FF630489458
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F87560	2_2_66F87560
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F86560	2_2_66F86560
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F93B90	2_2_66F93B90
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FA36F0	2_2_66FA36F0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FD96A0	2_2_66FD96A0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FE7650	2_2_66FE7650
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FA6640	2_2_66FA6640
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FAC620	2_2_66FAC620
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FD74F5	2_2_66FD74F5
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FD6450	2_2_66FD6450
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F945C0	2_2_66F945C0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FA05A0	2_2_66FA05A0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FA9560	2_2_66FA9560
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FA4520	2_2_66FA4520
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FAE230	2_2_66FAE230
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F953B0	2_2_66F953B0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F97370	2_2_66F97370
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FA80E0	2_2_66FA80E0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F971D0	2_2_66F971D0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F9B170	2_2_66F9B170
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FE7170	2_2_66FE7170
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FA9140	2_2_66FA9140
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F81E10	2_2_66F81E10
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FAAFE0	2_2_66FAAFE0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FADFB0	2_2_66FADFB0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FD7F10	2_2_66FD7F10
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F9FCE0	2_2_66F9FCE0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FFECA0	2_2_66FFECA0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F89C60	2_2_66F89C60
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FC1C50	2_2_66FC1C50
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FD6C10	2_2_66FD6C10
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FE7D70	2_2_66FE7D70
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F87D60	2_2_66F87D60
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F93D10	2_2_66F93D10
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F83AC1	2_2_66F83AC1
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F89AA0	2_2_66F89AA0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FD8A30	2_2_66FD8A30
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FC8A20	2_2_66FC8A20
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FA7BF0	2_2_66FA7BF0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F838D6	2_2_66F838D6
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FC18C2	2_2_66FC18C2
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F97890	2_2_66F97890
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F90832	2_2_66F90832
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_670009D0	2_2_670009D0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66F96810	2_2_66F96810
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FA7800	2_2_66FA7800
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FE09F0	2_2_66FE09F0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF63048B2A0	2_2_00007FF63048B2A0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF630488C60	2_2_00007FF630488C60
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF630489458	2_2_00007FF630489458
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF630482560	2_2_00007FF630482560
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF63048BE20	2_2_00007FF63048BE20
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF630489640	2_2_00007FF630489640
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF630489660	2_2_00007FF630489660
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF63049508A	2_2_00007FF63049508A
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A86012C0	2_2_00007FF8A86012C0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8603758	2_2_00007FF8A8603758
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A86018F0	2_2_00007FF8A86018F0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871FDB0	2_2_00007FF8A871FDB0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87489D0	2_2_00007FF8A87489D0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8722910	2_2_00007FF8A8722910
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871191F	2_2_00007FF8A871191F
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87112B2	2_2_00007FF8A87112B2
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A877CDB4	2_2_00007FF8A877CDB4
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8716D00	2_2_00007FF8A8716D00
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A876EF80	2_2_00007FF8A876EF80
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711BB3	2_2_00007FF8A8711BB3
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872EFC0	2_2_00007FF8A872EFC0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711E6F	2_2_00007FF8A8711E6F
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711357	2_2_00007FF8A8711357
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8712478	2_2_00007FF8A8712478
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8742620	2_2_00007FF8A8742620
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711BF9	2_2_00007FF8A8711BF9
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871210D	2_2_00007FF8A871210D
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87115C8	2_2_00007FF8A87115C8
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711E6A	2_2_00007FF8A8711E6A
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871B4F0	2_2_00007FF8A871B4F0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8725540	2_2_00007FF8A8725540
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A871F695	2_2_00007FF8A871F695
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87124B9	2_2_00007FF8A87124B9
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87123DD	2_2_00007FF8A87123DD
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87112E4	2_2_00007FF8A87112E4
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C1EB0	2_2_00007FF8A87C1EB0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C1AE1	2_2_00007FF8A87C1AE1
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C1F73	2_2_00007FF8A87C1F73
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A895A910	2_2_00007FF8A895A910
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C2112	2_2_00007FF8A87C2112
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C69F6	2_2_00007FF8A87C69F6
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C5204	2_2_00007FF8A87C5204
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C60D7	2_2_00007FF8A87C60D7
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C6717	2_2_00007FF8A87C6717
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C12A8	2_2_00007FF8A87C12A8
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C3EA4	2_2_00007FF8A87C3EA4
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A88FEDB0	2_2_00007FF8A88FEDB0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C1BC7	2_2_00007FF8A87C1BC7
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A88EEE80	2_2_00007FF8A88EEE80
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87DEF00	2_2_00007FF8A87DEF00
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C60DC	2_2_00007FF8A87C60DC
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C51D7	2_2_00007FF8A87C51D7
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C34AE	2_2_00007FF8A87C34AE
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C3EB3	2_2_00007FF8A87C3EB3
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C2671	2_2_00007FF8A87C2671
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87DF060	2_2_00007FF8A87DF060
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C4421	2_2_00007FF8A87C4421
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C3099	2_2_00007FF8A87C3099
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C2D60	2_2_00007FF8A87C2D60
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C24AA	2_2_00007FF8A87C24AA
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C6915	2_2_00007FF8A87C6915
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C4DA4	2_2_00007FF8A87C4DA4
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A88A2410	2_2_00007FF8A88A2410
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C2B2B	2_2_00007FF8A87C2B2B
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C654B	2_2_00007FF8A87C654B
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C6000	2_2_00007FF8A87C6000
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C258B	2_2_00007FF8A87C258B
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C4E7B	2_2_00007FF8A87C4E7B
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A88F6710	2_2_00007FF8A88F6710
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C4129	2_2_00007FF8A87C4129
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C105F	2_2_00007FF8A87C105F
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C6596	2_2_00007FF8A87C6596
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C19D8	2_2_00007FF8A87C19D8
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A88AA870	2_2_00007FF8A88AA870

Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF8A87C1055 appears 402 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF8A87C4688 appears 44 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 67022C70 appears 48 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF8A8711023 appears 576 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF8A877BE25 appears 103 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 67022C28 appears 65 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 66F9D070 appears 235 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF8A87C40F7 appears 129 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF8A87C5DDA appears 192 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF8A877BD8F appears 195 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF8A87C206D appears 35 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF630482CD0 appears 92 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF630482DB0 appears 200 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF8A87C1C08 appears 32 times
Source: C:\Users\user\Desktop\zapret.exe	Code function: String function: 00007FF630482E50 appears 34 times

Source: pyarmor_runtime.pyd.0.dr	Static PE information: Number of sections : 11 > 10
Source: zapret.exe	Static PE information: Number of sections : 12 > 10

Source: python3.dll.0.dr

Static PE information: No import functions for PE file found

Source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_elementtree.pyd. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2067894518.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes38.dll0 vs zapret.exe
Source: zapret.exe, 00000000.00000003.2069175476.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs zapret.exe
Source: zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2060688642.000001DB34C1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs zapret.exe
Source: zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ha vs zapret.exe
Source: zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2058767862.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs zapret.exe
Source: zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs zapret.exe
Source: zapret.exe, 00000000.00000003.2068985818.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs zapret.exe
Source: zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2068849676.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs zapret.exe
Source: zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2060722403.000001DB34C1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs zapret.exe
Source: zapret.exe, 00000000.00000003.2067602689.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom38.dll0 vs zapret.exe
Source: zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs zapret.exe
Source: zapret.exe, 00000000.00000003.2058908075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs zapret.exe
Source: zapret.exe, 00000000.00000003.2060688642.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs zapret.exe
Source: zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs zapret.exe
Source: zapret.exe	Binary or memory string: OriginalFilename vs zapret.exe
Source: zapret.exe, 00000002.00000002.2138107994.00007FF8BA4F9000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs zapret.exe
Source: zapret.exe, 00000002.00000002.2136854239.00007FF8B93DC000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2132102018.00007FF8A9394000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamepythoncom38.dll0 vs zapret.exe
Source: zapret.exe, 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenamelibsslH vs zapret.exe
Source: zapret.exe, 00000002.00000002.2132812301.00007FF8B7E33000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2132654006.00007FF8B7E1C000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2131656032.00007FF8A8F0F000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2136122881.00007FF8B8B44000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2137869137.00007FF8BA253000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs zapret.exe
Source: zapret.exe, 00000002.00000002.2137590553.00007FF8B9846000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2136447303.00007FF8B8CBA000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2134028049.00007FF8B7E61000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs zapret.exe
Source: zapret.exe, 00000002.00000002.2135924074.00007FF8B8B2C000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2130566931.00007FF8A8AF9000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs zapret.exe
Source: zapret.exe, 00000002.00000002.2134235567.00007FF8B8792000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2129328730.00007FF8A870B000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2136252598.00007FF8B8C16000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs zapret.exe
Source: zapret.exe, 00000002.00000002.2136679841.00007FF8B8F92000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamepywintypes38.dll0 vs zapret.exe

Source: classification engine

Classification label: mal48.winEXE@3/34@1/1

Source: C:\Users\user\Desktop\zapret.exe

Code function: 0_2_00007FF630487E50 FormatMessageW,WideCharToMultiByte,GetLastError,

0_2_00007FF630487E50

Source: C:\Users\user\Desktop\zapret.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI50042

Jump to behavior

Source: zapret.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\zapret.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\zapret.exe

File read: C:\Users\user\Desktop\zapret.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\zapret.exe "C:\Users\user\Desktop\zapret.exe"
Source: C:\Users\user\Desktop\zapret.exe	Process created: C:\Users\user\Desktop\zapret.exe "C:\Users\user\Desktop\zapret.exe"
Source: C:\Users\user\Desktop\zapret.exe	Process created: C:\Users\user\Desktop\zapret.exe "C:\Users\user\Desktop\zapret.exe"	Jump to behavior

Source: C:\Users\user\Desktop\zapret.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\zapret.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: zapret.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: zapret.exe

Static file information: File size 10374715 > 1048576

Source: zapret.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32trace.pdb source: zapret.exe, 00000000.00000003.2068985818.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, win32trace.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdb source: mfc140u.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2135720032.00007FF8B8B24000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32ui.pdb source: win32ui.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: zapret.exe, 00000002.00000002.2132556960.00007FF8B7E0D000.00000002.00000001.01000000.00000011.sdmp, _ssl.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pythoncom.pdb}},GCTL source: zapret.exe, 00000002.00000002.2131916780.00007FF8A934C000.00000002.00000001.01000000.0000000C.sdmp, pythoncom38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2132763758.00007FF8B7E29000.00000002.00000001.01000000.0000000F.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python3.pdb source: zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2134235567.00007FF8B8792000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2136392190.00007FF8B8CB5000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: zapret.exe, 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32api.pdb source: zapret.exe, 00000002.00000002.2133818741.00007FF8B7E53000.00000002.00000001.01000000.0000000D.sdmp, win32api.pyd.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: zapret.exe, 00000002.00000002.2130097533.00007FF8A8A03000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\_win32sysloader.pdb source: zapret.exe, 00000000.00000003.2060688642.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: zapret.exe, 00000002.00000002.2131071431.00007FF8A8DFD000.00000002.00000001.01000000.00000004.sdmp, python38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: zapret.exe, 00000002.00000002.2136778868.00007FF8B93D1000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2135720032.00007FF8B8B24000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32api.pdb!! source: zapret.exe, 00000002.00000002.2133818741.00007FF8B7E53000.00000002.00000001.01000000.0000000D.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: zapret.exe, 00000000.00000003.2058908075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2138050250.00007FF8BA4F5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2136072058.00007FF8B8B3E000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdbGCTL source: mfc140u.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_queue.pdb source: zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2136204551.00007FF8B8C13000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: zapret.exe, 00000000.00000003.2058767862.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2137773328.00007FF8BA24E000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_elementtree.pdb source: zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pywintypes.pdb source: zapret.exe, 00000002.00000002.2136533457.00007FF8B8F81000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32ui.pdbOO source: win32ui.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pywintypes.pdb** source: zapret.exe, 00000002.00000002.2136533457.00007FF8B8F81000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: zapret.exe, 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: zapret.exe, 00000002.00000002.2130097533.00007FF8A8A03000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2137471577.00007FF8B9843000.00000002.00000001.01000000.00000010.sdmp, select.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: zapret.exe, 00000000.00000003.2068218816.000001DB34C18000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2128922469.00007FF8A8705000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: vcruntime140.amd64.pdb source: zapret.exe, 00000000.00000003.2058767862.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2137773328.00007FF8BA24E000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: zapret.exe, 00000000.00000003.2058908075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2138050250.00007FF8BA4F5000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pythoncom.pdb source: zapret.exe, 00000002.00000002.2131916780.00007FF8A934C000.00000002.00000001.01000000.0000000C.sdmp, pythoncom38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\pyexpat.pdb source: pyexpat.pyd.0.dr

Source: VCRUNTIME140_1.dll.0.dr

Static PE information: 0xFAEA9D3D [Sun May 27 03:27:57 2103 UTC]

Source: C:\Users\user\Desktop\zapret.exe

Code function: 0_2_00007FF6304815E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF6304815E0

Source: md__mypyc.cp38-win_amd64.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x25d58
Source: _win32sysloader.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xb07b
Source: win32trace.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x145f4
Source: pyarmor_runtime.pyd.0.dr	Static PE information: real checksum: 0xa7ade should be: 0xa0c10
Source: md.cp38-win_amd64.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xb550
Source: win32api.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x30505
Source: pythoncom38.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xb0750
Source: _psutil_windows.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1f645
Source: pywintypes38.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x27641
Source: win32ui.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x11b4b8

Source: zapret.exe	Static PE information: section name: /4
Source: zapret.exe	Static PE information: section name: .xdata
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: pyarmor_runtime.pyd.0.dr	Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_670230A0 push rsp; ret	2_2_670230BA
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_670230A8 push rsp; ret	2_2_670230BA
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_67022C28 push rax; ret	2_2_67022BE2
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_67022BA8 push rax; ret	2_2_67022BE2
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_67022BD0 push rax; ret	2_2_67022BE2
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_67022BD8 push rax; ret	2_2_67022BE2
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872CD28 pushfq ; retf 0001h	2_2_00007FF8A872CD29
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A872CD2C push rbp; retf 0001h	2_2_00007FF8A872CD2D
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8733C39 push 28C48348h; ret	2_2_00007FF8A8733C47
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8755561 push rcx; ret	2_2_00007FF8A8755562

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\zapret.exe	Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d		2_2_66F92240
Source: C:\Users\user\Desktop\zapret.exe	Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d		2_2_66F91E90

Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\pyarmor_runtime_000000\pyarmor_runtime.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32\pywintypes38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32\pythoncom38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI50042\win32api.pyd	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\zapret.exe	Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d		2_2_66F92240
Source: C:\Users\user\Desktop\zapret.exe	Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d		2_2_66F91E90

Source: C:\Users\user\Desktop\zapret.exe

Code function: 0_2_00007FF630484410 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF630484410

Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\pyarmor_runtime_000000\pyarmor_runtime.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32\pywintypes38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\zapret.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32\pythoncom38.dll	Jump to dropped file

Source: C:\Users\user\Desktop\zapret.exe

API coverage: 2.3 %

Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF6304885E0 FindFirstFileExW,FindClose,		0_2_00007FF6304885E0
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF6304885E0 FindFirstFileExW,FindClose,		2_2_00007FF6304885E0

Source: zapret.exe, 00000000.00000003.2069907232.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, cacert.pem.0.dr	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123787336.000001B215172000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21515D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122461721.000001B21515C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cacert.pem.0.dr	Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd

Source: C:\Users\user\Desktop\zapret.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\zapret.exe

Code function: 2_2_66F82C80 PyEval_GetGlobals,PyFunction_NewWithQualName,_PyObject_CallFunction_SizeT,_Py_Dealloc,PyExc_RuntimeError,PyErr_Format,GetProcAddress,strlen,IsDebuggerPresent,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,PyExc_RuntimeError,PyErr_Format,PyExc_RuntimeError,PyErr_Format,PyExc_RuntimeError,PyErr_Format,PyExc_SystemExit,PyExc_SystemExit,PyExc_SystemExit,_errno,_errno,_errno,PyExc_SystemExit,_errno,_errno,_Py_Dealloc,_Py_Dealloc,

2_2_66F82C80

Source: C:\Users\user\Desktop\zapret.exe

Code function: 0_2_00007FF6304815E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF6304815E0

Source: C:\Users\user\Desktop\zapret.exe

Code function: 2_2_66F945C0 GetComputerNameA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersAddresses,HeapFree,strlen,GetProcessHeap,HeapFree,malloc,GetAdaptersAddresses,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersAddresses,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersAddresses,RegOpenKeyExA,RegEnumKeyExA,RegEnumKeyExA,RegGetValueA,strlen,memcmp,RegGetValueA,RegCloseKey,

2_2_66F945C0

Source: C:\Users\user\Desktop\zapret.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\zapret.exe	Code function: 0_2_00007FF630481154 Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,	0_2_00007FF630481154
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_66FFF770 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	2_2_66FFF770
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF630481154 Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,	2_2_00007FF630481154
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8602A48 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8A8602A48
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8603484 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A8603484
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A860366C SetUnhandledExceptionFilter,	2_2_00007FF8A860366C
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A8711D66 __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A8711D66
Source: C:\Users\user\Desktop\zapret.exe	Code function: 2_2_00007FF8A87C4FDE __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8A87C4FDE

Source: C:\Users\user\Desktop\zapret.exe

Process created: C:\Users\user\Desktop\zapret.exe "C:\Users\user\Desktop\zapret.exe"

Jump to behavior

Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32\pywintypes38.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\6m52a7vx VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpt3ztn0zp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32\pythoncom38.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\win32api.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pyarmor_runtime_000000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pyarmor_runtime_000000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pyarmor_runtime_000000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pyarmor_runtime_000000\pyarmor_runtime.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md.cp38-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp38-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\certifi\cacert.pem VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpt3ztn0zp VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpt3ztn0zp\gen_py\__init__.py VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpt3ztn0zp\gen_py\dicts.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\Desktop\zapret.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zapret.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmpt3ztn0zp VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\zapret.exe

Code function: 2_2_66FFF690 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_66FFF690

Source: C:\Users\user\Desktop\zapret.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Bootkit	11 Process Injection	11 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Bootkit	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zapret.exe	8%	ReversingLabs	Win64.Infostealer.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_elementtree.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\_win32sysloader.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md.cp38-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\mfc140u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\pyarmor_runtime_000000\pyarmor_runtime.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\python38.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32\pythoncom38.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32\pywintypes38.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\win32api.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\win32trace.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI50042\win32ui.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://repository.swisssign.com/lj	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/?	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
brave.com	18.66.161.26	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com/	zapret.exe, 00000002.00000003.2122431522.000001B2175D4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122286661.000001B2175BE000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122018070.000001B2175BE000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119113492.000001B2175B9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118361208.000001B2175B6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://brave.com/api/webhooks/123p5	zapret.exe, 00000002.00000002.2128495657.000001B218110000.00000004.00001000.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	zapret.exe, 00000002.00000003.2076082087.000001B2151A6000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122804476.000001B2176B5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121968842.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2074773023.000001B215162000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/giampaolo/psutil/issues/875.	zapret.exe, 00000002.00000002.2128426869.000001B218070000.00000004.00001000.00020000.00000000.sdmp	false		high
http://.../back.jpeg	zapret.exe, 00000002.00000002.2128151843.000001B217EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.python.org/	zapret.exe, 00000002.00000003.2076082087.000001B2151A6000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122804476.000001B2176B5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121968842.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2074773023.000001B215162000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mhammond/pywin32	zapret.exe, zapret.exe, 00000002.00000002.2132102018.00007FF8A9394000.00000002.00000001.01000000.0000000C.sdmp, zapret.exe, 00000002.00000002.2134028049.00007FF8B7E61000.00000002.00000001.01000000.0000000D.sdmp, zapret.exe, 00000002.00000002.2136679841.00007FF8B8F92000.00000002.00000001.01000000.00000008.sdmp, win32api.pyd.0.dr, pythoncom38.dll.0.dr, win32trace.pyd.0.dr, win32ui.pyd.0.dr	false		high
https://httpbin.org/post	zapret.exe, 00000002.00000002.2125948130.000001B2174D3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/?	zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121169001.000001B217BAF000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Ousret/charset_normalizer	zapret.exe, 00000002.00000003.2122804476.000001B2176B5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121968842.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	zapret.exe, 00000002.00000003.2120046156.000001B217BD1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B89000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120615987.000001B217BE0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120212797.000001B217BD2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121182830.000001B217B9A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120801442.000001B217B88000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124535097.000001B215182000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123787336.000001B215172000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072991572.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124514532.000001B215175000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21515D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072664727.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2074773023.000001B215162000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072452190.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2076222294.000001B216971000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071365647.000001B216975000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072855859.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122461721.000001B21515C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071432636.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118650744.000001B215181000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072024414.000001B215185000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	zapret.exe, 00000002.00000002.2127178605.000001B2179C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122959940.000001B217689000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl=	zapret.exe, 00000002.00000003.2121640690.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120830021.000001B217BC8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127875259.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.python.org/download/releases/2.3/mro/.	zapret.exe, 00000002.00000003.2073203885.000001B21519E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124909881.000001B217170000.00000004.00001000.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2073678374.000001B21519E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123732026.000001B217665000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21514C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126443084.000001B217668000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122959940.000001B217689000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl.	zapret.exe, 00000002.00000002.2128426869.000001B218070000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119995573.000001B2151BB000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118604541.000001B215196000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118762022.000001B2151A0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118699130.000001B21519D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119629833.000001B2151A8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118820827.000001B2151A7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/lj	zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124535097.000001B215182000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118650744.000001B215181000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122349642.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125603066.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119493651.000001B217325000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	false		high
https://html.spec.whatwg.org/multipage/	zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119995573.000001B2151BB000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118604541.000001B215196000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118762022.000001B2151A0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118699130.000001B21519D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119629833.000001B2151A8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118820827.000001B2151A7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123406285.000001B217310000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121874022.000001B217310000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122610963.000001B217310000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119894716.000001B21730E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120629377.000001B21730F000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119842010.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125574803.000001B217311000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	zapret.exe, 00000002.00000002.2127009582.000001B217890000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B7B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	zapret.exe, 00000002.00000003.2123474620.000001B2175FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121434501.000001B2175F2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126358713.000001B2175FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121847296.000001B2175F7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118361208.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120882083.000001B2175F1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119113492.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htmW	zapret.exe, 00000002.00000003.2123891130.000001B217B02000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127656236.000001B217B03000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	zapret.exe, 00000002.00000002.2126756760.000001B217780000.00000004.00001000.00020000.00000000.sdmp	false		high
https://brave.com/api/webhooks/123	zapret.exe, 00000002.00000002.2128495657.000001B218110000.00000004.00001000.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126566572.000001B2176C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://requests.readthedocs.io	zapret.exe, 00000002.00000002.2125948130.000001B2174D3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2128253840.000001B217F70000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	zapret.exe, 00000002.00000003.2121640690.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120830021.000001B217BC8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121094715.000001B217BB7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127875259.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	zapret.exe, 00000002.00000002.2128151843.000001B217EF0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	zapret.exe, 00000002.00000003.2119368226.000001B217236000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125209053.000001B21723D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.python.org/dev/peps/pep-0205/	zapret.exe, 00000000.00000003.2069561192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125807314.000001B2173F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/gi1	zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123732026.000001B217665000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126443084.000001B217668000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124535097.000001B215182000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127588435.000001B217AC4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120673174.000001B217B50000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122936495.000001B217AC1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124300041.000001B2150D0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118650744.000001B215181000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://json.org	zapret.exe, 00000002.00000003.2118820827.000001B2151A7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	zapret.exe, 00000002.00000002.2127082201.000001B2178E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	zapret.exe, 00000002.00000002.2124753096.000001B216DF0000.00000004.00001000.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071365647.000001B216975000.00000004.00000020.00020000.00000000.sdmp	false		high
http://python.org/dev/peps/pep-0263/	python38.dll.0.dr	false		high
https://httpbin.org/get	zapret.exe, 00000002.00000002.2126756760.000001B217780000.00000004.00001000.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122375388.000001B21762E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl	zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122349642.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125603066.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119493651.000001B217325000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlq(	zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121094715.000001B217BB7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org	zapret.exe, 00000002.00000002.2125948130.000001B2174D3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm0U	zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B7B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	zapret.exe, 00000002.00000003.2121640690.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120830021.000001B217BC8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127875259.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es0	zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B7B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	zapret.exe, 00000000.00000003.2059337123.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062710904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060223770.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059512795.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2066329192.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065651216.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059170479.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059837904.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060539075.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2065850638.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068218816.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2060352681.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2068036959.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2061873424.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000000.00000003.2059030531.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	false		high
https://brave.com/api/webhooks/12309	zapret.exe, 00000002.00000002.2128495657.000001B218110000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124535097.000001B215182000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123787336.000001B215172000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072991572.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124514532.000001B215175000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21515D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072664727.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2074773023.000001B215162000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072452190.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2076222294.000001B216971000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071365647.000001B216975000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072855859.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122461721.000001B21515C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071432636.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118650744.000001B215181000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072024414.000001B215185000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlv	zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	zapret.exe, 00000002.00000002.2128394120.000001B218030000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121169001.000001B217BAF000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com/	zapret.exe, 00000002.00000003.2121968842.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121434501.000001B2175F2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121847296.000001B2175F7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118361208.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120882083.000001B2175F1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119113492.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/questions/4457745#4457745.	zapret.exe, 00000002.00000002.2128426869.000001B218070000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	zapret.exe, 00000002.00000003.2122413044.000001B2176B8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121968842.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126547748.000001B2176BD000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122804476.000001B2176B9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123803434.000001B2176BA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125624193.000001B21732E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119493651.000001B217325000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120161558.000001B21732D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121987899.000001B21732E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124535097.000001B215182000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123787336.000001B215172000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072991572.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2124514532.000001B215175000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21515D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072664727.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2074773023.000001B215162000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072452190.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2076222294.000001B216971000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071365647.000001B216975000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072855859.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122461721.000001B21515C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2071432636.000001B215185000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118650744.000001B215181000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2072024414.000001B215185000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/	zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121372374.000001B21769E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121847296.000001B2175F7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118361208.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126443084.000001B217668000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118151744.000001B21769C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120882083.000001B2175F1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119113492.000001B2175F0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121999586.000001B2176B4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail/	zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/mail/	zapret.exe, 00000002.00000003.2122446223.000001B217287000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119368226.000001B217236000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122882692.000001B217288000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122349642.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125603066.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119493651.000001B217325000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122304666.000001B217699000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/3290	zapret.exe, 00000002.00000002.2127146360.000001B217980000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119368226.000001B217236000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B7B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125209053.000001B21723D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	zapret.exe, 00000002.00000003.2123891130.000001B217B02000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127656236.000001B217B03000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	zapret.exe, 00000002.00000002.2127210645.000001B217A00000.00000004.00001000.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/12kav.json	zapret.exe, 00000002.00000002.2126566572.000001B2176C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118095231.000001B2172D8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118627914.000001B2172FA000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122349642.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2125603066.000001B217328000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118515360.000001B2172F5000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119493651.000001B217325000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119327364.000001B21730A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118680164.000001B217309000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118203320.000001B2172F4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118170221.000001B2172DD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.openssl.org/H	zapret.exe, 00000000.00000003.2062889137.000001DB34C11000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmp, zapret.exe, 00000002.00000002.2130566931.00007FF8A8AF9000.00000002.00000001.01000000.00000012.sdmp	false		high
http://crl.certigna.fr/certignarootca.crl01	zapret.exe, 00000002.00000003.2121640690.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120750010.000001B217BA0000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120830021.000001B217BC8000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121094715.000001B217BB7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2121333304.000001B217BC7000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127875259.000001B217BC9000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217BA1000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	zapret.exe, 00000002.00000003.2118554995.000001B215126000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119595020.000001B21765E000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119511426.000001B215133000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123732026.000001B217665000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118246349.000001B215104000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2122898532.000001B21514C000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117974263.000001B217642000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118780373.000001B215132000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118988390.000001B217651000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119547324.000001B215148000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119867143.000001B217664000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2126443084.000001B217668000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120579423.000001B217665000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	zapret.exe, 00000002.00000002.2127178605.000001B2179C0000.00000004.00001000.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127146360.000001B217980000.00000004.00001000.00020000.00000000.sdmp	false		high
https://brave.com/api/webhooks/123te	zapret.exe, 00000002.00000002.2126566572.000001B2176C0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/3290p2	zapret.exe, 00000002.00000002.2127146360.000001B217980000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	zapret.exe, 00000002.00000003.2123891130.000001B217B02000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120853906.000001B217AF3000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2118860782.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2123456075.000001B217AF4000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120142523.000001B217AF2000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119708365.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000002.2127656236.000001B217B03000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120782500.000001B217B7A000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120512846.000001B217B6B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120930405.000001B217B7B000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2117756865.000001B217B4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	zapret.exe, 00000002.00000003.2072024414.000001B215185000.00000004.00000020.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	zapret.exe, 00000002.00000002.2126756760.000001B217780000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	zapret.exe, 00000002.00000003.2122446223.000001B217287000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2119368226.000001B217236000.00000004.00000020.00020000.00000000.sdmp, zapret.exe, 00000002.00000003.2120465381.000001B217239000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/psf/requests/pull/6710	zapret.exe, 00000002.00000002.2128253840.000001B217F70000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.66.161.26	brave.com	United States		3	MIT-GATEWAYSUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577920
Start date and time:	2024-12-18 21:34:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zapret.exe
Detection:	MAL
Classification:	mal48.winEXE@3/34@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 75% Number of executed functions: 68 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: zapret.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
brave.com	https://t.co/dTm4CudfP0	Get hash	malicious	Unknown	Browse	18.173.233.74
	https://t.co/dTm4CudfP0	Get hash	malicious	Unknown	Browse	18.173.233.30
	03-13-2023-Invoice-Copy-pdf.html	Get hash	malicious	Unknown	Browse	13.225.78.110

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIT-GATEWAYSUS	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	19.122.130.89
	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	18.165.220.57
	https://em.navan.com/MDM3LUlLWi04NzEAAAGXecU3IyvXka_yOfm1UXs3oOmq7mq-S6uBgGscrsY0kWMgpLalbadmEIYbTEXYqyKQHEXyRQM=	Get hash	malicious	Unknown	Browse	18.66.161.14
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	18.67.71.46
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	19.156.197.86
	2.elf	Get hash	malicious	Unknown	Browse	19.32.199.151
	la.bot.sh4.elf	Get hash	malicious	Mirai	Browse	18.1.117.62
	http://files.playanext.com/v8/avast_secure_browser_setup.exe	Get hash	malicious	Unknown	Browse	18.66.161.21
	https://docs.zoom.us/doc/amQMYMv8RzCj0FS5-u7_7w?from=email	Get hash	malicious	Unknown	Browse	18.161.97.71
	arm5.nn-20241218-1651.elf	Get hash	malicious	Mirai, Okiru	Browse	19.151.81.186

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll	uFVgJVXaEU.exe	Get hash	malicious	RedLine	Browse
	m5804Te9Uw.exe	Get hash	malicious	RedLine	Browse
	zapret.exe	Get hash	malicious	Unknown	Browse
	3Qv3xyyL5G.exe	Get hash	malicious	RedLine	Browse
	K6qneGSDSB.exe	Get hash	malicious	Babadeda, RedLine	Browse
	oKfMLwqaRZ.exe	Get hash	malicious	Unknown	Browse
	mggoBrtk9t.exe	Get hash	malicious	Amadey, RedLine	Browse
	yINR7uQlPr.exe	Get hash	malicious	Amadey, RedLine	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, RedLine, Stealc, Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6m52a7vx

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:qn:qn
MD5:	3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:	DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:	F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:	2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	blat

C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	89752
Entropy (8bit):	6.5021374229557996
Encrypted:	false
SSDEEP:	1536:EFmmAQ77IPzHql9a2k+2v866Xc/0i+N1WtYil42TZiCvecbtjawN+o/J:EQmI+NnXertP42xvecbtjd+ox
MD5:	0E675D4A7A5B7CCD69013386793F68EB
SHA1:	6E5821DDD8FEA6681BDA4448816F39984A33596B
SHA-256:	BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
SHA-512:	CAE69A90F92936FEBDE67DACD6CE77647CB3B3ED82BB66463CD9047E90723F633AA2FC365489DE09FECDC510BE15808C183B12E6236B0893AF19633F6A670E66
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: uFVgJVXaEU.exe, Detection: malicious, Browse Filename: m5804Te9Uw.exe, Detection: malicious, Browse Filename: zapret.exe, Detection: malicious, Browse Filename: 3Qv3xyyL5G.exe, Detection: malicious, Browse Filename: K6qneGSDSB.exe, Detection: malicious, Browse Filename: oKfMLwqaRZ.exe, Detection: malicious, Browse Filename: mggoBrtk9t.exe, Detection: malicious, Browse Filename: yINR7uQlPr.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x.D.x.D.x.D..AD.x.D..=D.x.D.x.D.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx.QD.x.Dx..E.x.DRich.x.D........PE..d....}.Y.........." .........T...............................................`.......Y....`A........................................p...4............@.......0..(.... ...>...P..p.......8...........................@................................................text...$........................... ..`.rdata...6.......8..................@..@.data...0.... ......................@....pdata..(....0......................@..@.rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.702924040492291
Encrypted:	false
SSDEEP:	768:qzzO6ujT3MbR3v0Cz6SKLq83yN+iRxw9zv6JmEpw9zF:3q/o1j3c+iIzv6JmEp4zF
MD5:	05052BE2C36166FF9646D7D00BB7413F
SHA1:	D8D7C4B322D76E3A7B591024C62F15934979FE40
SHA-256:	26E470B29BED3D873E0C328186E53F95E9EDBFE0B0FD0CDA44743A0B1A04A828
SHA-512:	0460CC66D06DF9A2941607473F3ECCFD909F2ADAB53A3328FADCEDD1B194B388ECA738C2C6C2E193DE33606925FBED1FE39EFA160015128E93F5E3A03C62170D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\..\..\...]..\...]..\..O\..\..\...\...]..\...]..\...]..\...]..\..#\..\...]..\Rich..\........PE..d...=............." ...*.<...8.......@..............................................U0....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84040
Entropy (8bit):	6.41469022264903
Encrypted:	false
SSDEEP:	1536:SSpo7/9ZwseNsUQJ8rbXis0WwOpcAE+8aoBnuRtApxbBVZIG4VJyI:SSW7lZws+bLwOpvEZa+uRWVVZIG4VF
MD5:	3DC8AF67E6EE06AF9EEC52FE985A7633
SHA1:	1451B8C598348A0C0E50AFC0EC91513C46FE3AF6
SHA-256:	C55821F5FDB0064C796B2C0B03B51971F073140BC210CBE6ED90387DB2BED929
SHA-512:	DA16BFBC66C8ABC078278D4D3CE1595A54C9EF43AE8837CEB35AE2F4757B930FE55E258827036EBA8218315C10AF5928E30CB22C60FF69159C8FE76327280087
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H.1.).b.).b.).b.Qib.).b.A.c.).bM.=b.).b.A.c.).b.A.c.).b.A.c.).bD@.c.).b.O.c.).b.).b.).bD@.c.).bD@.c.).bD@.b.).bD@.c.).bRich.).b................PE..d.....].........." .........f......t........................................p.......a....`.............................................H............P.......@..(.......H....`......p...T...............................................8............................text...>........................... ..`.rdata..~A.......B..................@..@.data........0......................@....pdata..(....@......................@..@.rsrc........P....... ..............@..@.reloc.......`.......,..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123464
Entropy (8bit):	5.886703955852103
Encrypted:	false
SSDEEP:	3072:qpG85kJGmH3c+5M333KvUPzeENGLf3Tz4ccUZw1IGVPE:qDSGT+5+KMPzyLf3TEcKu
MD5:	F1E33A8F6F91C2ED93DC5049DD50D7B8
SHA1:	23C583DC98AA3F6B8B108DB5D90E65D3DD72E9B4
SHA-256:	9459D246DF7A3C638776305CF3683946BA8DB26A7DE90DF8B60E1BE0B27E53C4
SHA-512:	229896DA389D78CBDF2168753ED7FCC72D8E0E62C6607A3766D6D47842C0ABD519AC4F5D46607B15E7BA785280F9D27B482954E931645337A152B8A54467C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..4..4..4..L@..4..\..4..\..4..\..4..\..4..]..4..R..4..R..4..]..4..4.i4..]..4..]..4..],..4..]..4.Rich.4.........PE..d.....].........." .................]....................................................`..........................................`......$a..........................H...........0...T...............................................`............................text............................... ..`.rdata..0l.......n..................@..@.data....>.......:...l..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_elementtree.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176712
Entropy (8bit):	6.328697645521823
Encrypted:	false
SSDEEP:	3072:6ELu4rq1inmE50HKwCty09ZVz1pGFEH0HCo65Obfh69K+2WhJKP6mrxhM2buspI6:Vu/iCqdty09ZLpGmH4CSr0c+2WhJKP6+
MD5:	5240ABC89BB0822B4F1D830883A17578
SHA1:	1B4412454E35AC9AF9E1E13CF3A441F35E5C7A69
SHA-256:	DEC95E6D7AC0F15DAAC635F1ADDA13B4289BBE7175BA0B14494DC983601F0590
SHA-512:	215B1E807253826C17E9744F46D539C6ED0E0A5FA12FFA654603CEEB6252C64CEA6C931404203364575DE709FD2D964D0EE719F1CC881BD98C5B495885E63D29
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.IA.z.A.z.A.z.Hm..M.z..}{.C.z..}..J.z..}~.I.z..}y.C.z..\|{.C.z.$s{.B.z.A.{...z..\|w.E.z..\|z.@.z..\|..@.z..\|x.@.z.RichA.z.................PE..d.....].........." ................X~..............................................1.....`.........................................0V..X....V..................0.......H.......X...`...T...............................................8............................text...C........................... ..`.rdata...z.......\|..................@..@.data........p.......^..............@....pdata..0............p..............@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45640
Entropy (8bit):	5.996546047346997
Encrypted:	false
SSDEEP:	768:8skeCps0iszzPFrGE/CBAdIPGV03ju774xxIGsIx7WDG4yw:81eCpLzDBZ+AdIPmYju7OxIGsIxWyw
MD5:	A6448BC5E5DA21A222DE164823ADD45C
SHA1:	6C26EB949D7EB97D19E42559B2E3713D7629F2F9
SHA-256:	3692FC8E70E6E29910032240080FC8109248CE9A996F0A70D69ACF1542FCA69A
SHA-512:	A3833C7E1CF0E4D181AC4DE95C5DFA685CF528DC39010BF0AC82864953106213ECCFF70785021CCB05395B5CF0DCB89404394327CD7E69F820D14DFA6FBA8CBA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2..&v.uv.uv.u...ur.u$..tt.u$..t}.u$..t~.u$..tt.u...tt.u.ts.uv.u..u.tw.u.tw.u.iuw.u.tw.uRichv.u................PE..d.....].........." .....@...Z......X2...............................................7....`..........................................u..P...@v..........................H............X..T...........................`X...............P...............................text....?.......@.................. ..`.rdata..p3...P...4...D..............@..@.data...h............x..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	252488
Entropy (8bit):	6.080982550390949
Encrypted:	false
SSDEEP:	6144:bkHDwqjhhwYbOqQNEkT/4OQhJwAbHoqLNvka/gOFhUw6b4qCNxkV/3OdhAWwPbGE:bd7/IbtSKOt
MD5:	37057C92F50391D0751F2C1D7AD25B02
SHA1:	A43C6835B11621663FA251DA421BE58D143D2AFB
SHA-256:	9442DC46829485670A6AC0C02EF83C54B401F1570D1D5D1D85C19C1587487764
SHA-512:	953DC856AD00C3AEC6AEAB3AFA2DEB24211B5B791C184598A2573B444761DB2D4D770B8B807EBBA00EE18725FF83157EC5FA2E3591A7756EB718EBA282491C7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0d..^7..^7..^7..7..^7.._6..^7..[6..^7..Z6..^7..]6..^7Q._6..^7.._6..^7.._7..^7Q.S6..^7Q.^6..^7Q..7..^7Q.\6..^7Rich..^7........PE..d.....].........." .................6..............................................o*....`............................................L.......x.......................H.......$...@...T............................................... ............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28232
Entropy (8bit):	6.051366978773049
Encrypted:	false
SSDEEP:	384:bp/aC60HGTPk/ltSA/6rCbCnA/cEXEz65D1IGqUrnYPLxDG4y8xxzzI:bH60HGw/b/6rCb9iKD1IGqUrWDG4yCI
MD5:	44B72E0AD8D1E1EC3D8722088B48C3C5
SHA1:	E0F41BF85978DD8F5ABB0112C26322B72C0D7770
SHA-256:	4AA1BBDE1621C49EDAB4376CF9A13C1AA00A9B0A9905D9640A2694EF92F77D5E
SHA-512:	05853F93C6D79D8F9C96519CE4C195B9204DF1255B01329DEAA65E29BD3E988D41454CD305E2199404F587E855737879C330638F2F07BFF11388A49E67BA896C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........k...k...k.......k......k......k......k......k..u....k......k...k..k..u....k..u....k..u.r..k..u....k..Rich.k..................PE..d.....].........." .........8............................................................`..........................................B..L...\B..d....p.......`.......T..H.......l... 3..T............................3...............0..(............................text............................... ..`.rdata.......0......."..............@..@.data........P.......>..............@....pdata.......`.......B..............@..@.rsrc........p.......F..............@..@.reloc..l............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	78920
Entropy (8bit):	6.061178831576516
Encrypted:	false
SSDEEP:	1536:KzMe79sDb+eGm08Vr5lcDAB9/s+7+pkaOz3CkNA9y1IGVwCyMPbi:de79u8/GFmAB9/se+pROz3jN1IGVw+Pm
MD5:	D6BAE4B430F349AB42553DC738699F0E
SHA1:	7E5EFC958E189C117ECCEF39EC16EBF00E7645A9
SHA-256:	587C4F3092B5F3E34F6B1E927ECC7127B3FE2F7FA84E8A3D0C41828583BD5CEF
SHA-512:	A8F8FED5EA88E8177E291B708E44B763D105907E9F8C9E046C4EEBB8684A1778383D1FBA6A5FA863CA37C42FD58ED977E9BB3A6B12C5B8D9AB6EF44DE75E3D1E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........1..._..._..._....._...^.._...Z..._...[..._...\.._.a.^.._...^.._...^.B._.a.R..._.a._..._.a..._.a.]..._.Rich.._.................PE..d.....].........." .....x..........h........................................`.......2....`.............................................P...0........@.......0..........H....P.........T...........................@................................................text....v.......x.................. ..`.rdata...v.......x...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	117832
Entropy (8bit):	6.052642675957794
Encrypted:	false
SSDEEP:	3072:x3xozhUCVgMUGSo5iY0nx2bsxSV3QilzQmxLZIG47HZ:p6zh72PGz0nxrmVG
MD5:	8EE827F2FE931163F078ACDC97107B64
SHA1:	149BB536F3492BC59BD7071A3DA7D1F974860641
SHA-256:	EAEEFA6722C45E486F48A67BA18B4ABB3FF0C29E5B30C23445C29A4D0B1CD3E4
SHA-512:	A6D24E72BF620EF695F08F5FFDE70EF93F42A3FA60F7C76EB0F521393C595717E05CCB7A61AE216C18FE41E95FB238D82637714CF5208EE8F1DD32AE405B5565
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0.u.0.u.0.u.9...6.u.b.t.2.u.b.p.<.u.b.q.8.u.b.v.2.u..t.6.u.U.t.7.u.0.t.C.u..x.2.u..u.1.u...1.u..w.1.u.Rich0.u.........PE..d.....].........." ................................................................K.....`..........................................S..d...4T..........................H...........`...T............................................................................text...Q........................... ..`.rdata.............................@..@.data...P4...........h..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\_win32sysloader.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.115421390329823
Encrypted:	false
SSDEEP:	192:xOCm72PEO1jIUs0YqEcPbF55UgCWV4rofnDPXRD0QpHvcqvn7ycIt/z/:xOardA0Bzx14r6nDZJhv+L/
MD5:	DC2B691495107A597281EECF8FE49258
SHA1:	B07F274B0C8120C8F9DEFC9C9E98CEEF02818FF1
SHA-256:	B155B2F3310E35F2AE40C89726453CBDBA48632A854192D78A9A7B634C310255
SHA-512:	1D12902BDA5645A92D2FABB93365E1A76FB1C30EF5865B17FD7A54A90FAAB61F4B238AF471C30A20080C8DDF06BEC983010FD9E10EFAE0C85BCB5B4A0ABECDF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f...............................................................................................Rich............................PE..d...L..g.........." ......................................................................`..........................................;..`...p;..d....p..l....`..................@...\|2..T............................2..8............0..p............................text............................... ..`.rdata..4....0......................@..@.data........P......................@....pdata.......`.......0..............@..@.rsrc...l....p.......4..............@..@.reloc..@............8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1028082
Entropy (8bit):	5.501427098501224
Encrypted:	false
SSDEEP:	24576:fhidpNtosQNRs54PK4IMoVw59bfCEzXxTLEo0zR32w:fhidpNtosQNRs54PK4IM9pTLp0hH
MD5:	E16F9002B63FE3700891D9C164F971F0
SHA1:	FB683ACE0A9E17ED8A4C75B9FF21D98A9931DFA1
SHA-256:	258EFFCB73CFEB1DD3764DA30B0A3D2D15102720FF45FD653025143A746F63AA
SHA-512:	630418BA29A61C366A02E9DF835671CCCC933D83D760A745B54D6F1CFF187DFF600E1BF6AB3EC84D08F179582F68218153653A0338EF6F03E0FF6C92C783F100
Malicious:	false
Preview:	PK..........!...7............._bootlocale.pycU....................................@....z...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.\|...\|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...\|.r.t...t.j.j.r.d.S.t...t.j...}.\|.s2t.j.d.k.r2d.}.\|.S.).Nr......darwin....A

C:\Users\user\AppData\Local\Temp\_MEI50042\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md.cp38-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.82244276484902
Encrypted:	false
SSDEEP:	96:G03K74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGktCFVCVAZ0fcX6g8H4a81:SFCk2z1/t12iwU5usJFICC4cqgg
MD5:	19286C0938EE5B29D916B4035E539200
SHA1:	FA74A9047A3DFCFE3F4F305B8D61267FB16B0650
SHA-256:	CBCB25410A11775DF37DCF4809B6EC5D6F3AA1E997C8AC8CD3FAA2C155121693
SHA-512:	3B849F2D727FA902E92DBBD8D93254CF3D7E7410269E45334D935C7D3B7FD1480A658066F2550DA26AAC5D978D16E0B12BF39DC4FC7C10E4C3C169BD5963124F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...B...B...K.X.@...R...@.......@...R...A...R...J...R...I......A...B...d.......C.......C.....4.C.......C...RichB...........PE..d....".g.........." ...).....................................................p............`..........................................'..l...\(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp38-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120832
Entropy (8bit):	5.898330437655099
Encrypted:	false
SSDEEP:	3072:Wd/i8g30pUQTpLwNo80GYVqr5wfgB2e/amZB:WVoMrgoe/PZB
MD5:	D702A14B17BCD02C9AD1CE8137D925AA
SHA1:	7A26ED8CCC3EBA1F97DA7CCADA58B043945B7575
SHA-256:	98C04FDC308F1D6388BB129F0101F88EBB020AEB8116F280129E19CDCB832D8D
SHA-512:	02515C6128B2A7909D0B2E43B0D253E331BDBAEB3DF786C9692612703C7E9FD0F7B6CB8E13954F63A0DF6B671D83DD6C021C7F68C965E336A74BDF7057986E00
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......rQy.60..60..60..?H..>0..&...40..}H..40..&...50..&...>0..&...;0...D..50..60...0..~...70..~...70..~...70..~...70..Rich60..........PE..d....".g.........." ...).0...........3....................................... ............`.............................................`.......................@...................@y...............................x..@............@...............................text..../.......0.................. ..`.rdata..0Y...@...Z...4..............@..@.data....=.......0..................@....pdata..@...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3381792
Entropy (8bit):	6.094908167946797
Encrypted:	false
SSDEEP:	49152:Y4TKuk29SIU6i5fOjPWl+0rOh5PKToEGG9I+q4dNQbZQm9aGupuu9LoeiyPaRb84:YiV+CGQ4dtBMeiJRb8+1CPwDv3uFZjN
MD5:	BF83F8AD60CB9DB462CE62C73208A30D
SHA1:	F1BC7DBC1E5B00426A51878719196D78981674C4
SHA-256:	012866B68F458EC204B9BCE067AF8F4A488860774E7E17973C49E583B52B828D
SHA-512:	AE1BDDA1C174DDF4205AB19A25737FE523DCA6A9A339030CD8A95674C243D0011121067C007BE56DEF4EAEFFC40CBDADFDCBD1E61DF3404D6A3921D196DCD81E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3...3...3...K...3..[...3..[...3..[...3..[...3..U...3...3..{3..qZ...3..qZ..1..qZ...3..qZf..3..qZ...3..Rich.3..................PE..d....k.].........." ......$..........r....................................... 4.......4...`..............................................f...Z3.@.....3.\|.....1.......3. .....3..O..P-,.8............................-,..............P3..............................text...g.$.......$................. ..`.rdata.......0$.......$.............@..@.data...Ax....1..*....0.............@....pdata........1.......1.............@..@.idata...#...P3..$....2.............@..@.00cfg........3.......2.............@..@.rsrc...\|.....3.......2.............@..@.reloc...x....3..z....3.............@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\libffi-7.dll

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32792
Entropy (8bit):	6.372276555451265
Encrypted:	false
SSDEEP:	384:JYnlpDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYPoBhT/A4:JYe0Vn5Q28J8qsqMttktuTSTWDG4yhRe
MD5:	4424BAF6ED5340DF85482FA82B857B03
SHA1:	181B641BF21C810A486F855864CD4B8967C24C44
SHA-256:	8C1F7F64579D01FEDFDE07E0906B1F8E607C34D5E6424C87ABE431A2322EBA79
SHA-512:	8ADB94893ADA555DE2E82F006AB4D571FAD8A1B16AC19CA4D2EFC1065677F25D2DE5C981473FABD0398F6328C1BE1EBD4D36668EA67F8A5D25060F1980EE7E33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3..{]A.{]A.{]A...A.{]A..\@.{]A..\@.{]A.{\A.{]A..X@.{]A..Y@.{]A..^@.{]A..Y@.{]A..^@.{]A..]@.{]A.._@.{]ARich.{]A........................PE..d.....\.........." .....F...$.......I...................................................`..........................................j.......m..P....................f...............b...............................b...............`.. ............................text....D.......F.................. ..`.rdata..H....`.......J..............@..@.data................^..............@....pdata...............`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	686112
Entropy (8bit):	5.528877787845415
Encrypted:	false
SSDEEP:	12288:3L6MSpHovlo4qL7a3ZV9CblMOoAXToRtrBZf3Fb85BO9K9pB3TLPDdOU2lvz8:wIAL7a3heSFZf2Pq63HJOU2lvz
MD5:	FE1F3632AF98E7B7A2799E3973BA03CF
SHA1:	353C7382E2DE3CCDD2A4911E9E158E7C78648496
SHA-256:	1CE7BA99E817C1C2D71BC88A1BDD6FCAD82AA5C3E519B91EBD56C96F22E3543B
SHA-512:	A0123DFE324D3EBF68A44AFAFCA7C6F33D918716F29B063C72C4A8BD2006B81FAEA6848F4F2423778D57296D7BF4F99A3638FC87B37520F0DCBEEFA3A2343DE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8<..YRT.YRT.YRT.!.T.YRT.1SU.YRT.?SU.YRT.1WU.YRT.1VU.YRT.1QU.YRTf0SU.YRT.YST.XRTf0VU.YRTf0RU.YRTf0.T.YRTf0PU.YRTRich.YRT................PE..d....k.].........." ..... ...D.......$...............................................2....`..............................................N...%..........s........K...^.. .......D.......8........................... ................................................text...7........ .................. ..`.rdata...#...0...$...$..............@..@.data...1M...`...D...H..............@....pdata...S.......T..................@..@.idata..rV.......X..................@..@.00cfg.......p.......8..............@..@.rsrc...s............:..............@..@.reloc..!............B..............@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\mfc140u.dll

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5653536
Entropy (8bit):	6.729079283804055
Encrypted:	false
SSDEEP:	49152:ULnsrdZXUTQyJa9qgUUjlQNXkW8GCBTDgHsYogTYn3s3pQMqSj+vTCfEs7ATWYls:UoJUEUYS3zUQFLOAkGkzdnEVomFHKnP+
MD5:	CD1D99DF975EE5395174DF834E82B256
SHA1:	F395ADA2EFC6433B34D5FBC5948CB47C7073FA43
SHA-256:	D8CA1DEA862085F0204680230D29BFF4D168FFF675AB4700EEAF63704D995CB3
SHA-512:	397F725E79CA2C68799CF68DFB111A1570427F3D2175D740758C387BDAA508BC9014613E997B92FC96E884F66BB17F453F8AA035731AFD022D9A4E7095616F87
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.cu...&...&...&...'...&...'...&...'...&..&...&G..'...&G..'...&...'...&...&..&G..'...&G..'...&G..'...&G..'...&G..&...&G..'...&Rich...&................PE..d...9.:e.........." .....(-..X)......X,.......................................V.....&~V...`A..........................................:.....h.;.......?......`=..8....V. (...PU.0p..P.5.T...........................`...8............@-.P...(.:......................text....&-......(-................. ..`.rdata.......@-......,-.............@..@.data....6... <.......<.............@....pdata...8...`=..:....<.............@..@.didat..H.....?.......?.............@....rsrc.........?.......?.............@..@.reloc..0p...PU..r....T.............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\pyarmor_runtime_000000\pyarmor_runtime.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	630272
Entropy (8bit):	6.201290770366906
Encrypted:	false
SSDEEP:	12288:cs1ibNzQ0d7ctjdcg7fUoPpj50XnEYsk:ratctjdcg7fUoPpj50XnJ
MD5:	A6EF9022CC961C656718F15CEB3BA1EE
SHA1:	AB9B6D1757F202C1E64C019B78678477D2F90507
SHA-256:	D7DE93F6A44AAEFB797CDE9BFAC1CF196C92FF5506FEFB2AC3F32A29DF0A9B7D
SHA-512:	4BEA879D66DF60374D7DBE25E5375FC7665E4E94AA2D182D18961DA17DA75867685BEC4CF039213C9907E42914E04E6FDB2A573711587F141BF862ED0FE21A61
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".............h..0..........f.....................................z........ .........................................].... ..03...........@...$..........................................@...(...................(+...............................text...............................`.P`.data....F... ...H..................@.`..rdata.......p.......P..............@.`@.pdata...$...@...$..................@.0@.xdata...&...p...(...8..............@.0@.bss.....f............................`..edata..]............`..............@.0@.idata..03... ...4...b..............@.0..CRT....X....`......................@.@..tls.........p......................@.@..reloc..............................@.0B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	189512
Entropy (8bit):	6.306301919858534
Encrypted:	false
SSDEEP:	3072:X/QzNxXNH/aml0Ocp9V69g7eoipCRF0W4XOoKmpgMBUI3CnOnL5MlTe1NE1IGVhb:XIzrNH/a4+L69g7eoKoYXOPmpgMBewMZ
MD5:	E684792507FAF113474A6D1217AEEAAD
SHA1:	F9486048EC025A9F469F52C1788A74E70975B431
SHA-256:	1035C85C840C1007D5F5BB62CA7358D6C85B5E4BF15155FE0857C6A17453F18A
SHA-512:	1A50BC231963D405F25879EE3560EB90F7B18D51640B9B4D848F18CAA9FEF14907F8935A86F093478BE0EE0E1261E4BCC8C697B486BC0617C5F77370337D48C3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~..#:i.p:i.p:i.p3.Jp0i.ph..q8i.ph..q1i.ph..q2i.ph..q8i.p...q8i.p_..q9i.p:i.pTi.p...q>i.p...q;i.p..&p;i.p...q;i.pRich:i.p........................PE..d.....].........." .................................................................3....`.............................................P...P...........................H............4..T............................4............... ...............................text............................... ..`.rdata..2.... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\python3.dll

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58952
Entropy (8bit):	5.849953914987793
Encrypted:	false
SSDEEP:	768:oS99q+0o22ByfbEap+VCBQ53gUiT5pLFdBk4/yFi1nuVwWBjChtFyrUdmd9RSxDD:79xiEAnUvdK1IGV0QyrI
MD5:	7ACEC875D5672E7AA148B8C40DF9AA49
SHA1:	96B8CFABE0CFA3DF32995919AC77CFDEEC26F1F2
SHA-256:	D96858E433F45917499DBF5E052E56F079FF9AE259FD3CAA025C3B1DAF852891
SHA-512:	1208DA62FE82B779EC822AD702F9CA4321B34EE590C28E10EFE9A2DB6D582BFDCAE01AB2431C1A98714EF0C60434D64C58F3DB31BF5886EFBB943ADC70D6E975
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d..d..d.N.l..d.N.d..d.N..d.N.f..d.Rich.d.........PE..d.....].........." .....................................................................`.........................................` ..@...............................H............ ..T............................................................................text............................... ..`.rdata..d.... ......................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\python38.dll

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4183112
Entropy (8bit):	6.420172758698049
Encrypted:	false
SSDEEP:	49152:wV6CJES/Za2BaobNruDPYRQYK8JCNNtkAz+/Q46VqNo9NYxwCFIInKHJCMjntPNj:MxB/aDUQNtufeNFIKHoMjzkDU
MD5:	D2A8A5E7380D5F4716016777818A32C5
SHA1:	FB12F31D1D0758FE3E056875461186056121ED0C
SHA-256:	59AB345C565304F638EFFA7C0236F26041FD06E35041A75988E13995CD28ACE9
SHA-512:	AD1269D1367F587809E3FBE44AF703C464A88FA3B2AE0BF2AD6544B8ED938E4265AAB7E308D999E6C8297C0C85C608E3160796325286DB3188A3EDF040A02AB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................7[.........................................B............c...........Rich............................PE..d.....].........." .........."...............................................B.....f.@...`.........................................@I8.....X.9.\|.....B.......?.P.....?.H.....B. t..p. .T............................. .................X............................text...$........................... ..`.rdata..............................@..@.data........09......"9.............@....pdata..P.....?......2=.............@..@.rsrc.........B......8?.............@..@.reloc.. t....B..v...D?.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32\pythoncom38.dll

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	673280
Entropy (8bit):	6.0419437910215255
Encrypted:	false
SSDEEP:	6144:Ve+P6+MWPDCpiqo/r/wm/tx61waoXe1a84TkOz4ApSVIHs4ppdUKsGZ7QXlf:VelBcDh/wmVw1ayoFPppdUl
MD5:	F0392A9234F19A7312749E32B7C2AABC
SHA1:	3A06EB7FE07F4F72C43D44C84B0E8D0CF45B6B7B
SHA-256:	3890C952D049677351D50B940793E82FB9F065AC77A97CD228C187616BE1687E
SHA-512:	B81E1DE6083123CFEBF360F0FEFD0DC18FC6B361BB2B4A8249D71D77B9BB2E275C854998142A2774200D1864D3CAFC706F5D0CA9238E0EC859B3578922FCB698
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R0.~.Q.-.Q.-.Q.-.).-.Q.-D$.,.Q.-D$.,.Q.-D$.,.Q.-D$.,.Q.-.$.,.Q.-]).,.Q.-.%.,.Q.-]).,.Q.-.Q.-BP.-.$.,GQ.-.$.,.Q.-.$.,.Q.-Rich.Q.-........PE..d...x..g.........." ......................................................................`.........................................@`...c..............\....@...z............... ......T........................... ...8............................................text...3........................... ..`.rdata..T/.......0..................@..@.data....L..........................@....pdata...z...@...\|..................@..@.rsrc...\............ ..............@..@.reloc... ......."...$..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\pywin32_system32\pywintypes38.dll

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	136192
Entropy (8bit):	5.993915222442933
Encrypted:	false
SSDEEP:	3072:cXt1g7xR7WsXCBcyohpY/rjYarWSbJm/fEJTdXSwd0Lxwp:cXXg7xNFXC8Y/rxbbJmnEVdXSuQ
MD5:	7F960B22965D51F44D3046F3930D3471
SHA1:	DEFC4A353F6A14E316C1FE4085180CECA9EE6CE0
SHA-256:	D2DF2F815AB392812399143D6CB661C807449FA8409FD126F39F656769B8A728
SHA-512:	FA4484DBFA3E13F0FA1C4F1CF1DA0C3F76DE157586B49165A400EADBF9A7EFFAF318AA33A7A222F927222531107977FB7BE7CD62E4623B31B111E21AC4EDFD0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........YE+I8+xI8+xI8+x@@.xE8+x.MyM8+x/W.xH8+x.M.y]8+x.M/yA8+x.M(yJ8+x.@/yH8+x.LyK8+x.@yB8+xI8x.8+x.M"yD8+x.M+yH8+x.M)yH8+xRichI8+x........................PE..d...,..g.........." .........................................................`............`.............................................lB......,....@..d.... ...............P..0....b..T............................c..8............................................text...Y........................... ..`.rdata..............................@..@.data....-.......(..................@....pdata....... ......................@..@.rsrc...d....@......................@..@.reloc..0....P......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\select.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26696
Entropy (8bit):	6.101296746249305
Encrypted:	false
SSDEEP:	768:6kYtqIDCNdwhBfAqXuqzz5H1IGqGbWDG4y4:6TnDCNCh93X7zzR1IGqG2y4
MD5:	6AE54D103866AAD6F58E119D27552131
SHA1:	BC53A92A7667FD922CE29E98DFCF5F08F798A3D2
SHA-256:	63B81AF5D3576473C17AC929BEA0ADD5BF8D7EA95C946CAF66CBB9AD3F233A88
SHA-512:	FF23F3196A10892EA22B28AE929330C8B08AB64909937609B7AF7BFB1623CD2F02A041FD9FAB24E4BC1754276BDAFD02D832C2F642C8ECDCB233F639BDF66DD0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................)............................M................M......M......M.E....M......Rich...........PE..d.....].........." .........2......h...............................................a"....`..........................................?..L....@..x....p.......`.......N..H.......,....2..T............................3...............0...............................text...u........................... ..`.rdata.......0......."..............@..@.data........P.......:..............@....pdata.......`.......<..............@..@.rsrc........p.......@..............@..@.reloc..,............L..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1096264
Entropy (8bit):	5.343512979675051
Encrypted:	false
SSDEEP:	12288:EGe9qQOZ67191SnFRFotduNFBjCmN/XlyCAx9++bBlhJk93cgewrxEeBc0bB:EGe9GK4oYhCc/+9nbDhG2wrxc0bB
MD5:	4C0D43F1A31E76255CB592BB616683E7
SHA1:	0A9F3D77A6E064BAEBACACC780701117F09169AD
SHA-256:	0F84E9F0D0BF44D10527A9816FCAB495E3D797B09E7BBD1E6BD666CEB4B6C1A8
SHA-512:	B8176A180A441FE402E86F055AA5503356E7F49E984D70AB1060DEE4F5F17FCEC9C01F75BBFF75CE5F4EF212677A6525804BE53646CC0D7817B6ED5FD83FD778
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.0v..^%..^%..^%.f.%..^%Tv_$..^%Tv[$..^%TvZ$..^%Tv]$..^%.w_$..^%cx_$..^%.._%N.^%.wS$..^%.w^$..^%.w.%..^%.w\$..^%Rich..^%................PE..d.....].........." .....L...V.......*..............................................-.....`.........................................p...X..............................H........... )..T............................)...............`..p............................text...1J.......L.................. ..`.rdata..>-...`.......P..............@..@.data................~..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\win32api.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	5.86120949149104
Encrypted:	false
SSDEEP:	3072:3wBdzUgdnhvjZXA2SRJzlRVFhLaNzvblJTqQvmP+0NfAdWe:3wsgdRjZXA2+tlRVgvZRqQ10Vy
MD5:	01196228998669ACFD2A4AA7E1E18A26
SHA1:	A7C3C59CB120EF75CA6F9A7A2E035783CD5933BB
SHA-256:	DA256A6EEB9C5512E869CA5452EC373A7C3AA8BE13AFEB76FD650738A5ADFBEC
SHA-512:	A2C627978B33A0FB8DDBEB7FF8C920F7BC357736D5C981A3F003ADF1CD8E6CB51B17FDF5847B98D024C3FF721550A5E8209B735E027110FF75ED56A10498C117
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V@m..@m..@m..I...Hm......Dm......Hm......Dm......Bm......Bm......Wm......Km..@m...l......Bm......Am......Am..Rich@m..................PE..d...O..g.........." ................8........................................P............`................................................d........0..T....................@..X....w..T............................<..8............0......d...@....................text...D........................... ..`.rdata.......0......................@..@.data...X(......."..................@....pdata..............................@..@.rsrc...T....0......................@..@.reloc..X....@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\win32trace.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.281734532194338
Encrypted:	false
SSDEEP:	384:tYGx6lLxGhN0H2So0JVPls+0T8DqqpqkW87P0bkZ5yn9g1BT:zl0WCaNkW87cSUuB
MD5:	3122A07137DEA2F663F0F5A57C68306A
SHA1:	9EA6A6DC321993F5EB1185F674B515BDF851718D
SHA-256:	B6AE09668425F318E2A56286F635EFC591B92C14870085A485A65A6E40F3A0C0
SHA-512:	98B2D850F79FCD4DF2D57C4692EFB08B550A20DDDB38C4A95CE794B78A1F84FD1AD7EA21A5845C364AC79523F668C4350628FDF7D7DABF4056DD07F25B67C6AE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r$(U6EF.6EF.6EF.?=..2EF.d0G.4EF.d0C.<EF.d0B.>EF.d0E.5EF..0G.4EF..1G.4EF.}=G.3EF.6EG.{EF..0O.7EF..0F.7EF..0D.7EF.Rich6EF.........PE..d...G..g.........." ................'....................................................`..........................................Q..T....Q..........\....p.......................G..T...........................PH..8............@...............................text....)......................... ..`.rdata.......@......................@..@.data...(....`.......L..............@....pdata.......p.......R..............@..@.rsrc...\............V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI50042\win32ui.pyd

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1146880
Entropy (8bit):	6.055737484366553
Encrypted:	false
SSDEEP:	12288:A8kQJhn+6cxX9KOcol6NRn2Ri0VRxRz5jAs7FYyk2+wwZ8Oq:ANP6c8oiRnP2RFUsRY2+V8
MD5:	0E754914E42F2220C530A0212293BF51
SHA1:	242220538FBE59D141B44895FC8054FDB1A8358D
SHA-256:	CDFAF61B88C03F8C35BC0476A5CB85365B591787EE1B2FFEF264BFC570C9524A
SHA-512:	CDF127981996C2AFA94E09E0D9CEDF5D6F3512EF3F2505C9616EBD21F5B0BA4E5A1E1069AED84D1111A400BBCA8AED904948F91D47B961076A50528DD02A1E7A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.K;...;...;...2a].1....l..9....m..9...pa..5...il..3...il..?...il..-...;...3...il..<....l.......l..:....l1.:....l..:...Rich;...................PE..d...E..g.........." .........t.............................................. ............`..........................................1...T......h...............................`\......T.......................(...@...8............ ...0...........................text...0........................... ..`.rdata....... ......................@..@.data...............................@....pdata...............r..............@..@.rsrc...............................@..@.reloc..`\.......^..."..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpt3ztn0zp\gen_py\init.py

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.713840781302666
Encrypted:	false
SSDEEP:	3:S3yE25MOWrYXtHVE/DRFrgm5/gvJgXDLAUDA+ERo6+aEYqVS1f6gq1WGgVSBn:S3mSOWWHVUDjrgmxgRgzLXDA6Va8VeuR
MD5:	8C7CA775CF482C6027B4A2D3DB0F6A31
SHA1:	E3596A87DD6E81BA7CF43B0E8E80DA5BC823EA1A
SHA-256:	52C72CF96B12AE74D84F6C049775DA045FAE47C007DC834CA4DAC607B6F518EA
SHA-512:	19C7D229723249885B125121B3CC86E8C571360C1FB7F2AF92B251E6354A297B4C2B9A28E708F2394CA58C35B20987F8B65D9BD6543370F063BBD59DB4A186AC
Malicious:	false
Preview:	# Generated file - this directory may be deleted to reset the COM cache.....import win32com..if __path__[:-1] != win32com.__gen_path__: __path__.append(win32com.__gen_path__)..

C:\Users\user\AppData\Local\Temp\tmpt3ztn0zp\gen_py\dicts.dat

Download File

Process:	C:\Users\user\Desktop\zapret.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.7219280948873625
Encrypted:	false
SSDEEP:	3:qW6:qW6
MD5:	2C7344F3031A5107275CE84AED227411
SHA1:	68ACAD72A154CBE8B2D597655FF84FD31D57C43B
SHA-256:	83CDA9FECC9C008B22C0C8E58CBCBFA577A3EF8EE9B2F983ED4A8659596D5C11
SHA-512:	F58362C70A2017875D231831AE5868DF22D0017B00098A28AACB5753432E8C4267AA7CBF6C5680FEB2DC9B7ABADE5654C3651685167CC26AA208A9EB71528BB6
Malicious:	false
Preview:	..K....}..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.996284797456956
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	zapret.exe
File size:	10'374'715 bytes
MD5:	45bc44427d305237d57849356227056a
SHA1:	5e50dd554abf2530275fd66f29973d0c578bf0cf
SHA256:	39fe3d80771b4bc7408b56c801c2da4ffb7f9f6a982aa5b1104084c98d5701c6
SHA512:	0849d18ded86a23d137b675eed015b5967468b5a260fbffa2fff2d61c54c848e609834ebb9f7d7cf8719d141ec828ad662ab329a5bed8b9be8a6a26bc75d1403
SSDEEP:	196608:nIguWJysVYvsOtV1Z2azjvj8p5drY+0XroyMxxvjDDAxB9GQHSv4rEO4+Wx:6WJeVlj87dq7oyMxtDDAxpH3rJ4X
TLSH:	D5A63377C2A2588AE5F90030D5A4A0B11661F9690F109C2B8AB59F397F57FF47FB88D0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...;.bg.@.............(.x...2.................@.....................................\|....`................................

File Icon


Icon Hash:	4a464cd47461e179

Static PE Info

General

Entrypoint:	0x1400010f6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6762DE3B [Wed Dec 18 14:37:47 2024 UTC]
TLS Callbacks:	0x4000ccc0, 0x1, 0x4000cd80, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2b762c3d5d512cd6bf5a5baf230d4a2e

Entrypoint Preview

Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [0001F854h]
mov dword ptr [eax], 00000001h
call 00007F3128539C82h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [0001F825h]
mov dword ptr [eax], 00000000h
call 00007F3128539C53h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 70h
dec eax
mov dword ptr [ebp-10h], 00000000h
mov dword ptr [ebp-1Ch], 00000030h
mov eax, dword ptr [ebp-1Ch]
dec eax
mov eax, dword ptr [eax]
dec eax
mov dword ptr [ebp-28h], eax
dec eax
mov eax, dword ptr [ebp-28h]
dec eax
mov eax, dword ptr [eax+08h]
dec eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-04h], 00000000h
jmp 00007F3128539C63h
dec eax
mov eax, dword ptr [ebp-10h]
dec eax
cmp eax, dword ptr [ebp-18h]
jne 00007F3128539C4Bh
mov dword ptr [ebp-04h], 00000001h
jmp 00007F3128539C87h
mov ecx, 000003E8h
dec eax
mov eax, dword ptr [00034536h]
call eax
dec eax
mov eax, dword ptr [0001F7FDh]
dec eax
mov dword ptr [ebp-30h], eax
dec eax
mov eax, dword ptr [ebp-18h]
dec eax
mov dword ptr [ebp+00h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x35000	0x15f0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39000	0xf494	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x24000	0xf18	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x49000	0x154	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1fb40	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x35580	0x4f0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17698	0x17800	3162e04946f8d70363991ef77146f968	False	0.4406582446808511	data	6.151760427259421	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x19000	0x130	0x200	11b0fb1eb27a7b33f30f63c84010d98b	False	0.189453125	data	1.3374538668500189	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1a000	0x8360	0x8400	90488b6a86573a6cc98f474860f95d61	False	0.4765920928030303	data	6.541956983892695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x23000	0x4	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x24000	0xf18	0x1000	1d55bf60c7a95ecb39a7a169edbdf562	False	0.460205078125	data	4.949066468343522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x25000	0xf30	0x1000	d536cede0a0b44ac8e685a7f15b04085	False	0.228515625	shared library	4.273158269466835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x26000	0xeff0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x35000	0x15f0	0x1600	dac35fc335ee1f745ab20fbc17d1616b	False	0.33061079545454547	data	4.455839108298774	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x37000	0x60	0x200	32b18f38c3c4ba3205e8c160ed8fa8ed	False	0.06640625	data	0.29046607431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x38000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x39000	0xf494	0xf600	8f1e755314f9e1a2a5c307c4e4ca9fc1	False	0.8035600863821138	data	7.555503971609621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x49000	0x154	0x200	3b590444fe5db0d8f4418a97264a915b	False	0.529296875	data	3.743194766435929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x39208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x3a0b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x3a958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x3aec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x443ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x46994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x47a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x47ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x47f0c	0x586	XML 1.0 document, ASCII text, with CRLF line terminators	0.44554455445544555

Imports

DLL	Import
ADVAPI32.dll	ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetTokenInformation, OpenProcessToken
COMCTL32.dll	LoadIconMetric
GDI32.dll	CreateFontIndirectW, DeleteObject, SelectObject
KERNEL32.dll	CloseHandle, CreateDirectoryW, CreateProcessW, DeleteCriticalSection, EnterCriticalSection, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FormatMessageW, FreeLibrary, GetCommandLineW, GetCurrentProcess, GetEnvironmentVariableW, GetExitCodeProcess, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoW, GetTempPathW, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LocalFree, MulDiv, MultiByteToWideChar, SetConsoleCtrlHandler, SetDllDirectoryW, SetEnvironmentVariableW, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, __C_specific_handler
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __argc, __iob_func, __set_app_type, __setusermatherr, __wargv, __wgetmainargs, __winitenv, _amsg_exit, _cexit, _commode, _errno, _filelengthi64, _fileno, _findclose, _fileno, _fmode, _get_osfhandle, _getpid, _initterm, _lock, _onexit, _setmode, _snwprintf, _stat64, _strdup, _unlock, _wcmdln, _wcsdup, _wcsdup, _wfindfirst64, _wfindnext64, _wfopen, _wfullpath, _wputenv_s, _wremove, _wrmdir, _wstat64, _wtempnam, abort, calloc, clearerr, exit, fclose, feof, ferror, fflush, fgetpos, fprintf, fputc, fputwc, fread, free, fsetpos, fwprintf, fwrite, iswctype, localeconv, malloc, mbstowcs, memcmp, memcpy, memset, perror, realloc, setbuf, setlocale, signal, strcat, strchr, strcmp, strcpy, strerror, strlen, strncat, strncmp, strncpy, strtok, vfprintf, wcscat, wcschr, wcscmp, wcscpy, wcslen, wcsncpy, wcstombs
USER32.dll	CreateWindowExW, DestroyIcon, DialogBoxIndirectParamW, DrawTextW, EndDialog, GetClientRect, GetDC, GetDialogBaseUnits, GetWindowLongPtrW, InvalidateRect, MessageBoxA, MessageBoxW, MoveWindow, ReleaseDC, SendMessageW, SetWindowLongPtrW, SystemParametersInfoW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 21:35:51.578260899 CET	49705	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:51.578315973 CET	443	49705	18.66.161.26	192.168.2.5
Dec 18, 2024 21:35:51.578382969 CET	49705	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:51.579137087 CET	49705	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:51.579150915 CET	443	49705	18.66.161.26	192.168.2.5
Dec 18, 2024 21:35:53.155077934 CET	443	49705	18.66.161.26	192.168.2.5
Dec 18, 2024 21:35:53.156043053 CET	49705	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:53.156091928 CET	443	49705	18.66.161.26	192.168.2.5
Dec 18, 2024 21:35:53.158183098 CET	443	49705	18.66.161.26	192.168.2.5
Dec 18, 2024 21:35:53.158277988 CET	49705	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:53.159248114 CET	49705	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:53.159398079 CET	49705	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:53.171221018 CET	49706	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:53.171277046 CET	443	49706	18.66.161.26	192.168.2.5
Dec 18, 2024 21:35:53.171356916 CET	49706	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:53.171689987 CET	49706	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:53.171705961 CET	443	49706	18.66.161.26	192.168.2.5
Dec 18, 2024 21:35:54.698518991 CET	443	49706	18.66.161.26	192.168.2.5
Dec 18, 2024 21:35:54.698955059 CET	49706	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:54.698992014 CET	443	49706	18.66.161.26	192.168.2.5
Dec 18, 2024 21:35:54.701997995 CET	443	49706	18.66.161.26	192.168.2.5
Dec 18, 2024 21:35:54.702083111 CET	49706	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:54.702431917 CET	49706	443	192.168.2.5	18.66.161.26
Dec 18, 2024 21:35:54.702563047 CET	49706	443	192.168.2.5	18.66.161.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 21:35:51.359996080 CET	56736	53	192.168.2.5	1.1.1.1
Dec 18, 2024 21:35:51.574440956 CET	53	56736	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 21:35:51.359996080 CET	192.168.2.5	1.1.1.1	0xfea8	Standard query (0)	brave.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 21:35:51.574440956 CET	1.1.1.1	192.168.2.5	0xfea8	No error (0)	brave.com	18.66.161.26	A (IP address)	IN (0x0001)	false
Dec 18, 2024 21:35:51.574440956 CET	1.1.1.1	192.168.2.5	0xfea8	No error (0)	brave.com	18.66.161.35	A (IP address)	IN (0x0001)	false
Dec 18, 2024 21:35:51.574440956 CET	1.1.1.1	192.168.2.5	0xfea8	No error (0)	brave.com	18.66.161.55	A (IP address)	IN (0x0001)	false
Dec 18, 2024 21:35:51.574440956 CET	1.1.1.1	192.168.2.5	0xfea8	No error (0)	brave.com	18.66.161.81	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	15:35:47
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\zapret.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\zapret.exe"
Imagebase:	0x7ff630480000
File size:	10'374'715 bytes
MD5 hash:	45BC44427D305237D57849356227056A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:35:49
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\zapret.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\zapret.exe"
Imagebase:	0x7ff630480000
File size:	10'374'715 bytes
MD5 hash:	45BC44427D305237D57849356227056A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.7%
Total number of Nodes:	1140
Total number of Limit Nodes:	20

Executed Functions

Function 00007FF630481154 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_amsg_exit.MSVCRT ref: 00007FF6304811F6
_initterm.MSVCRT ref: 00007FF63048122B
_initterm.MSVCRT ref: 00007FF63048125E
exit.MSVCRT ref: 00007FF630481358
_cexit.MSVCRT ref: 00007FF630481367

Strings

0, xrefs: 00007FF630481164

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: _initterm$_amsg_exit_cexitexit
String ID: 0
API String ID: 602970348-4108050209
Opcode ID: 6d6abd2140eb0b7f68bb3c504690dcf92132bdf22886463ef4a851639e3c59bc
Instruction ID: 1914f85ee9010db3cd5458c0f2d038a4a194d1c375d2177fc8faa05ebed1721c
Opcode Fuzzy Hash: 6d6abd2140eb0b7f68bb3c504690dcf92132bdf22886463ef4a851639e3c59bc
Instruction Fuzzy Hash: 5761D675F09B06E9FB00DB59E84036933A4BB48B88F524436DE0D977A6DF3DE648A740

Function 00007FF630488C60 Relevance: 6.9, Strings: 5, Instructions: 602COMMON

Download Yara Rule

Strings

invalid literal/length code, xrefs: 00007FF63048A372
incorrect data check, xrefs: 00007FF630488DA1
invalid block type, xrefs: 00007FF63048A1E0
too many length or distance symbols, xrefs: 00007FF6304899D6
invalid stored block lengths, xrefs: 00007FF630488F5E

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID:
String ID: incorrect data check$invalid block type$invalid literal/length code$invalid stored block lengths$too many length or distance symbols
API String ID: 0-817236767
Opcode ID: ad7465917ce0bd69c915d26ccdd0654c50e183496f1a9639a8706ff0dce767b6
Instruction ID: fbfda9bcd0acb6f49690f44883c30b254112bd2b9fb0e115e1385cff04145f1e
Opcode Fuzzy Hash: ad7465917ce0bd69c915d26ccdd0654c50e183496f1a9639a8706ff0dce767b6
Instruction Fuzzy Hash: 51420573E18692DBE3508F25D48893E77A5F744788F164538DA4AC3785DF39EA08EB80

Function 00007FF630489458 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

invalid bit length repeat, xrefs: 00007FF63048A851
invalid distances set, xrefs: 00007FF63048A93A
invalid literal/lengths set, xrefs: 00007FF63048A806
invalid code -- missing end-of-block, xrefs: 00007FF630489EAD

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid distances set$invalid literal/lengths set
API String ID: 0-1153561608
Opcode ID: 47164a0fb7dc88aad6f9100fbe571ed17c27b01c48b102c533af20c39b644f9d
Instruction ID: 0a97a8b648c67c9faab5f3550e277952a76d29a63be6d7f8ac9c83eab0d6c7c8
Opcode Fuzzy Hash: 47164a0fb7dc88aad6f9100fbe571ed17c27b01c48b102c533af20c39b644f9d
Instruction Fuzzy Hash: A7F1E433A18652DBE7558F14D488A3E77A4F744788F074539DA4A83781DF3AEE48EB80

Function 00007FF6304885E0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF630488605
FindClose.KERNEL32 ref: 00007FF630488614

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e52f2938a18a37d305d9bb5fab71544ce8426dd77b6bb2e1cf10f581b4471b50
Instruction ID: 313a6899fae757513372facdf28e07bd5cf60db52a5bb9a4d980afef3525a7aa
Opcode Fuzzy Hash: e52f2938a18a37d305d9bb5fab71544ce8426dd77b6bb2e1cf10f581b4471b50
Instruction Fuzzy Hash: 08F0A029A29241C2F7E09B60A0083696390E784378FC40734DABD817D5CFBC824D8B00

Function 00007FF630481C80 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6304876B0: strlen.MSVCRT ref: 00007FF630487723
Part of subcall function 00007FF6304876B0: strlen.MSVCRT ref: 00007FF630487753
Part of subcall function 00007FF6304876B0: strlen.MSVCRT ref: 00007FF630487769
Part of subcall function 00007FF6304876B0: strcpy.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF630481CB3), ref: 00007FF63048777A
Part of subcall function 00007FF6304876B0: strtok.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF630481CB3), ref: 00007FF630487784

malloc.MSVCRT ref: 00007FF630481CF0
fread.MSVCRT ref: 00007FF630481D51
free.MSVCRT ref: 00007FF630481D79
fclose.MSVCRT ref: 00007FF630481D9B
fclose.MSVCRT ref: 00007FF630481DAA

Strings

fopen, xrefs: 00007FF630481E42
fwrite, xrefs: 00007FF630481E0A
Failed to extract %s: failed to open archive file!, xrefs: 00007FF630481DE2
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF630481E5B
Failed to extract %s: failed to open target file!, xrefs: 00007FF630481E3B
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF630481E03
fseek, xrefs: 00007FF630481E2A
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF630481D5E
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF630481E23
malloc, xrefs: 00007FF630481E62
fread, xrefs: 00007FF630481D65

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: strlen$fclose$freadfreemallocstrcpystrtok
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 790192563-666925554
Opcode ID: 855ea45448aef8cf5b312f3686994d652bcee22680b11e1d62b6e4d3b1aa903f
Instruction ID: 64a87a64f9179a635a73e9538bbb837c3a87c1a2aec9fce3aadc5a716124adb8
Opcode Fuzzy Hash: 855ea45448aef8cf5b312f3686994d652bcee22680b11e1d62b6e4d3b1aa903f
Instruction Fuzzy Hash: 4041B021A09603F1FA109B29DA507B912856F0579CF464936DD1DCB3E3EE2EB75DA380

Function 00007FF630487270 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wputenv_s.MSVCRT ref: 00007FF6304872C1
free.MSVCRT ref: 00007FF6304872CC
GetTempPathW.KERNEL32 ref: 00007FF6304872F0
_getpid.MSVCRT(?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF6304872F6
_wtempnam.MSVCRT ref: 00007FF63048731F
free.MSVCRT ref: 00007FF630487334
free.MSVCRT ref: 00007FF63048735E

Part of subcall function 00007FF630486FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF63048700C

Part of subcall function 00007FF630487110: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF63048714B
Part of subcall function 00007FF630487110: free.MSVCRT ref: 00007FF630487156
Part of subcall function 00007FF630487110: _wfullpath.MSVCRT ref: 00007FF63048717E
Part of subcall function 00007FF630487110: wcschr.MSVCRT(?,?,?,00000000,00007FF6304872AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF6304871AD
Part of subcall function 00007FF630487110: wcsncpy.MSVCRT ref: 00007FF6304871DB
Part of subcall function 00007FF630487110: CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF6304872AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF6304871E5
Part of subcall function 00007FF630487110: wcschr.MSVCRT(?,?,?,00000000,00007FF6304872AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF6304871F0
Part of subcall function 00007FF630487110: CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF6304872AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF630487202

Strings

TMP, xrefs: 00007FF6304872B7
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF630487380
_MEI%d, xrefs: 00007FF6304872FB
TMP, xrefs: 00007FF630487294, 00007FF63048734C, 00007FF6304873B3, 00007FF6304873DD, 00007FF630487409

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: free$CreateDirectoryEnvironmentwcschr$ExpandPathStringsTempVariable_getpid_wfullpath_wputenv_s_wtempnamwcsncpy
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 2180377646-1116378104
Opcode ID: 5c4b10aed0aea61ccbc9035126b4b601bd2dedeeab183b41183b05d6da6e050d
Instruction ID: 9cf3d4ecffa74ed202d9c55813e777370895ff7a5636d81a3922cc7544343813
Opcode Fuzzy Hash: 5c4b10aed0aea61ccbc9035126b4b601bd2dedeeab183b41183b05d6da6e050d
Instruction Fuzzy Hash: 51416211E09513F2E955AB266A256BA42416F45BE8F474835EC0EC7793ED3EE60CB380

Function 00007FF630481710 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF630488AE0: malloc.MSVCRT ref: 00007FF630488A49

malloc.MSVCRT ref: 00007FF630481788
malloc.MSVCRT ref: 00007FF63048179E
fread.MSVCRT ref: 00007FF6304817CD
ferror.MSVCRT ref: 00007FF6304817DE
fwrite.MSVCRT ref: 00007FF630481867
ferror.MSVCRT ref: 00007FF630481882
free.MSVCRT ref: 00007FF630481905
free.MSVCRT ref: 00007FF63048190D

Strings

_MEIPASS2, xrefs: 00007FF630481712
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF630481A07
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF630481A5E
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6304818E9
malloc, xrefs: 00007FF630481A46, 00007FF630481A65
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF630481A3F
1.2.12, xrefs: 00007FF63048173F

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: malloc$ferrorfree$freadfwrite
String ID: 1.2.12$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$_MEIPASS2$malloc
API String ID: 1635854594-2461342963
Opcode ID: ca8c180e82fc02696001b4b772ca5b4f9595369572e3e3818e5851be8c36e41a
Instruction ID: c835b32ddf0354486e2931a3a379d445d7e857e0b2c92eb574db35e7fcbb68de
Opcode Fuzzy Hash: ca8c180e82fc02696001b4b772ca5b4f9595369572e3e3818e5851be8c36e41a
Instruction Fuzzy Hash: B281F732A0C682E1E6209F19E5403BA6394FB447A8F554532DECD837D6DF3DE689E780

Function 00007FF630488440 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF630488477
OpenProcessToken.ADVAPI32 ref: 00007FF630488488
free.MSVCRT ref: 00007FF6304884A0
CloseHandle.KERNEL32 ref: 00007FF6304884B0
_snwprintf.MSVCRT ref: 00007FF6304884D8
LocalFree.KERNEL32 ref: 00007FF6304884E1
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF630488507
CreateDirectoryW.KERNEL32 ref: 00007FF63048851B
GetTokenInformation.KERNELBASE(00000000,00000005(TokenIntegrityLevel),?,?,?,00007FF8C6BBC150,00007FF63048732D,?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF630488561
GetLastError.KERNEL32 ref: 00007FF630488567
calloc.MSVCRT ref: 00007FF630488582
GetTokenInformation.KERNELBASE(?,?,?,00007FF8C6BBC150,00007FF63048732D,?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF6304885A8
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6304885BD

Strings

S-1-3-4, xrefs: 00007FF6304884BB
D:(A;;FA;;;%s), xrefs: 00007FF6304884CA

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen_snwprintfcallocfree
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 1339360106-2855260032
Opcode ID: fe406d8fb547cea20d7bfb8102cc3596c6133abc484eadb2eb76a5d76b1726db
Instruction ID: 008e6e3cf6e39a20572a98cb1ec60f63ff6fc52dfd1749c43749267ee1df4bf6
Opcode Fuzzy Hash: fe406d8fb547cea20d7bfb8102cc3596c6133abc484eadb2eb76a5d76b1726db
Instruction Fuzzy Hash: 9B31E322608642E2E7609B11F8007AA6361FB85BA9F554635EE6D83BD6DF3DE60CD700

Function 00007FF63048E5E0 Relevance: 25.9, APIs: 17, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strdup.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048E616
setlocale.MSVCRT ref: 00007FF63048E62E
mbstowcs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048E665
mbstowcs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048E6D6
setlocale.MSVCRT ref: 00007FF63048E741
free.MSVCRT ref: 00007FF63048E74D
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048E981
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048E9F5
realloc.MSVCRT ref: 00007FF63048EA10
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048EA39
setlocale.MSVCRT ref: 00007FF63048EA4A
free.MSVCRT ref: 00007FF63048EA56
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048EA80
realloc.MSVCRT ref: 00007FF63048EA9B
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048EABF
setlocale.MSVCRT ref: 00007FF63048EAD0
free.MSVCRT ref: 00007FF63048EADC

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: wcstombs$setlocale$free$mbstowcsrealloc$_strdup
String ID:
API String ID: 918573998-0
Opcode ID: a83cf2a6e7cdc1dd5fd551beaeb6a114339be945ac12246f5548f53177ceeab4
Instruction ID: e207dfff509ff075729275fd07798f1be28d3e076d306dbf4d843eeda45bfb79
Opcode Fuzzy Hash: a83cf2a6e7cdc1dd5fd551beaeb6a114339be945ac12246f5548f53177ceeab4
Instruction Fuzzy Hash: 19F15866F04B15D8EB509BAAC4402BC37B0FB44B9CF814836DE4C977AAEF39D6459360

Function 00007FF630481E80 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF630487D30: malloc.MSVCRT ref: 00007FF630487D4E
Part of subcall function 00007FF630487D30: free.MSVCRT ref: 00007FF630487E25

fread.MSVCRT ref: 00007FF630481EF3
malloc.MSVCRT ref: 00007FF630481F52
fread.MSVCRT ref: 00007FF630481F73
ferror.MSVCRT ref: 00007FF630481F90
fclose.MSVCRT ref: 00007FF630482000

Strings

Error on file., xrefs: 00007FF630482077
Cannot read Table of Contents., xrefs: 00007FF630481FA7
Failed to read cookie!, xrefs: 00007FF630482048
fseek, xrefs: 00007FF63048208C
malloc, xrefs: 00007FF6304820A1
Failed to seek to cookie position!, xrefs: 00007FF630482085
Could not allocate buffer for TOC!, xrefs: 00007FF63048209A
fread, xrefs: 00007FF63048204F, 00007FF630482069
Could not read full TOC!, xrefs: 00007FF630482062

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: freadmalloc$fcloseferrorfree
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$fread$fseek$malloc
API String ID: 1320676746-1463511288
Opcode ID: 7404101327b7c696846e3b2d9a5f063e29a2d00f0411d25a276bbc31f9bf0887
Instruction ID: af990ebc1fe356c263488590670a398f90d66796149099124d840837a8d6f15d
Opcode Fuzzy Hash: 7404101327b7c696846e3b2d9a5f063e29a2d00f0411d25a276bbc31f9bf0887
Instruction Fuzzy Hash: E2516071B09602E6EA14CB19D64027923A0BF49748F468835DB0DC7792DF3DF669D780

Function 00007FF6304879C0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF630488210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF630482E40), ref: 00007FF630488246

SetConsoleCtrlHandler.KERNEL32 ref: 00007FF630487A06
GetStartupInfoW.KERNEL32 ref: 00007FF630487A28
_fileno.MSVCRT ref: 00007FF630487A6C
_get_osfhandle.MSVCRT ref: 00007FF630487A7A
_fileno.MSVCRT ref: 00007FF630487A8E
_get_osfhandle.MSVCRT ref: 00007FF630487A95
_fileno.MSVCRT ref: 00007FF630487AA9
_get_osfhandle.MSVCRT ref: 00007FF630487AB0
GetCommandLineW.KERNEL32 ref: 00007FF630487ABA
CreateProcessW.KERNEL32 ref: 00007FF630487B02
WaitForSingleObject.KERNEL32 ref: 00007FF630487B19
GetExitCodeProcess.KERNEL32 ref: 00007FF630487B2C

Strings

CreateProcessW, xrefs: 00007FF630487B4F
Error creating child process!, xrefs: 00007FF630487B48

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: _fileno_get_osfhandle$Process$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 1833775142-3524285272
Opcode ID: 8ef660b42063669becf1bd41f8a29df173ea005990595a1a776f16ce8dcaa147
Instruction ID: cb45f2d6bca3498a132ae63978d3bd31b1a4702b82415d05e4dcc27ee4e9f1a7
Opcode Fuzzy Hash: 8ef660b42063669becf1bd41f8a29df173ea005990595a1a776f16ce8dcaa147
Instruction Fuzzy Hash: 68418232A08782D6EB209B64F8143EEB3A0FB85798F414135DA8D87796DF7DD148DB40

Function 00007FF6304816D0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 285
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF630488160: free.MSVCRT ref: 00007FF6304881C7
Part of subcall function 00007FF630488160: free.MSVCRT ref: 00007FF6304881D4

Part of subcall function 00007FF6304821B0: calloc.MSVCRT ref: 00007FF6304821BE

Part of subcall function 00007FF6304842F0: GetModuleFileNameW.KERNEL32 ref: 00007FF630484312

Part of subcall function 00007FF630486FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF63048700C

free.MSVCRT ref: 00007FF630483C27

Part of subcall function 00007FF6304870D0: SetEnvironmentVariableW.KERNEL32 ref: 00007FF6304870EB
Part of subcall function 00007FF6304870D0: free.MSVCRT ref: 00007FF6304870F6

SetDllDirectoryW.KERNEL32 ref: 00007FF630483C93
strcmp.MSVCRT ref: 00007FF630483CBF
strcpy.MSVCRT ref: 00007FF630483D05

Strings

_MEIPASS2, xrefs: 00007FF630483BD8
_PYI_ONEDIR_MODE, xrefs: 00007FF630483BF3, 00007FF630483C2C
Error opening archive ZNdewcHn8K from executable (%s) or external archive (%s), xrefs: 00007FF630483F2C
Failed to convert DLL search path!, xrefs: 00007FF630483FF7
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF630483FA9

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: free$EnvironmentVariable$DirectoryFileModuleNamecallocstrcmpstrcpy
String ID: Cannot side-load external archive %s (code %d)!$Error opening archive ZNdewcHn8K from executable (%s) or external archive (%s)$Failed to convert DLL search path!$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 4056350997-3668766296
Opcode ID: 8037da94f03f8b8fec9e8aa24b1861a1d75888de2a0157cbc5161594d342ec19
Instruction ID: e342230e470222f09d203457e7aca121d210a38f4b74f24eaac1719b0cbee0d6
Opcode Fuzzy Hash: 8037da94f03f8b8fec9e8aa24b1861a1d75888de2a0157cbc5161594d342ec19
Instruction Fuzzy Hash: CDC18421A1C642E0FA50AB2598111BA5264AF84BCDF464831EE4DC77D7EE2DE70DA7C4

Function 00007FF630487490 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF630488210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF630482E40), ref: 00007FF630488246

wcslen.MSVCRT ref: 00007FF6304874E0
wcscat.MSVCRT ref: 00007FF63048750E
_wrmdir.MSVCRT ref: 00007FF63048752C
wcscat.MSVCRT ref: 00007FF63048755E

Strings

_MEIPASS2, xrefs: 00007FF630487497

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: wcscat$ByteCharMultiWide_wrmdirwcslen
String ID: _MEIPASS2
API String ID: 3789554339-3944641314
Opcode ID: 3889d0a8454738bdc02ac1a27fcd313a3c6fda00dcb1aeb9c18716f4fec953fa
Instruction ID: 351537eb6ad64c309825077d8c0f20aaa3711e143388944f57b8b18fc3869d4c
Opcode Fuzzy Hash: 3889d0a8454738bdc02ac1a27fcd313a3c6fda00dcb1aeb9c18716f4fec953fa
Instruction Fuzzy Hash: 5D214311B08012F1EA10A613AD142BB5240BB85BE8FC68931EE1D87BC7ED3DE64DE340

Function 00007FF6304876B0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 102
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF630487723
strlen.MSVCRT ref: 00007FF630487753
strlen.MSVCRT ref: 00007FF630487769
strcpy.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF630481CB3), ref: 00007FF63048777A
strtok.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF630481CB3), ref: 00007FF630487784

Part of subcall function 00007FF630488210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF630482E40), ref: 00007FF630488246

Part of subcall function 00007FF63048F1BB: free.MSVCRT ref: 00007FF63048F1FF
Part of subcall function 00007FF63048F1BB: memset.MSVCRT ref: 00007FF63048F21C

Strings

WARNING: file already exists but should not: %s, xrefs: 00007FF63048782B

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: strlen$ByteCharMultiWidefreememsetstrcpystrtok
String ID: WARNING: file already exists but should not: %s
API String ID: 901113649-146164175
Opcode ID: ca36de477079e4f6f74a1a54eff721585967ac0d888d48a75a9c58833b9c770e
Instruction ID: 4c4cb878edadceec8b408a436ba04fd3eb1ff789abf1a1f87f119ecdc6af3d35
Opcode Fuzzy Hash: ca36de477079e4f6f74a1a54eff721585967ac0d888d48a75a9c58833b9c770e
Instruction Fuzzy Hash: 8C318F12B08552F5FA21A612A9153FB42415F85BD8F8A4832ED0DC7787DE2DE74DE380

Function 00007FF6304875D0 Relevance: 9.1, APIs: 6, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscmp.MSVCRT ref: 00007FF63048761A
wcscat.MSVCRT ref: 00007FF630487630

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: wcscatwcscmp
String ID:
API String ID: 3846154227-0
Opcode ID: d9fc9803e7bfdff9322b61788698340c51d4f1b4d93720d135f91fe10f214957
Instruction ID: d037b9394050800d71ef89813770ecd3ee6e3ad44902edb9d0599172781fa13c
Opcode Fuzzy Hash: d9fc9803e7bfdff9322b61788698340c51d4f1b4d93720d135f91fe10f214957
Instruction Fuzzy Hash: 9A11B610B0C513F5FA55AB2A9A203BA12805F45BECF4A4430DD0DD6393FE1EE70D6350

Function 00007FF6304886B0 Relevance: 5.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF63048870E
malloc.MSVCRT ref: 00007FF630488784

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: mallocmemcpy
String ID:
API String ID: 4276657696-0
Opcode ID: 61eaa1ab35641a1ad6f539a3031d6a572ba3cd1bcdd971e16e585366fc5a0095
Instruction ID: 667c95e0a71ffe83b6ce0fa24efdd23cdd673b57cd228f1707fb8fb28f7bcde1
Opcode Fuzzy Hash: 61eaa1ab35641a1ad6f539a3031d6a572ba3cd1bcdd971e16e585366fc5a0095
Instruction Fuzzy Hash: DB31E432B21101DBD7608B2AE88066AA2E1FB84B88F155438CB4EC7F41EE3DF5489B40

Function 00007FF630487D30 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF630487D4E
free.MSVCRT ref: 00007FF630487E25

Strings

_MEIPASS2, xrefs: 00007FF630487D32

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: freemalloc
String ID: _MEIPASS2
API String ID: 3061335427-3944641314
Opcode ID: 3b9bd6a0f163d2da26dd4c279a8002867e4894d35b47054a5e813b7ebfdd3df8
Instruction ID: eb7bc4a58ea577eb1bda751b02c4d97d7d9e9a46909d83ec9e71a2d0beb168cc
Opcode Fuzzy Hash: 3b9bd6a0f163d2da26dd4c279a8002867e4894d35b47054a5e813b7ebfdd3df8
Instruction Fuzzy Hash: E5210812718122A1FE119A129A147BB86456F45BDCF8A0875EF0DCB7C3EE3EE749D340

Function 00007FF630486170 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.MSVCRT ref: 00007FF63048617E

Strings

Cannot allocate memory for SPLASH_STATUS., xrefs: 00007FF63048618D
calloc, xrefs: 00007FF630486194

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: calloc
String ID: Cannot allocate memory for SPLASH_STATUS.$calloc
API String ID: 2635317215-799113134
Opcode ID: daeeb61d3e57278251d27ce958a3713753ff428d5e00cabe7585f6002fde9d4c
Instruction ID: 450db84e6eed056a6d01f2d776e83a19bad242dd9cc4527dc7c22b404475bd2c
Opcode Fuzzy Hash: daeeb61d3e57278251d27ce958a3713753ff428d5e00cabe7585f6002fde9d4c
Instruction Fuzzy Hash: BEE01261E0C60BF1EA646B04D6411B92751DF8434CFD64438D90C867A7DD3DE71DA784

Function 00007FF63048F300 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fsetpos.MSVCRT ref: 00007FF63048F3A5

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fsetpos
String ID:
API String ID: 850078086-0
Opcode ID: 1b41710901f17b2eeca1497c090281577d230925116f41a5d4b4f06b87e02d06
Instruction ID: fe797871b14e01c40288d3bab86045f002ea573d15d90a6722c7522a03e28d60
Opcode Fuzzy Hash: 1b41710901f17b2eeca1497c090281577d230925116f41a5d4b4f06b87e02d06
Instruction Fuzzy Hash: 0C116372E04B06EAEF109F7985410BC23A0AB0579CF510E35EE1D87B9ADF39D2549340

Function 00007FF6304820B0 Relevance: 3.0, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FF630482138
fclose.MSVCRT ref: 00007FF630482158

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fclosestrcpy
String ID:
API String ID: 3396940900-0
Opcode ID: 971efec496ac2d361f2b672ee238c628acabd71029eeb8cfc9f8320c43482ae7
Instruction ID: 9edb42243c4dcd0eeea20b32e61f6345385a472ac9762e38d7d6c63103129d21
Opcode Fuzzy Hash: 971efec496ac2d361f2b672ee238c628acabd71029eeb8cfc9f8320c43482ae7
Instruction Fuzzy Hash: C411AC21B08142E0FB909A75EA553F912419F84BCCF558532DE0DC77CBDD2DAA8DE380

Function 00007FF63048F1BB Relevance: 2.6, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63048EFD0: wcslen.MSVCRT ref: 00007FF63048F006

free.MSVCRT ref: 00007FF63048F1FF
memset.MSVCRT ref: 00007FF63048F21C

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: freememsetwcslen
String ID:
API String ID: 2332356550-0
Opcode ID: 16ca566369b86500749d9f98ec16c1cf0d74b93f9dbbc66e3a29c3db3259c6e1
Instruction ID: 04fe6c36213df78efec313e6bbbc43e9f126cd90aec9ce7e43e721ed8e8776b8
Opcode Fuzzy Hash: 16ca566369b86500749d9f98ec16c1cf0d74b93f9dbbc66e3a29c3db3259c6e1
Instruction Fuzzy Hash: D131D966B00B14D9DB10CF7AD48109C3BB1FB58BA8B118526EE1C53B69EB34C591C790

Function 00007FF63048EE10 Relevance: 2.5, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF63048EE67
memcpy.MSVCRT ref: 00007FF63048EEDA

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 28245664c572555644c21b5e65988328f64a065fd9a3e6ebb93e0ea27bb1dba2
Instruction ID: 5012d3c46e2f7edc886c93f603c059c0f7214552bb300ea276cb08f1abf33d04
Opcode Fuzzy Hash: 28245664c572555644c21b5e65988328f64a065fd9a3e6ebb93e0ea27bb1dba2
Instruction Fuzzy Hash: F221E776A40B8A89DB60CF6AD8843ED23A1E749BACF114225CE3C5BB99DE34C2448340

Function 00007FF63048EEF0 Relevance: 2.5, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF63048EF45
memcpy.MSVCRT ref: 00007FF63048EFB6

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 3e7cd3d59118b199465456136e8bc5aa6b3bf50dbcff2041c2c4c44bafb46f53
Instruction ID: 52f8c46d30f25063774685d1db759da9b5d59c5e84ada5b8a1cb1d1d32eed47e
Opcode Fuzzy Hash: 3e7cd3d59118b199465456136e8bc5aa6b3bf50dbcff2041c2c4c44bafb46f53
Instruction Fuzzy Hash: 6821F976B40B8689DB20CF6AD8843ED37A1F749B9CF118135CE2C5BB59DE34C6448740

Function 00007FF6304843B0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF630488210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF630482E40), ref: 00007FF630488246

_wfopen.MSVCRT ref: 00007FF6304843F5

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: ByteCharMultiWide_wfopen
String ID:
API String ID: 372205238-0
Opcode ID: e249028c2137e21c272be09ebad8c35b62695eafe249120916a556fd3ad7a81d
Instruction ID: 307caf3fbde2dc61c8f1c0c5966dcbcf50b240c0f679cecd81eac7dfa3669ec4
Opcode Fuzzy Hash: e249028c2137e21c272be09ebad8c35b62695eafe249120916a556fd3ad7a81d
Instruction Fuzzy Hash: C1E0D85170C21092F9147253B9047E98216AF4AFD4F408430EF0C9BB9BCD1EE3478B41

Function 00007FF630489330 Relevance: 1.4, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF63048936E

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8ecaa912455c69dac76f6531f9098773f1cfe53416ab283d50a917500fe93d8f
Instruction ID: 31ff22bc29f12135c1262e6dd4055d5a95750e635865a3ff80f3bdd51810beac
Opcode Fuzzy Hash: 8ecaa912455c69dac76f6531f9098773f1cfe53416ab283d50a917500fe93d8f
Instruction Fuzzy Hash: 4E510937A18642CBE3618E15E48892F77E4FB40798F168438DA4693B85CF39DD48EB40

Function 00007FF63048CBA0 Relevance: 1.3, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF63048CC5A

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 623919cd236f253b3d7bc4f578d470e9102edac5acaca204977424f4e3dbef8b
Instruction ID: 67dfe31b562cb8fa8700722f7507c9d5c28f636c4435e6df3ee79c8ab8fc9703
Opcode Fuzzy Hash: 623919cd236f253b3d7bc4f578d470e9102edac5acaca204977424f4e3dbef8b
Instruction Fuzzy Hash: 46312726F04B15E9F7108B65D4403BC37B0A700B8CF918876DE8CA3B99DF399699A790

Function 00007FF630488AE0 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF630488A49

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 0fc86e8ee51b5bdc1f5f7082c9320d3be715a44251d05dfd6912ed91f5c13a9f
Instruction ID: 88f501d83823e5970e16ae672bb6e6facb2be1897ece1e86c6c6e2a3d592cb8e
Opcode Fuzzy Hash: 0fc86e8ee51b5bdc1f5f7082c9320d3be715a44251d05dfd6912ed91f5c13a9f
Instruction Fuzzy Hash: 94219831609B02D7F7694B15D4403392695BB84BDCF2A453ACD1D877D2DF3EDA86A380

Non-executed Functions

Function 00007FF630484410 Relevance: 291.1, APIs: 55, Strings: 111, Instructions: 566libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000,?,00007FF630483AAD), ref: 00007FF63048442A
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484446
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484462
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048447E
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048449A
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304844B6
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304844D2
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304844EE
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048450A
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484532
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048454E
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048456A
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484586
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304845A2
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304845BE
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304845DA
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304845F6
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484612
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048462E
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048464A
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484666
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484682
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048469E
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304846BA
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304846D6
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304846F2
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048470E
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048472A
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484746
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484762
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048477E
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048479A
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304847B6
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304847D2
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304847EE
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048480A
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484826
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484842
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048485E
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048487A
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484896
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304848B2
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304848CE
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304848EA
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484906
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484922
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048493E
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF63048495A
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484976
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484992
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304849AE
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304849CA
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF6304849E6
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484A02
GetProcAddress.KERNEL32(?,00007FF630483AAD), ref: 00007FF630484A2A

Strings

PyUnicode_DecodeFSDefault, xrefs: 00007FF6304849A4
Py_NoSiteFlag, xrefs: 00007FF630484490
PySys_SetArgvEx, xrefs: 00007FF630484870
PyList_New, xrefs: 00007FF630484758
PyErr_Fetch, xrefs: 00007FF630484694
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF630484AD8
Failed to get address for Py_BuildValue, xrefs: 00007FF630484B50
Failed to get address for Py_GetPath, xrefs: 00007FF630484B80
Py_DecodeLocale, xrefs: 00007FF630484934
Failed to get address for PyUnicode_FromString, xrefs: 00007FF630484E20
PyMem_RawFree, xrefs: 00007FF630484950
Py_SetPath, xrefs: 00007FF6304845B4
Failed to get address for Py_Initialize, xrefs: 00007FF630484BB0
PyImport_ExecCodeModule, xrefs: 00007FF630484704
Py_UnbufferedStdioFlag, xrefs: 00007FF630484500
PyObject_GetAttrString, xrefs: 00007FF630484800
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF630484C70
PyObject_CallFunction, xrefs: 00007FF6304847AC
Failed to get address for PyUnicode_Replace, xrefs: 00007FF630484F40
PyErr_Restore, xrefs: 00007FF6304846B0
PyUnicode_FromFormat, xrefs: 00007FF63048496C
Py_FrozenFlag, xrefs: 00007FF630484458
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF630484D48
Failed to get address for Py_DecodeLocale, xrefs: 00007FF630484E08
PyObject_CallFunctionObjArgs, xrefs: 00007FF6304847C8
Py_VerboseFlag, xrefs: 00007FF6304844E4
PyErr_Print, xrefs: 00007FF630484678
PyUnicode_Join, xrefs: 00007FF6304849DC
Failed to get address for PyObject_CallFunction, xrefs: 00007FF630484D18
PyErr_Occurred, xrefs: 00007FF63048465C
Failed to get address for Py_SetProgramName, xrefs: 00007FF630484B68
Failed to get address for PyModule_GetDict, xrefs: 00007FF630484D30
PyRun_SimpleStringFlags, xrefs: 00007FF630484838
Failed to get address for PySys_SetObject, xrefs: 00007FF630484E80
Failed to get address for Py_DecRef, xrefs: 00007FF630484B38
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF630484DD8
PySys_GetObject, xrefs: 00007FF63048488C
Failed to get address for PyErr_Print, xrefs: 00007FF630484C58
PySys_AddWarnOption, xrefs: 00007FF630484854
Failed to get address for PyErr_Clear, xrefs: 00007FF630484C10
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF630484A81
Failed to get address for Py_SetPath, xrefs: 00007FF630484B98
PyList_Append, xrefs: 00007FF63048473C
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF630484AF0
Failed to get address for PyDict_GetItemString, xrefs: 00007FF630484BC8
PyUnicode_Decode, xrefs: 00007FF630484988
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF630484D90
Failed to get address for PyUnicode_Decode, xrefs: 00007FF630484EE0
Failed to get address for PyImport_AddModule, xrefs: 00007FF630484CE8
Py_SetProgramName, xrefs: 00007FF6304845EC
Failed to get address for PyErr_Fetch, xrefs: 00007FF630484C40
Failed to get address for PyEval_EvalCode, xrefs: 00007FF630484E50
Py_UTF8Mode, xrefs: 00007FF630484A20
PySys_SetPath, xrefs: 00007FF6304848C4
PySys_SetObject, xrefs: 00007FF6304848A8
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF630484A6C
Failed to get address for PyUnicode_Join, xrefs: 00007FF630484E98
Failed to get address for PyList_New, xrefs: 00007FF630484C88
Failed to get address for PyList_Append, xrefs: 00007FF630484CA0
Failed to get address for Py_SetPythonHome, xrefs: 00007FF630484BE0
PyImport_ImportModule, xrefs: 00007FF630484720
Failed to get address for PyErr_Restore, xrefs: 00007FF630484C28
PyLong_AsLong, xrefs: 00007FF630484774
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF630484DF0
Py_NoUserSiteDirectory, xrefs: 00007FF6304844AC
Failed to get address for PyErr_Occurred, xrefs: 00007FF630484BF8
Failed to get address for Py_IncRef, xrefs: 00007FF630484B08
PyEval_EvalCode, xrefs: 00007FF6304848E0
Failed to get address for PyLong_AsLong, xrefs: 00007FF630484D00
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF630484EF8
Failed to get address for PyMem_RawFree, xrefs: 00007FF630484F10
Failed to get address for PySys_SetPath, xrefs: 00007FF630484E68
Py_DecRef, xrefs: 00007FF630484544
Failed to get address for Py_UTF8Mode, xrefs: 00007FF630484A3C
Py_GetPath, xrefs: 00007FF6304845D0
PyUnicode_Replace, xrefs: 00007FF6304849F8
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF630484F28
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF630484CD0
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF630484D60
Py_FileSystemDefaultEncoding, xrefs: 00007FF63048443C
Py_IncRef, xrefs: 00007FF63048457C
Failed to get address for PyImport_ImportModule, xrefs: 00007FF630484CB8
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF630484EB0
PyUnicode_AsUTF8, xrefs: 00007FF6304849C0
Py_BuildValue, xrefs: 00007FF630484528
PyErr_NormalizeException, xrefs: 00007FF6304846CC
Py_OptimizeFlag, xrefs: 00007FF6304844C8
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF630484E38
PyMarshal_ReadObjectFromString, xrefs: 00007FF6304848FC
Py_IgnoreEnvironmentFlag, xrefs: 00007FF630484474
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF630484AAB
Py_SetPythonHome, xrefs: 00007FF630484608
GetProcAddress, xrefs: 00007FF630484A43, 00007FF630484A5E, 00007FF630484A73, 00007FF630484A88, 00007FF630484A9D, 00007FF630484AB2, 00007FF630484AC7, 00007FF630484ADF, 00007FF630484AF7, 00007FF630484B0F, 00007FF630484B27, 00007FF630484B3F, 00007FF630484B57, 00007FF630484B6F, 00007FF630484B87, 00007FF630484B9F, 00007FF630484BB7, 00007FF630484BCF, 00007FF630484BE7, 00007FF630484BFF, 00007FF630484C17, 00007FF630484C2F, 00007FF630484C47, 00007FF630484C5F, 00007FF630484C77, 00007FF630484C8F, 00007FF630484CA7, 00007FF630484CBF, 00007FF630484CD7, 00007FF630484CEF, 00007FF630484D07, 00007FF630484D1F, 00007FF630484D37, 00007FF630484D4F, 00007FF630484D67, 00007FF630484D7F, 00007FF630484D97, 00007FF630484DAF, 00007FF630484DC7, 00007FF630484DDF, 00007FF630484DF7, 00007FF630484E0F, 00007FF630484E27, 00007FF630484E3F, 00007FF630484E57, 00007FF630484E6F, 00007FF630484E87, 00007FF630484E9F, 00007FF630484EB7, 00007FF630484ECF, 00007FF630484EE7, 00007FF630484EFF, 00007FF630484F17, 00007FF630484F2F, 00007FF630484F47
Py_DontWriteBytecodeFlag, xrefs: 00007FF630484423
PyUnicode_FromString, xrefs: 00007FF630484918
PyImport_AddModule, xrefs: 00007FF6304846E8
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF630484DC0
Py_Finalize, xrefs: 00007FF630484560
PyErr_Clear, xrefs: 00007FF630484640
Failed to get address for Py_Finalize, xrefs: 00007FF630484B20
PyObject_SetAttrString, xrefs: 00007FF6304847E4
PyModule_GetDict, xrefs: 00007FF630484790
Failed to get address for Py_VerboseFlag, xrefs: 00007FF630484A96
PyDict_GetItemString, xrefs: 00007FF630484624
PyObject_Str, xrefs: 00007FF63048481C
Failed to get address for PySys_GetObject, xrefs: 00007FF630484DA8
Py_Initialize, xrefs: 00007FF630484598
Failed to get address for Py_FrozenFlag, xrefs: 00007FF630484A57
Failed to get address for PyObject_Str, xrefs: 00007FF630484D78
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF630484EC8
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF630484AC0

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 4916de274225d75524e548f11a2fa4b69452b516a84e6ab57919398c0b26c71a
Instruction ID: 032de95491ae8340ffa16153d2db9dd8dc9830da7b53e2f0b4e8c236a406c7f8
Opcode Fuzzy Hash: 4916de274225d75524e548f11a2fa4b69452b516a84e6ab57919398c0b26c71a
Instruction Fuzzy Hash: F752C660A5EB03F0E945DB14FA901B427A5AF8034CB975932C40E867A7EE6DF71DE390

Function 00007FF630482560 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF630482593
MulDiv.KERNEL32 ref: 00007FF6304825B0
MulDiv.KERNEL32 ref: 00007FF6304825C9
SystemParametersInfoW.USER32 ref: 00007FF63048260F
LoadIconMetric.COMCTL32 ref: 00007FF630482643
CreateWindowExW.USER32 ref: 00007FF6304826A1
CreateWindowExW.USER32 ref: 00007FF6304826FB
CreateWindowExW.USER32 ref: 00007FF63048275C
CreateWindowExW.USER32 ref: 00007FF6304827BE
SendMessageW.USER32 ref: 00007FF6304827E1
SendMessageW.USER32 ref: 00007FF6304827F9
SendMessageW.USER32 ref: 00007FF630482814
SendMessageW.USER32 ref: 00007FF630482831
SendMessageW.USER32 ref: 00007FF63048284C
SendMessageW.USER32 ref: 00007FF630482867
SendMessageW.USER32 ref: 00007FF630482882
SendMessageW.USER32 ref: 00007FF630482896
SendMessageW.USER32 ref: 00007FF6304828AB
GetClientRect.USER32 ref: 00007FF6304828B6
CreateFontIndirectW.GDI32 ref: 00007FF6304828D8

Strings

BUTTON, xrefs: 00007FF630482774
STATIC, xrefs: 00007FF63048263C
Failed to vqmkBiYr script '%ls' due to unhandled exception: %ls, xrefs: 00007FF63048256B
Close, xrefs: 00007FF630482764
EDIT, xrefs: 00007FF630482712
, xrefs: 00007FF6304825FD

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: MessageSend$Create$Window$BaseClientDialogFontIconIndirectInfoLoadMetricParametersRectSystemUnits
String ID: $BUTTON$Close$EDIT$Failed to vqmkBiYr script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 3223904152-2049099994
Opcode ID: f946fc37740113d1f7e6e8a1de48a3746edf2e82bfe78e13903bb1f18fd90df2
Instruction ID: 17001862176c3a0a5370a32b191c156f872d5909ff7eba19e08bba9142d8fd35
Opcode Fuzzy Hash: f946fc37740113d1f7e6e8a1de48a3746edf2e82bfe78e13903bb1f18fd90df2
Instruction Fuzzy Hash: F091AC76218B91C2E7508F61E45479EB760F788B98F14413AEE8C4BB99CF7EC189CB50

Function 00007FF630487E50 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF630487E92
WideCharToMultiByte.KERNEL32 ref: 00007FF630487ED2
GetLastError.KERNEL32 ref: 00007FF630487F18

Strings

PyInstaller: FormatMessageW failed., xrefs: 00007FF630487F03
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF630487F43
WideCharToMultiByte, xrefs: 00007FF630487E56, 00007FF630487F37
No error messages generated., xrefs: 00007FF630487EF0
Failed to encode wchar_t as UTF-8., xrefs: 00007FF630487F30
FormatMessageW, xrefs: 00007FF630487EF7

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: ByteCharErrorFormatLastMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 1653872744-2573406579
Opcode ID: cbdb8eea67fde94177a7de486669295192c3b68fd3ad581342b718ce3b64fd12
Instruction ID: a648d7f33f75b800f7d872f68acb526765495380826ef42ea95c4f51d2652b07
Opcode Fuzzy Hash: cbdb8eea67fde94177a7de486669295192c3b68fd3ad581342b718ce3b64fd12
Instruction Fuzzy Hash: 3D21C031A18A03E1F7609B15F9503B622A1EF8539CF468534E68D827A6DF3DD74DE740

Function 00007FF6304815E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6304815F7
LoadLibraryA.KERNEL32 ref: 00007FF630481608
GetProcAddress.KERNEL32 ref: 00007FF630481626
GetProcAddress.KERNEL32 ref: 00007FF630481635

Strings

__register_frame_info, xrefs: 00007FF630481615
libgcc_s_dw2-1.dll, xrefs: 00007FF6304815ED
__deregister_frame_info, xrefs: 00007FF630481628

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: e6b7f3097ed1fa55bbfab8c2ac934be5e0bcb191cc89f52011f527b87621e30f
Instruction ID: 5c80173ac104729aa757285132f328dbd198150f2240c8e6fdebf8266b3f10b8
Opcode Fuzzy Hash: e6b7f3097ed1fa55bbfab8c2ac934be5e0bcb191cc89f52011f527b87621e30f
Instruction Fuzzy Hash: 5D01CC24A0AA17F1E9119F09B9001B463A4BF4878CF8A4532CC4E93766EF2CE75EE340

Function 00007FF63049508A Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 1364COMMON

Download Yara Rule

Strings

NaN, xrefs: 00007FF6304951BE
Infinity, xrefs: 00007FF63049518D

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID:
String ID: Infinity$NaN
API String ID: 0-4285296124
Opcode ID: ec4959e25b3a233c40df6fe2cbcd1797900df63c317f93c6ae3b59cfffbb73f8
Instruction ID: 9a973799362a3c402ace3780a74dc438193c72396113154a206742c9e6b1eadf
Opcode Fuzzy Hash: ec4959e25b3a233c40df6fe2cbcd1797900df63c317f93c6ae3b59cfffbb73f8
Instruction Fuzzy Hash: 6BE21532A04B85DEE751CF78C5442AC37A1FB4578CF218235EA0D9BB5ADF38E5899B40

Function 00007FF630489640 Relevance: 3.9, Strings: 3, Instructions: 138COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF63048A772
incorrect header check, xrefs: 00007FF63048A3CB
unknown compression method, xrefs: 00007FF63048A179

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size$unknown compression method
API String ID: 0-1186847913
Opcode ID: d51e19eb2a5d66987ad539d3f96753dfa09b1ab6df977b44f91825f4f2a35776
Instruction ID: 0cf460706e2992d95b6c7cd5198e12f5400f18d142687db1f81493f8dc32c789
Opcode Fuzzy Hash: d51e19eb2a5d66987ad539d3f96753dfa09b1ab6df977b44f91825f4f2a35776
Instruction Fuzzy Hash: 5C51E372A18612DBF7548E24948C53E36A5FB44348F128938DB0AC7782DF7DEA18F784

Function 00007FF630489660 Relevance: 1.5, APIs: 1, Instructions: 253COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF630489820

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: ab0a6b18e32699958ec78ff02d5a0d2387750140b9c869829991cde5e5795802
Instruction ID: ab07b2c3fd61fbbffb49f39b8aceb9f25ca7b0c5e494a209da906ca8991af19e
Opcode Fuzzy Hash: ab0a6b18e32699958ec78ff02d5a0d2387750140b9c869829991cde5e5795802
Instruction Fuzzy Hash: C4B1EA72E18751DAE7658F159048B3E3A95FB45788F0A4538DF4A83B81DF3AED04DB80

Function 00007FF63048B2A0 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db726857f4e012455a8f3608d8def5699ee7c479c0fb5f7e8890c9e2af20ea6
Instruction ID: fadd6bedf49d243a76e7c2b03b5146f35597146dc2200ef710cf3b7d874bd482
Opcode Fuzzy Hash: 3db726857f4e012455a8f3608d8def5699ee7c479c0fb5f7e8890c9e2af20ea6
Instruction Fuzzy Hash: 6BD1F533A0C692DAD7258F14E00037E77A0FB84748F454535EA9A93B95EF3EDA48DB80

Function 00007FF63048BE20 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ac91676b8285db99ac092ed0f9aacb70baec7d96c70589df18768542e35690
Instruction ID: 89a0d5f953554df34828fa2e447d4ae1493b9855d17e745c77f0d1636b80d0be
Opcode Fuzzy Hash: 58ac91676b8285db99ac092ed0f9aacb70baec7d96c70589df18768542e35690
Instruction Fuzzy Hash: 45A15873B241A097EA50CB2AD85467E77A2F74A7C0F85D631DF8843B89CA3DE909D740

Function 00007FF630486100 Relevance: 166.6, APIs: 31, Strings: 64, Instructions: 348libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF630487950: LoadLibraryExW.KERNEL32 ref: 00007FF630487971
Part of subcall function 00007FF630487950: free.MSVCRT ref: 00007FF63048797D

GetProcAddress.KERNEL32 ref: 00007FF63048680B
GetProcAddress.KERNEL32 ref: 00007FF630486827
GetProcAddress.KERNEL32 ref: 00007FF630486843
GetProcAddress.KERNEL32 ref: 00007FF63048685F
GetProcAddress.KERNEL32 ref: 00007FF63048687B
GetProcAddress.KERNEL32 ref: 00007FF630486897
GetProcAddress.KERNEL32 ref: 00007FF6304868B3
GetProcAddress.KERNEL32 ref: 00007FF6304868CF
GetProcAddress.KERNEL32 ref: 00007FF6304868EB
GetProcAddress.KERNEL32 ref: 00007FF630486907
GetProcAddress.KERNEL32 ref: 00007FF630486923
GetProcAddress.KERNEL32 ref: 00007FF63048693F
GetProcAddress.KERNEL32 ref: 00007FF63048695B
GetProcAddress.KERNEL32 ref: 00007FF630486977
GetProcAddress.KERNEL32 ref: 00007FF630486993
GetProcAddress.KERNEL32 ref: 00007FF6304869AF
GetProcAddress.KERNEL32 ref: 00007FF6304869CB
GetProcAddress.KERNEL32 ref: 00007FF6304869E7
GetProcAddress.KERNEL32 ref: 00007FF630486A03
GetProcAddress.KERNEL32 ref: 00007FF630486A1F
GetProcAddress.KERNEL32 ref: 00007FF630486A3B
GetProcAddress.KERNEL32 ref: 00007FF630486A57
GetProcAddress.KERNEL32 ref: 00007FF630486A73
GetProcAddress.KERNEL32 ref: 00007FF630486A8F
GetProcAddress.KERNEL32 ref: 00007FF630486AAB
GetProcAddress.KERNEL32 ref: 00007FF630486AC7
GetProcAddress.KERNEL32 ref: 00007FF630486AE3
GetProcAddress.KERNEL32 ref: 00007FF630486AFF
GetProcAddress.KERNEL32 ref: 00007FF630486B1B
GetProcAddress.KERNEL32 ref: 00007FF630486B37
GetProcAddress.KERNEL32 ref: 00007FF630486B53

Strings

Failed to get address for Tcl_CreateThread, xrefs: 00007FF630486BE3
Tcl_Free, xrefs: 00007FF630486B11
Tcl_MutexUnlock, xrefs: 00007FF630486919
Tcl_ThreadAlert, xrefs: 00007FF6304869A5
Tcl_CreateObjCommand, xrefs: 00007FF6304869F9
Failed to get address for Tcl_SetVar2, xrefs: 00007FF630486D00
Failed to get address for Tcl_Free, xrefs: 00007FF630486DC0
Tcl_GetVar2, xrefs: 00007FF6304869C1
Tcl_EvalEx, xrefs: 00007FF630486ABD
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF630486CB8
Tcl_GetString, xrefs: 00007FF630486A15
Tcl_GetObjResult, xrefs: 00007FF630486A85
Tcl_NewStringObj, xrefs: 00007FF630486A31
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF630486BCE
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF630486D78
Tcl_EvalObjv, xrefs: 00007FF630486AD9
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF630486B8F
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF630486C28
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF630486C58
LOADER: Failed to load tcl/tk libraries, xrefs: 00007FF630486150
Tcl_SetVar2Ex, xrefs: 00007FF630486A69
Tcl_CreateInterp, xrefs: 00007FF63048681D
Tcl_DeleteInterp, xrefs: 00007FF6304868A9
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF630486C70
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF630486DF0
Failed to get address for Tk_Init, xrefs: 00007FF630486E20
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF630486CE8
Failed to get address for Tcl_GetString, xrefs: 00007FF630486D48
Tcl_ConditionWait, xrefs: 00007FF63048696D
Tcl_EvalFile, xrefs: 00007FF630486AA1
Failed to get address for Tcl_EvalFile, xrefs: 00007FF630486DA8
Failed to get address for Tcl_Init, xrefs: 00007FF630486B6F
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF630486C10
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF630486D60
Tcl_FinalizeThread, xrefs: 00007FF63048688D
Tcl_Alloc, xrefs: 00007FF630486AF5
Tcl_ConditionNotify, xrefs: 00007FF630486951
Tk_Init, xrefs: 00007FF630486B2D
Tcl_ThreadQueueEvent, xrefs: 00007FF630486989
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF630486D90
Failed to get address for Tcl_Finalize, xrefs: 00007FF630486BB9
Tcl_Finalize, xrefs: 00007FF630486871
Tcl_SetVar2, xrefs: 00007FF6304869DD
Tcl_NewByteArrayObj, xrefs: 00007FF630486A4D
Tcl_GetCurrentThread, xrefs: 00007FF6304868E1
Tcl_Init, xrefs: 00007FF630486804
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF630486BA4
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF630486BF8
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF630486E38
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF630486D30
Failed to get address for Tcl_GetVar2, xrefs: 00007FF630486CA0
Tcl_FindExecutable, xrefs: 00007FF630486839
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF630486C40
Failed to get address for Tcl_Alloc, xrefs: 00007FF630486DD8
Tk_GetNumMainWindows, xrefs: 00007FF630486B49
Tcl_MutexLock, xrefs: 00007FF6304868FD
Tcl_ConditionFinalize, xrefs: 00007FF630486935
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF630486D18
Failed to get address for Tcl_MutexLock, xrefs: 00007FF630486C88
Tcl_DoOneEvent, xrefs: 00007FF630486855
Failed to get address for Tcl_EvalEx, xrefs: 00007FF630486E08
GetProcAddress, xrefs: 00007FF630486B76, 00007FF630486B96, 00007FF630486BAB, 00007FF630486BC0, 00007FF630486BD5, 00007FF630486BEA, 00007FF630486BFF, 00007FF630486C17, 00007FF630486C2F, 00007FF630486C47, 00007FF630486C5F, 00007FF630486C77, 00007FF630486C8F, 00007FF630486CA7, 00007FF630486CBF, 00007FF630486CD7, 00007FF630486CEF, 00007FF630486D07, 00007FF630486D1F, 00007FF630486D37, 00007FF630486D4F, 00007FF630486D67, 00007FF630486D7F, 00007FF630486D97, 00007FF630486DAF, 00007FF630486DC7, 00007FF630486DDF, 00007FF630486DF7, 00007FF630486E0F, 00007FF630486E27, 00007FF630486E3F
Tcl_CreateThread, xrefs: 00007FF6304868C5
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF630486CD0

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: AddressProc$LibraryLoadfree
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 4213687213-1453502826
Opcode ID: 12046f0df8fa877728ee4941feaf5612ec9e4b955045cb1a8f9a13e301cd7c08
Instruction ID: d6312b1a8c91d7dcc46b74442918b0b405c0b51e0274231e3adf71635dcca82b
Opcode Fuzzy Hash: 12046f0df8fa877728ee4941feaf5612ec9e4b955045cb1a8f9a13e301cd7c08
Instruction Fuzzy Hash: 2B02E760A09B17F0EE95DB14EA510B427A5AF4438CB865936C84DC63A7EE6DF30DB380

Function 00007FF630483680 Relevance: 33.5, APIs: 6, Strings: 13, Instructions: 254COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6304837C4

Strings

format_exception, xrefs: 00007FF630483948
Traceback is disabled via bootloader option., xrefs: 00007FF630483899
__main__, xrefs: 00007FF6304836A7
Could not get __main__ module's dict., xrefs: 00007FF630483902
Absolute path to script exceeds PATH_MAX, xrefs: 00007FF6304837E6
Failed to unmarshal code object for %s, xrefs: 00007FF6304837FC
Could not get __main__ module., xrefs: 00007FF6304838F1
traceback, xrefs: 00007FF63048391F
_pyi_main_co, xrefs: 00007FF63048379D
pyi-disable-windowed-traceback, xrefs: 00007FF630483882
\, xrefs: 00007FF630483731
%s%c%s.py, xrefs: 00007FF630483739
__file__, xrefs: 00007FF630483764

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: free
String ID: %s%c%s.py$Absolute path to script exceeds PATH_MAX$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to unmarshal code object for %s$Traceback is disabled via bootloader option.$\$__file__$__main__$_pyi_main_co$format_exception$pyi-disable-windowed-traceback$traceback
API String ID: 1294909896-4198433784
Opcode ID: 3a04efc8f6b0c85cf8dfc67f3231cc18b95e8f3610fca39b876c7c2b14a4cb32
Instruction ID: 2cbe40d0088a088b22e2bfbf053bbe5c3f90f0a476f77ae3c284fa24e7ac9973
Opcode Fuzzy Hash: 3a04efc8f6b0c85cf8dfc67f3231cc18b95e8f3610fca39b876c7c2b14a4cb32
Instruction Fuzzy Hash: 26B14065A09B06E5EA04DB16E85417923A0FF89FC9F564432DD0E877B2EE3CE60DE340

Function 00007FF63048E270 Relevance: 25.7, APIs: 17, Instructions: 223COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF63048E28F
_strdup.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF6304840C0), ref: 00007FF63048E2A6
setlocale.MSVCRT ref: 00007FF63048E2BE
mbstowcs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF6304840C0), ref: 00007FF63048E2F5
mbstowcs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF6304840C0), ref: 00007FF63048E366
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF6304840C0), ref: 00007FF63048E46D
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF6304840C0), ref: 00007FF63048E4A6
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF6304840C0), ref: 00007FF63048E4D5
realloc.MSVCRT ref: 00007FF63048E4F0
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF6304840C0), ref: 00007FF63048E51C
setlocale.MSVCRT ref: 00007FF63048E52D
free.MSVCRT ref: 00007FF63048E539
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF6304840C0), ref: 00007FF63048E562
realloc.MSVCRT ref: 00007FF63048E57D
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF6304840C0), ref: 00007FF63048E5A1
setlocale.MSVCRT ref: 00007FF63048E5B2
free.MSVCRT ref: 00007FF63048E5BE

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: wcstombs$setlocale$freembstowcsrealloc$_strdup
String ID:
API String ID: 1093732947-0
Opcode ID: 18a3bf99bbea6804c92c0b9e4b21d59020ad17d25526b3b34f8233c8396aa3f0
Instruction ID: b627e8367cdc6f7741177d0542ecc3c37c372c434b50e7da534352fcd0737cd6
Opcode Fuzzy Hash: 18a3bf99bbea6804c92c0b9e4b21d59020ad17d25526b3b34f8233c8396aa3f0
Instruction Fuzzy Hash: 41A14D66B04B25E9EB409BAAD8403BC23B0FB48B9CF414835DE4C9779AEF3DD5059350

Function 00007FF630485550 Relevance: 25.6, APIs: 2, Strings: 15, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF630486FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF63048700C

free.MSVCRT ref: 00007FF630485720
free.MSVCRT ref: 00007FF630485735

Strings

base_library.zip, xrefs: 00007FF630485634
Failed to convert progname to wchar_t, xrefs: 00007FF63048579C
PYTHONUTF8, xrefs: 00007FF63048555A
lib-dynload, xrefs: 00007FF630485622
%s%c%s%c%s%c%s%c%s, xrefs: 00007FF63048563B
Error detected starting Python VM., xrefs: 00007FF630485764
\, xrefs: 00007FF630485654
Failed to convert argv to wchar_t, xrefs: 00007FF63048578E
\, xrefs: 00007FF63048566E
Invalid value for PYTHONUTF8=%s; disabling utf-8 mode!, xrefs: 00007FF630485753
sys.path (based on %s) exceeds buffer[%d] space, xrefs: 00007FF630485780
Failed to convert pyhome to wchar_t, xrefs: 00007FF6304857B8
;, xrefs: 00007FF63048564C
;, xrefs: 00007FF630485661
Failed to convert pypath to wchar_t, xrefs: 00007FF6304857AA

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: free$EnvironmentVariable
String ID: %s%c%s%c%s%c%s%c%s$;$;$Error detected starting Python VM.$Failed to convert argv to wchar_t$Failed to convert progname to wchar_t$Failed to convert pyhome to wchar_t$Failed to convert pypath to wchar_t$Invalid value for PYTHONUTF8=%s; disabling utf-8 mode!$PYTHONUTF8$\$\$base_library.zip$lib-dynload$sys.path (based on %s) exceeds buffer[%d] space
API String ID: 471908985-2552457735
Opcode ID: c48456801aa9cd7d8cc58aca705c0cba2a25958533fc06219b0b3206e7b935ed
Instruction ID: dccd085917e81bce158b8c558bab486bfff363b5286273a0f5d42f8ef04cf109
Opcode Fuzzy Hash: c48456801aa9cd7d8cc58aca705c0cba2a25958533fc06219b0b3206e7b935ed
Instruction Fuzzy Hash: AE615025A1DA06E1FA109B11E95027D2360AF84B8CF964436DA0E877A7DF2DE74DE780

Function 00007FF6304831B0 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 202stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF630483140: strcpy.MSVCRT(?,?,_MEIPASS2,?,00007FF63048362C), ref: 00007FF630483183

strcmp.MSVCRT ref: 00007FF63048333C
strcmp.MSVCRT ref: 00007FF63048335F

Part of subcall function 00007FF630487840: fread.MSVCRT ref: 00007FF6304878B1
Part of subcall function 00007FF630487840: ferror.MSVCRT ref: 00007FF6304878C1
Part of subcall function 00007FF630487840: clearerr.MSVCRT(?,00000000,?,00007FF630483267,?,00000000,?,00000000,?,?,_MEIPASS2,?,00007FF63048362C), ref: 00007FF6304878CD
Part of subcall function 00007FF630487840: fclose.MSVCRT ref: 00007FF630487909
Part of subcall function 00007FF630487840: fclose.MSVCRT ref: 00007FF630487911

Strings

%s%s%s.pkg, xrefs: 00007FF6304832D8
_MEIPASS2, xrefs: 00007FF6304831B7
malloc, xrefs: 00007FF6304834E8
Archive not found: %s, xrefs: 00007FF6304834B7
%s%s%s%s%s, xrefs: 00007FF63048322C
%s%s%s.exe, xrefs: 00007FF6304833A6
%s%s%s, xrefs: 00007FF6304833C8
Error opening archive %s, xrefs: 00007FF6304834E1
Error extracting %s, xrefs: 00007FF630483501
Archive path exceeds PATH_MAX, xrefs: 00007FF6304834A0
Error copying %s, xrefs: 00007FF6304834D0
%s%s%s%s%s%s%s, xrefs: 00007FF6304832AA

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fclosestrcmp$clearerrferrorfreadstrcpy
String ID: %s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s$%s%s%s.exe$%s%s%s.pkg$Archive not found: %s$Archive path exceeds PATH_MAX$Error copying %s$Error extracting %s$Error opening archive %s$_MEIPASS2$malloc
API String ID: 2929065527-1083822304
Opcode ID: 1bf022133e02d134ef5717c222b468332fb72b96faf3dfb86209f937b62aaa32
Instruction ID: c1ad8e8997fa0ead23459ecf194483d616a251c4a0eb5cdcf4610572d2560328
Opcode Fuzzy Hash: 1bf022133e02d134ef5717c222b468332fb72b96faf3dfb86209f937b62aaa32
Instruction Fuzzy Hash: 20818121A08A42F1FA109B25E9401BA6254AF40BDDF464932EE4DC77D7EE3DE74DE384

Function 00007FF630484FB0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 138stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00007FF63048506F
mbstowcs.MSVCRT(00000000,00004078,00000000,?,?,?,_MEIPASS2,00007FF6304856C4), ref: 00007FF63048509F

Strings

_MEIPASS2, xrefs: 00007FF630484FB0
Failed to convert Wflag %s using mbstowcs (invalid multibyte string), xrefs: 00007FF6304851B9
pyi-, xrefs: 00007FF63048503C

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: mbstowcsstrncmp
String ID: Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$_MEIPASS2$pyi-
API String ID: 1807066385-1485234868
Opcode ID: 4cd6353d8287d9ebdc7f42e50edfcd29b2454bf44d82fac0beb1f5a7f2d26726
Instruction ID: 9cd2e516a3238b1551634829b6b960a047c8b0e8c13247b94a614d533993c33a
Opcode Fuzzy Hash: 4cd6353d8287d9ebdc7f42e50edfcd29b2454bf44d82fac0beb1f5a7f2d26726
Instruction Fuzzy Hash: 28517321A08606E1FB149B2AD8543792351BF85B9CF564435CD0E873E3DE7EE649B380

Function 00007FF630487110 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF630488210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF630482E40), ref: 00007FF630488246

ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF63048714B
free.MSVCRT ref: 00007FF630487156

Part of subcall function 00007FF630488650: wcslen.MSVCRT ref: 00007FF630488659

_wfullpath.MSVCRT ref: 00007FF63048717E
wcschr.MSVCRT(?,?,?,00000000,00007FF6304872AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF6304871AD
wcsncpy.MSVCRT ref: 00007FF6304871DB
CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF6304872AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF6304871E5
wcschr.MSVCRT(?,?,?,00000000,00007FF6304872AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF6304871F0
CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF6304872AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF63048746B), ref: 00007FF630487202
_wcsdup.MSVCRT ref: 00007FF63048721B

Strings

LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF630487230
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF630487250
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF630487260

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: CreateDirectorywcschr$ByteCharEnvironmentExpandMultiStringsWide_wcsdup_wfullpathfreewcslenwcsncpy
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 274989731-3498232454
Opcode ID: d414b3e691f8c4d26ce76b45fbcb3174c9ed9ce5588de55e0f29948b1c7c796a
Instruction ID: b2700e025174b3d4202440241284bc3ecfb3473ffec030ddca61ceb90fa5bfaf
Opcode Fuzzy Hash: d414b3e691f8c4d26ce76b45fbcb3174c9ed9ce5588de55e0f29948b1c7c796a
Instruction Fuzzy Hash: F631E911B09652E9F961AB656A243BA51819F48BD8F8B4834DD0DCB7C3ED2DE20D6390

Function 00007FF630481AF0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 103COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF630481B2E
fread.MSVCRT ref: 00007FF630481B7C
free.MSVCRT ref: 00007FF630481BA1
fclose.MSVCRT ref: 00007FF630481BB2

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF630481C5A
Failed to extract %s: failed to open archive file!, xrefs: 00007FF630481C15
fseek, xrefs: 00007FF630481C44
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF630481B8B
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF630481C3D
malloc, xrefs: 00007FF630481C61
fread, xrefs: 00007FF630481B92

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fclosefreadfreemalloc
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 3295367466-3659356012
Opcode ID: 2284e013fc614de97862ccc42346afe1d6402f182448251fbfc1c9cb20bac8ae
Instruction ID: 49591d4682b5dbef77626cae3850d76aeae4ad92f4684808b19b5cfe2d9009f3
Opcode Fuzzy Hash: 2284e013fc614de97862ccc42346afe1d6402f182448251fbfc1c9cb20bac8ae
Instruction Fuzzy Hash: FC31C022B0A653F5FA059B19D9146BA1254AF007DCF864833DD0D867A3EE2DE74DE380

Function 00007FF630485410 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF63048542B
_strdup.MSVCRT ref: 00007FF630485433
calloc.MSVCRT ref: 00007FF630485457
setlocale.MSVCRT ref: 00007FF630485479
free.MSVCRT ref: 00007FF6304854C0
free.MSVCRT ref: 00007FF6304854D7
free.MSVCRT ref: 00007FF6304854DF
setlocale.MSVCRT ref: 00007FF630485509
free.MSVCRT ref: 00007FF630485511

Strings

Fatal error: unable to decode the command line argument #%i, xrefs: 00007FF6304854E6
out of memory, xrefs: 00007FF630485528

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: free$setlocale$_strdupcalloc
String ID: Fatal error: unable to decode the command line argument #%i$out of memory
API String ID: 3058678114-3355598041
Opcode ID: b3a94ae4ac6b4f6312338ae72a3d926f4a238985db292fd2604171276d9b9414
Instruction ID: c95f647d1c7f088b625e3d534e3124bbd82288586e4ffa65b6e1f7d2cda9d3e3
Opcode Fuzzy Hash: b3a94ae4ac6b4f6312338ae72a3d926f4a238985db292fd2604171276d9b9414
Instruction Fuzzy Hash: AC21B611F0A502F2FA15EB199A1137D5641AF84B9CF878838DD0D8B387EE3DEA4DA340

Function 00007FF6304829E0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF630482A08
memset.MSVCRT ref: 00007FF630482A56
_wcsdup.MSVCRT ref: 00007FF630482A76
_wcsdup.MSVCRT ref: 00007FF630482A86
DialogBoxIndirectParamW.USER32 ref: 00007FF630482AA8
free.MSVCRT ref: 00007FF630482AB8
free.MSVCRT ref: 00007FF630482AC5
free.MSVCRT ref: 00007FF630482AD2
DeleteObject.GDI32 ref: 00007FF630482AE4
DestroyIcon.USER32 ref: 00007FF630482AF7

Strings

Unhandled exception in script, xrefs: 00007FF630482A18

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: free$_wcsdup$DeleteDestroyDialogHandleIconIndirectModuleObjectParammemset
String ID: Unhandled exception in script
API String ID: 2803985813-2699770090
Opcode ID: f526219bed773062a0d0eb333ccd5c88dea8aa0be73e6a7d34a87cd471690584
Instruction ID: eac21ca1280d90cb162995ff848e38bc67816d7678a06cb92d45035316c77cb7
Opcode Fuzzy Hash: f526219bed773062a0d0eb333ccd5c88dea8aa0be73e6a7d34a87cd471690584
Instruction Fuzzy Hash: 83219331B09A82E2EA259B65F9546EE6360FF85B98F810435EE4D83B46DE3CD2099700

Function 00007FF630485EE0 Relevance: 18.1, APIs: 9, Strings: 3, Instructions: 131stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF630485F09
memcpy.MSVCRT ref: 00007FF630485F4D
strlen.MSVCRT ref: 00007FF630485F67
strlen.MSVCRT ref: 00007FF630485F74
strlen.MSVCRT ref: 00007FF630485FA0
free.MSVCRT ref: 00007FF630485FF3
strncpy.MSVCRT ref: 00007FF63048604D
strncpy.MSVCRT ref: 00007FF63048607A
strncpy.MSVCRT ref: 00007FF6304860E9

Strings

_MEIPASS2, xrefs: 00007FF630485EE7
SPLASH: Cannot find requirement %s in archive., xrefs: 00007FF630485FDF
SPLASH: Cannot extract requirement %s., xrefs: 00007FF6304860B3

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: strlenstrncpy$callocfreememcpy
String ID: SPLASH: Cannot extract requirement %s.$SPLASH: Cannot find requirement %s in archive.$_MEIPASS2
API String ID: 4189425833-927121926
Opcode ID: e6d1f26a4508f2d6b54d28664a714fd9177c36a59f672facb49a808df95541a7
Instruction ID: 28c45574236b240e63014ed1aa82f215254113b6627e67b18c4a1fbb17c0caaf
Opcode Fuzzy Hash: e6d1f26a4508f2d6b54d28664a714fd9177c36a59f672facb49a808df95541a7
Instruction Fuzzy Hash: E441D451B08642F6EA14EA2295102FA5254BB85BDCF864535EF0D87787DE2DE34DE380

Function 00007FF630482350 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF630482371
SelectObject.GDI32 ref: 00007FF6304823C8
DrawTextW.USER32 ref: 00007FF6304823EB
SelectObject.GDI32 ref: 00007FF630482401
ReleaseDC.USER32 ref: 00007FF630482411
MoveWindow.USER32 ref: 00007FF63048245D
MoveWindow.USER32 ref: 00007FF63048249C
MoveWindow.USER32 ref: 00007FF6304824ED
MoveWindow.USER32 ref: 00007FF63048252A

Strings

P%, xrefs: 00007FF6304823D1

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: fea85488d9d1cac119e4a29d1ca9f633e5fae16107e641c76dad77d3c19cf46f
Instruction ID: 4f6dbde53c432008664b7bd5fecae1c723fbd3c4fb8e57f30726314f7ee1bc6a
Opcode Fuzzy Hash: fea85488d9d1cac119e4a29d1ca9f633e5fae16107e641c76dad77d3c19cf46f
Instruction Fuzzy Hash: BE4175762146A186D7608F36E408769B7A1F788F9DF084231EE8987B59DF3CD149DB20

Function 00007FF630485CC0 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 124stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 00007FF630485D08
strncpy.MSVCRT ref: 00007FF630485D1E

Part of subcall function 00007FF6304840E0: strlen.MSVCRT ref: 00007FF63048412F
Part of subcall function 00007FF6304840E0: strncat.MSVCRT ref: 00007FF630484149

calloc.MSVCRT ref: 00007FF630485D59
malloc.MSVCRT ref: 00007FF630485D79
malloc.MSVCRT ref: 00007FF630485D99
memcpy.MSVCRT ref: 00007FF630485DD7
memcpy.MSVCRT ref: 00007FF630485DEC
memcpy.MSVCRT ref: 00007FF630485E01
free.MSVCRT ref: 00007FF630485E23

Strings

_MEIPASS2, xrefs: 00007FF630485CC2
Cannot allocate memory for necessary files., xrefs: 00007FF630485E6F

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: memcpy$mallocstrncpy$callocfreestrlenstrncat
String ID: Cannot allocate memory for necessary files.$_MEIPASS2
API String ID: 257583877-1389504347
Opcode ID: 3bb8c8111f3117a67a20ab620bc2b59a0c8817dcbebb759f212a3c23a2c28dbc
Instruction ID: 8cf972b49dcc964c96eb2ae842d30399728ce728baaa03c3be2bbca9985e560f
Opcode Fuzzy Hash: 3bb8c8111f3117a67a20ab620bc2b59a0c8817dcbebb759f212a3c23a2c28dbc
Instruction Fuzzy Hash: 1641F372B05241E7EA289B26DA401BD6792FF447D8F464431CF0E83786EE3DE349A340

Function 00007FF630487840 Relevance: 15.1, APIs: 10, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6304843B0: _wfopen.MSVCRT ref: 00007FF6304843F5

Part of subcall function 00007FF6304876B0: strlen.MSVCRT ref: 00007FF630487723
Part of subcall function 00007FF6304876B0: strlen.MSVCRT ref: 00007FF630487753
Part of subcall function 00007FF6304876B0: strlen.MSVCRT ref: 00007FF630487769
Part of subcall function 00007FF6304876B0: strcpy.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF630481CB3), ref: 00007FF63048777A
Part of subcall function 00007FF6304876B0: strtok.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF630481CB3), ref: 00007FF630487784

fread.MSVCRT ref: 00007FF6304878B1
ferror.MSVCRT ref: 00007FF6304878C1
clearerr.MSVCRT(?,00000000,?,00007FF630483267,?,00000000,?,00000000,?,?,_MEIPASS2,?,00007FF63048362C), ref: 00007FF6304878CD
fwrite.MSVCRT ref: 00007FF6304878E3
ferror.MSVCRT ref: 00007FF6304878F0
clearerr.MSVCRT(?,00000000,?,00007FF630483267,?,00000000,?,00000000,?,?,_MEIPASS2,?,00007FF63048362C), ref: 00007FF6304878FC
fclose.MSVCRT ref: 00007FF630487909
fclose.MSVCRT ref: 00007FF630487911
fclose.MSVCRT ref: 00007FF630487934
fclose.MSVCRT ref: 00007FF630487941

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fclose$strlen$clearerrferror$_wfopenfreadfwritestrcpystrtok
String ID:
API String ID: 4076046571-0
Opcode ID: 66eaf6115f00770fdaf54dc94ed29b1f7162dcf97e56a77bd725569914621a69
Instruction ID: 8d7f59dbcdc428a3547ea4eac491c86b7b193ea646763abe4b22f2256d9827dd
Opcode Fuzzy Hash: 66eaf6115f00770fdaf54dc94ed29b1f7162dcf97e56a77bd725569914621a69
Instruction Fuzzy Hash: 8B210950F0D263A2F915762A5B213BA41850F56BECF0A1934ED1EDB7C7FD1EEA096380

Function 00007FF63049207B Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176stringCOMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF63049211E
fwprintf.MSVCRT ref: 00007FF630492153
memset.MSVCRT ref: 00007FF63049223A
strlen.MSVCRT ref: 00007FF630492252

Part of subcall function 00007FF63049814E: ___mb_cur_max_func.MSVCRT ref: 00007FF630498184
Part of subcall function 00007FF63049814E: ___lc_codepage_func.MSVCRT ref: 00007FF63049818B

fwprintf.MSVCRT ref: 00007FF63049217B

Part of subcall function 00007FF630491FF0: fputwc.MSVCRT ref: 00007FF630492040

Strings

%.*S, xrefs: 00007FF630492171
%*.*S, xrefs: 00007FF630492114
%-*.*S, xrefs: 00007FF630492149

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fwprintf$___lc_codepage_func___mb_cur_max_funcfputwcmemsetstrlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 1485978544-2115465065
Opcode ID: c93050da29d2b53cde75ff4ecec3a5117cbc28d906d175e1e5974c7ea21a5eeb
Instruction ID: 1f66023606225ccfe1f2246d713049120e4c76fc1a8225c8ba839725abeba332
Opcode Fuzzy Hash: c93050da29d2b53cde75ff4ecec3a5117cbc28d906d175e1e5974c7ea21a5eeb
Instruction Fuzzy Hash: 3D810976A04B49DAEB50CF2AC9816AC37E0F748B9CB028536EE4C83B59DF38D554DB40

Function 00007FF630488040 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF630488088
WideCharToMultiByte.KERNEL32 ref: 00007FF6304880DA
calloc.MSVCRT ref: 00007FF6304880F0

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF630488140
WideCharToMultiByte, xrefs: 00007FF630488127, 00007FF630488147
Out of memory., xrefs: 00007FF630488101
Failed to encode wchar_t as UTF-8., xrefs: 00007FF630488120
win32_utils_to_utf8, xrefs: 00007FF630488108

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1374691127-27947307
Opcode ID: ea88749d0a14f64099691da4aeb15603b84fc63f6c062682654e53545a88106d
Instruction ID: de5ce6fd3967e39031674791cf123541e962b918b4a473ffec48d5176c3ef512
Opcode Fuzzy Hash: ea88749d0a14f64099691da4aeb15603b84fc63f6c062682654e53545a88106d
Instruction Fuzzy Hash: 9421B321A08B02E5FA50DB65E9503766691EF4539CF4A8539DA4D8A7D3DF3DD20CA340

Function 00007FF630487F50 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF630487F92
calloc.MSVCRT ref: 00007FF630487FA2
WideCharToMultiByte.KERNEL32 ref: 00007FF630487FD7

Strings

WideCharToMultiByte, xrefs: 00007FF630487FF7, 00007FF630488017
Failed to get ANSI buffer size., xrefs: 00007FF630487FF0
Out of memory., xrefs: 00007FF630488027
win32_wcs_to_mbs, xrefs: 00007FF63048802E
Failed to encode filename as ANSI., xrefs: 00007FF630488010

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Out of memory.$WideCharToMultiByte$win32_wcs_to_mbs
API String ID: 1374691127-3831141058
Opcode ID: c974b491895e7bda57dd440c625f49c5a3727ada228be6d7fc02953d331cde25
Instruction ID: f14fdc8263323ce4c4e662622ddf9582b5b95978644fcd7aa4e500596fb5fc7c
Opcode Fuzzy Hash: c974b491895e7bda57dd440c625f49c5a3727ada228be6d7fc02953d331cde25
Instruction Fuzzy Hash: 7B21F321A1C703E5E7509B55E96037A6690EF4539CF468139EA4D873D7DF3DD20CA740

Function 00007FF630487B70 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF630487B8B
_strdup.MSVCRT ref: 00007FF630487BBC
_errno.MSVCRT ref: 00007FF630487BF0
strerror.MSVCRT ref: 00007FF630487BF8
_errno.MSVCRT ref: 00007FF630487C15
strerror.MSVCRT ref: 00007FF630487C1D

Strings

LOADER: failed to strdup argv[%d]: %s, xrefs: 00007FF630487BFF
LOADER: failed to allocate argv_pyi: %s, xrefs: 00007FF630487C22

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: _errnostrerror$_strdupcalloc
String ID: LOADER: failed to allocate argv_pyi: %s$LOADER: failed to strdup argv[%d]: %s
API String ID: 4278403329-2782260415
Opcode ID: 945d6d8d56f37cfe0361321e39814a85846aa9c2cc1a836560a03a797768b115
Instruction ID: fe606b3fcee1ed0cc94dda8a9a965ebf98432e19e472ccc1163b8e75bdcc358d
Opcode Fuzzy Hash: 945d6d8d56f37cfe0361321e39814a85846aa9c2cc1a836560a03a797768b115
Instruction Fuzzy Hash: 1F11BE22A1A602FAE6119B15EA502BA2291EF4475DF964538CD0DC7393EE3DF64CE340

Function 00007FF630488210 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF630482E40), ref: 00007FF630488246
MultiByteToWideChar.KERNEL32 ref: 00007FF630488288
calloc.MSVCRT ref: 00007FF63048829E

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF6304882E8
Failed to decode wchar_t from UTF-8, xrefs: 00007FF6304882C8
Out of memory., xrefs: 00007FF6304882AB
MultiByteToWideChar, xrefs: 00007FF6304882CF, 00007FF6304882EF
%s%s: %s, xrefs: 00007FF630488210
win32_utils_from_utf8, xrefs: 00007FF6304882B2

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: %s%s: %s$Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1374691127-2292745976
Opcode ID: e25d75c4397cd3946ce71200e75b93b7a887f4a347cf1552ce9ec0bda547e504
Instruction ID: 3f74e5e990c2ab6c3519815eb748a4310a70bcfb50bdbcb770597b2b06200076
Opcode Fuzzy Hash: e25d75c4397cd3946ce71200e75b93b7a887f4a347cf1552ce9ec0bda547e504
Instruction Fuzzy Hash: 9B110A20B09A03E5FA60EB65A91037552919F493ACF8A8639CD0CC77D3EE3CE30CA340

Function 00007FF6304857D0 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6304857EB
free.MSVCRT ref: 00007FF6304858BC

Strings

_MEIPASS2, xrefs: 00007FF6304857D0
_MEIPASS, xrefs: 00007FF630485820
Module object for %s is NULL!, xrefs: 00007FF6304858CB
strict, xrefs: 00007FF6304857F0
Failed to get _MEIPASS as PyObject., xrefs: 00007FF6304858F1
utf-8, xrefs: 00007FF6304857F7

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: freestrlen
String ID: Failed to get _MEIPASS as PyObject.$Module object for %s is NULL!$_MEIPASS$_MEIPASS2$strict$utf-8
API String ID: 322734593-568040347
Opcode ID: 6d413cf45324b08ffd4bc974ac5a2fa952e0ec21fb8adde832674f877a8c338b
Instruction ID: 1f8595e35395807204613a5f7d85bd9b678119d7dcf7f0e8186e3a3d001655a0
Opcode Fuzzy Hash: 6d413cf45324b08ffd4bc974ac5a2fa952e0ec21fb8adde832674f877a8c338b
Instruction Fuzzy Hash: 3F315211A09A46F1EE15AB16D9440792360BF48BD8F5A4832DD0EC73A3DE3DE64DE380

Function 00007FF630486520 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 157COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6304866A9

Strings

tcl_findLibrary, xrefs: 00007FF63048659D
tclInit, xrefs: 00007FF63048657B
_image_data, xrefs: 00007FF630486687
rename ::source ::_source, xrefs: 00007FF6304865F0
source, xrefs: 00007FF630486619
exit, xrefs: 00007FF6304865D2

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: free
String ID: _image_data$exit$rename ::source ::_source$source$tclInit$tcl_findLibrary
API String ID: 1294909896-1126984729
Opcode ID: f715ec876722e12cdb0f662df770872b06380997f3a1ed7aba2766a90e7ae60b
Instruction ID: 3bbceae65fdab94529c81d0e2ca748b81a675aa0abb88c7355d3526f7d0837b1
Opcode Fuzzy Hash: f715ec876722e12cdb0f662df770872b06380997f3a1ed7aba2766a90e7ae60b
Instruction Fuzzy Hash: 8371D62A608A46E5EB109F26E85436923A0FB48F89F464536DE4E87365DF7CE608D780

Function 00007FF630485910 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF630485925

Strings

%U?%llu, xrefs: 00007FF63048594A
strict, xrefs: 00007FF63048592A
Failed to append to sys.path, xrefs: 00007FF6304859A0
path, xrefs: 00007FF630485976
utf-8, xrefs: 00007FF630485934
Installing PYZ: Could not get sys.path, xrefs: 00007FF6304859BC

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: strlen
String ID: %U?%llu$Failed to append to sys.path$Installing PYZ: Could not get sys.path$path$strict$utf-8
API String ID: 39653677-2762566162
Opcode ID: d933acb19d688c888bbabfb13c8229aa91e53fac741f948bdaf742cd5b545c31
Instruction ID: a8c351ae55150d4ee66ebe2ddd9f08104f284807cf74316d9008aa1f0a60bbbd
Opcode Fuzzy Hash: d933acb19d688c888bbabfb13c8229aa91e53fac741f948bdaf742cd5b545c31
Instruction Fuzzy Hash: B0113366A09A16E1EA009B19E9100B86360BF48FDCB564535DD1DC3766EE3CE74EE740

Function 00007FF630492378 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF63049241B
fwprintf.MSVCRT ref: 00007FF630492450

Part of subcall function 00007FF630491FF0: fputwc.MSVCRT ref: 00007FF630492040

Strings

%-*.*s, xrefs: 00007FF630492446
%*.*s, xrefs: 00007FF630492411
%.*s, xrefs: 00007FF63049246E

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fwprintf$fputwc
String ID: %*.*s$%-*.*s$%.*s
API String ID: 2988249585-4054516066
Opcode ID: b02ba0fa6d73b1136932df1615eabb89f2fc48cd2a4aa50ad3fcf4feca9b3b31
Instruction ID: 0051e822c39be34e8b9fb62c7fc97ab9b92e4b308967298c59e741a16a3dabee
Opcode Fuzzy Hash: b02ba0fa6d73b1136932df1615eabb89f2fc48cd2a4aa50ad3fcf4feca9b3b31
Instruction Fuzzy Hash: FE71DA76A04B8ADBDB60CF2AC5815AC77E0F748B9CB028536EE4C87759DF38D5149B40

Function 00007FF630486F10 Relevance: 8.8, APIs: 7, Instructions: 67stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF630486F30
strlen.MSVCRT ref: 00007FF630486F47
strlen.MSVCRT ref: 00007FF630486F5C
malloc.MSVCRT ref: 00007FF630486F6A

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: strlen$malloc
String ID:
API String ID: 3157260142-0
Opcode ID: b55e16029522fecb1b93b6b8568f11f36e77bc886cc5cb275ce0ddd000ea1ea0
Instruction ID: e0df70ef06d04fa0b678fdb980d88076d5454b9b80ce5c8442d3cb45b886c68b
Opcode Fuzzy Hash: b55e16029522fecb1b93b6b8568f11f36e77bc886cc5cb275ce0ddd000ea1ea0
Instruction Fuzzy Hash: 9E11A701B0A156F9FC9A6A57261067A45811F45BDCD4F4834EF0D8A783FD2DE64E6380

Function 00007FF630482920 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF630482949
EndDialog.USER32 ref: 00007FF630482978
GetWindowLongPtrW.USER32 ref: 00007FF630482985
InvalidateRect.USER32 ref: 00007FF6304829A5
SetWindowLongPtrW.USER32 ref: 00007FF6304829C4

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: DialogLongWindow$InvalidateRect
String ID:
API String ID: 1200242243-0
Opcode ID: 89cb7d82cb1b40587ec4d78b90bde32f8ec055dd5bdbf5a296f83f89b3663874
Instruction ID: 2216c47cbae5bb6a333d3432d5dbe9a5c1d66e76136dfd4ccc9e95cfd81f6c52
Opcode Fuzzy Hash: 89cb7d82cb1b40587ec4d78b90bde32f8ec055dd5bdbf5a296f83f89b3663874
Instruction Fuzzy Hash: F50126A0F1C527E2F6542326AA802BC5181EF9C718F5A4830C94ED1BD7CC2E6AC93340

Function 00007FF63048D850 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF63048D878

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: a2009b416c13826995d1c9318a92a1b9d2e4341e694bba52663129bfcb9c8ac9
Instruction ID: df5e8eaa45d3a428ce44f334c3c12ea94ce82f7fb29e904b449354889ec8e8d9
Opcode Fuzzy Hash: a2009b416c13826995d1c9318a92a1b9d2e4341e694bba52663129bfcb9c8ac9
Instruction Fuzzy Hash: 90414573A0A606EAF7288B68C44437C2361AB4575CF224E35CA2DC77D6DE3DD749A380

Function 00007FF630482C10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF630488210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF630482E40), ref: 00007FF630488246

MessageBoxW.USER32 ref: 00007FF630482C93
MessageBoxA.USER32 ref: 00007FF630482CBB

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF630482C16
WideCharToMultiByte, xrefs: 00007FF630482C18

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Failed to get UTF-8 buffer size.$WideCharToMultiByte
API String ID: 1878133881-785100509
Opcode ID: f8b2052244f997f8cf142d2b4763022da063b563fc09b0a30e2edc3fc9052039
Instruction ID: 4f65eb9b894e495981b1a11cfe652a1867948c46c85660260a9c7d2bc8b0f11e
Opcode Fuzzy Hash: f8b2052244f997f8cf142d2b4763022da063b563fc09b0a30e2edc3fc9052039
Instruction Fuzzy Hash: A401283275878091FB301B62F8047EAA280B749FD8F888434CE8D67BC6CD3DD6898B40

Function 00007FF6304842F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF630484312

Part of subcall function 00007FF630488040: WideCharToMultiByte.KERNEL32 ref: 00007FF630488088

Strings

Failed to get executable path., xrefs: 00007FF630484348
Failed to convert executable path to UTF-8., xrefs: 00007FF630484360
GetModuleFileNameW, xrefs: 00007FF63048434F

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: ByteCharFileModuleMultiNameWide
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 1532159127-1977442011
Opcode ID: f4bf1276b97d64210b6653597ec094bb76e5d053494305fba7f19c3c38b4cda7
Instruction ID: 4dae0c42686357db5263df68e28d967a8e73988d1c2dc9ac00c9782576742d8b
Opcode Fuzzy Hash: f4bf1276b97d64210b6653597ec094bb76e5d053494305fba7f19c3c38b4cda7
Instruction Fuzzy Hash: 40F0A961B2C203E1FA91B625BD053B90290AF947CCF424831EC0EC6787ED0EE74EA380

Function 00007FF630482B10 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF630482B78
free.MSVCRT ref: 00007FF630482B80
free.MSVCRT ref: 00007FF630482B88

Part of subcall function 00007FF630488210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF630482E40), ref: 00007FF630488246

Strings

Failed to obtain/convert traceback!, xrefs: 00007FF630482BA2

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: free$ByteCharMultiWide
String ID: Failed to obtain/convert traceback!
API String ID: 3219091393-982972847
Opcode ID: 8df6a8358dac60a212556b377cd368c0f9cc8a804325971415c7063dd2af1f98
Instruction ID: 18edeec16d4486cf43b6812ea54bfde892756a2c730ea96bef4039c06cd5d6a7
Opcode Fuzzy Hash: 8df6a8358dac60a212556b377cd368c0f9cc8a804325971415c7063dd2af1f98
Instruction Fuzzy Hash: AE01D811B1B652B6FD192DA60A225BA41410F45BE8D4E4C34DD0ECBB83EC2DF6492380

Function 00007FF63048CDD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF63048CECE

Strings

Unknown error, xrefs: 00007FF63048CE6A
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF63048CEC4

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 4b8c868c6939ec88d1abe8f8504a39c26f50d9ef9e938201b9fa1182f5e26e6d
Instruction ID: 2bca55abcbb2c508d64128ad2735bf190dfaadcba304fe1e5bfc286f4a8a0568
Opcode Fuzzy Hash: 4b8c868c6939ec88d1abe8f8504a39c26f50d9ef9e938201b9fa1182f5e26e6d
Instruction Fuzzy Hash: 57215E26A04F88DAD7118F68D8413EA7371FF59798F458622EE8C57725EF38D259C300

Function 00007FF630482E50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF630482E97

Part of subcall function 00007FF630482C10: MessageBoxW.USER32 ref: 00007FF630482C93

Strings

%s%s: %s, xrefs: 00007FF630482EB4
Fatal error detected, xrefs: 00007FF630482ECB

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: Message_errno
String ID: %s%s: %s$Fatal error detected
API String ID: 1796756983-2410924014
Opcode ID: 80f6f717bb9969ece7152c8fde9cb11b8c043fce6b7f1340054d38df66cc8f43
Instruction ID: 38d4c558e74f4fb5c177ffed782ed874ebf219b3ae62e9c81fa7f066f4e9103e
Opcode Fuzzy Hash: 80f6f717bb9969ece7152c8fde9cb11b8c043fce6b7f1340054d38df66cc8f43
Instruction Fuzzy Hash: 2A01A22271C780E1E2209B11F9007EA6364FB84BC8F914131EF8C53B5A8E3CD21ACB40

Function 00007FF63048CE29 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF63048CECE

Strings

Argument singularity (SIGN), xrefs: 00007FF63048CE29
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF63048CEC4

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 50bb6e3b89c3acdd8da2640c7def1cf69755cc37c592828175fc8adef2d15e3e
Instruction ID: 529ad43566436d0bc988fbb3d086103e863d5076cb30d08334caaa22e3e311be
Opcode Fuzzy Hash: 50bb6e3b89c3acdd8da2640c7def1cf69755cc37c592828175fc8adef2d15e3e
Instruction Fuzzy Hash: A8014826A04F88DAD7118F69D8402AA7764FB5D79CF058726EF8D27766DF28D288D300

Function 00007FF63048CE1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF63048CECE

Strings

Argument domain error (DOMAIN), xrefs: 00007FF63048CE1C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF63048CEC4

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 3ea1ec97f37694b9006fc54621547460099b2c1b8ca40b1c9d9b39adf94a092d
Instruction ID: 2593cfedcc48e846d4be01551625c1e9d3b392c3986fa088fe7818f54b837a45
Opcode Fuzzy Hash: 3ea1ec97f37694b9006fc54621547460099b2c1b8ca40b1c9d9b39adf94a092d
Instruction Fuzzy Hash: FF014826A04F88DAD7118F69D8402AA7764FB9D798F058726EE8D27765DF28D248D300

Function 00007FF63048CE50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF63048CECE

Strings

Total loss of significance (TLOSS), xrefs: 00007FF63048CE50
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF63048CEC4

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 48690192945bf7f32f1c5466faad3cff15a9c142b134f494af273dc6dbb7eaa3
Instruction ID: 5ef0d97c35ca2a4f409da67898ef49a2b596a1f7fc7191dc4d7a354d08616214
Opcode Fuzzy Hash: 48690192945bf7f32f1c5466faad3cff15a9c142b134f494af273dc6dbb7eaa3
Instruction Fuzzy Hash: 64014826A04F88DAD7118F69D8402AA7764FB5D798F058726EE8D27765DF28C289D300

Function 00007FF63048CE43 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF63048CECE

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF63048CE43
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF63048CEC4

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 671409083fba1ed317bee3cf4e306283cdb16a53cc92c70d1fd336fd5438df01
Instruction ID: 34fd6f6fe23ffe6b7741b3197df752f1fa4db856d6b88509aa9b272201f16bde
Opcode Fuzzy Hash: 671409083fba1ed317bee3cf4e306283cdb16a53cc92c70d1fd336fd5438df01
Instruction Fuzzy Hash: D5014826A04F88DAD7118F69D8402AA7764FB5D798F058726EE8D27765DF28D248D300

Function 00007FF63048CE36 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF63048CECE

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF63048CE36
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF63048CEC4

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 74916eb7a76916125411d7b1f6d0d259c89befd042e1e24e2dfbcfe61768ada9
Instruction ID: fdf6aa2f484f39190f8e87966b6ad2f63665fe70a0c4acaaf1bbf04c927433b7
Opcode Fuzzy Hash: 74916eb7a76916125411d7b1f6d0d259c89befd042e1e24e2dfbcfe61768ada9
Instruction Fuzzy Hash: DF014826A04F88DAD7118F69D8402AA7774FB5D798F058726EE8D27765DF28D248D300

Function 00007FF63048CE5D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF63048CECE

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF63048CE5D
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF63048CEC4

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 828440ead5f24b7a3bcef289b9b0c651ba51a82a4e2612c4078c08dbf4f376dd
Instruction ID: e3f18fc64cbee9574fd53eff567b608c2774bd2c906ae1e46420be0e99ffcb59
Opcode Fuzzy Hash: 828440ead5f24b7a3bcef289b9b0c651ba51a82a4e2612c4078c08dbf4f376dd
Instruction Fuzzy Hash: 13014826A04F88DAD7118F69D8402AA7764FB5D79CF058726EE8D27765DF28C249D300

Function 00007FF6304861B0 Relevance: 5.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF6304861CD
free.MSVCRT ref: 00007FF6304861DE
free.MSVCRT ref: 00007FF6304861EF
free.MSVCRT ref: 00007FF6304861F7

Memory Dump Source

Source File: 00000000.00000002.2139028036.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000000.00000002.2138979161.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139087750.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139132437.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139177198.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139200341.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139231478.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2139252669.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff630480000_zapret.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: af07cd424250413d133a4ab32c21d85a647da0b60d227f0190338946df3b41f5
Instruction ID: e791d99cebd1d8bfa79bef6e1fcfa6f2e1feb402e6ab5baca58bf02a93dc46c3
Opcode Fuzzy Hash: af07cd424250413d133a4ab32c21d85a647da0b60d227f0190338946df3b41f5
Instruction Fuzzy Hash: 64F0A011F1B516E2FD99AE66A8117BC16106F41B58F474938CF0EA7783CE3DE64A6300

Analysis Process: zapret.exePID: 6844, Parent PID: 5004COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.9%
Total number of Nodes:	1123
Total number of Limit Nodes:	90

Executed Functions

Function 66F86560 Relevance: 118.2, APIs: 51, Strings: 16, Instructions: 911librarystringloaderCOMMON

Download Yara Rule

APIs

PySys_GetObject.PYTHON38 ref: 66F86581
PyTuple_GetItem.PYTHON38 ref: 66F8659B
PyLong_AsLong.PYTHON38 ref: 66F865B0
PyTuple_GetItem.PYTHON38 ref: 66F865C0
PyLong_AsLong.PYTHON38 ref: 66F865CE
PySys_GetObject.PYTHON38 ref: 66F865DD
PyLong_AsVoidPtr.PYTHON38 ref: 66F865E9
GetProcAddress.KERNEL32 ref: 66F8660E
GetProcAddress.KERNEL32 ref: 66F8662C
GetProcAddress.KERNEL32 ref: 66F8664A
PyModule_Create2.PYTHON38 ref: 66F86674
PyModule_GetName.PYTHON38 ref: 66F86689
strrchr.MSVCRT ref: 66F866AE
malloc.MSVCRT ref: 66F866C4
memcpy.MSVCRT ref: 66F866DE
PyBytes_FromStringAndSize.PYTHON38 ref: 66F86731
PyBytes_AsString.PYTHON38 ref: 66F8674B
malloc.MSVCRT ref: 66F8675F
PyCFunction_NewEx.PYTHON38 ref: 66F867AA
PyCFunction_NewEx.PYTHON38 ref: 66F867ED
PyCFunction_NewEx.PYTHON38 ref: 66F86830
PyBytes_FromStringAndSize.PYTHON38 ref: 66F8685A
PyBytes_AsString.PYTHON38 ref: 66F86870
_time64.MSVCRT ref: 66F8694D
srand.MSVCRT ref: 66F86955
strstr.MSVCRT ref: 66F86AFC
strncmp.MSVCRT ref: 66F86B38
PyErr_Format.PYTHON38 ref: 66F86BAB
_Py_Dealloc.PYTHON38 ref: 66F86BDA
_Py_Dealloc.PYTHON38 ref: 66F86BE9
malloc.MSVCRT ref: 66F86C0A
free.MSVCRT ref: 66F86C74
malloc.MSVCRT ref: 66F86C80
memcpy.MSVCRT ref: 66F86CA3
free.MSVCRT ref: 66F86CD2
malloc.MSVCRT ref: 66F86CDE
memcpy.MSVCRT ref: 66F86D01
PyErr_Format.PYTHON38 ref: 66F87348

Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9D973
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9D990
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9D9B2
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9D9D2
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9D9F2
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9DA12
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9DA32
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9DA52

Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D6E3
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D703
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D725
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D745
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D765
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D785
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D7A5
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D7C5

Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D10B
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D135
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D154
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D173
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D192
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D1AD
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D1C8
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D1E3

Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D3AB
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D3CF
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D3EB
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D40A
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D429
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D444
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D45F
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D47A

Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D25B
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D285
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D2A4
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D2C3
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D2E2
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D2FD
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D318
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D333

PyBytes_AsStringAndSize.PYTHON38 ref: 66F86E78

Strings

dllhandle, xrefs: 66F865D0
.pyarmor.ikey, xrefs: 66F86E50
000000, xrefs: 66F86B2B
C_LEAVE_CO_OBJECT_INDEX, xrefs: 66F86808
aes, xrefs: 66F869B8
,*, xrefs: 66F87333
version_info, xrefs: 66F86573
sha256, xrefs: 66F869EC
PyCell_New, xrefs: 66F86613
C_ASSERT_ARMORED_INDEX, xrefs: 66F86774
pyarmor_runtime_, xrefs: 66F86AF0, 66F86B0C
%s (%d:%d), xrefs: 66F86BA4, 66F86DC5, 66F86E34, 66F86FA5, 66F872DD, 66F87341
PyCell_Set, xrefs: 66F86631
sprng, xrefs: 66F869D2
PyCell_Get, xrefs: 66F86607
C_ENTER_CO_OBJECT_INDEX, xrefs: 66F867C5

Memory Dump Source

Source File: 00000002.00000002.2123971355.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000002.00000002.2123954260.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124016633.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124033600.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124048394.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124068028.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124083589.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124098619.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124114974.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66f80000_zapret.jbxd

Similarity

API ID: strcmp$memcmp$Bytes_Stringmalloc$AddressFunction_Long_ProcSizememcpy$DeallocErr_FormatFromItemLongModule_ObjectSys_Tuple_free$Create2NameVoid_time64srandstrncmpstrrchrstrstr
String ID: %s (%d:%d)$,*$.pyarmor.ikey$000000$C_ASSERT_ARMORED_INDEX$C_ENTER_CO_OBJECT_INDEX$C_LEAVE_CO_OBJECT_INDEX$PyCell_Get$PyCell_New$PyCell_Set$aes$dllhandle$pyarmor_runtime_$sha256$sprng$version_info
API String ID: 1610873308-3717260241
Opcode ID: 8ace705db764757fec76ecfa4cca4fd90099bd285529a006ed0375af6e3566cd
Instruction ID: ba0671170f199a6fcd344bc9cd6982eca266d08f77bade4080d707d4ab4488c4
Opcode Fuzzy Hash: 8ace705db764757fec76ecfa4cca4fd90099bd285529a006ed0375af6e3566cd
Instruction Fuzzy Hash: 9E820F72719B84C2EB01CB26E84435D3BB2FB49B88F8580AAEE5D0B794DF39E555C350

Function 00007FF8A871FDB0 Relevance: 46.3, APIs: 18, Strings: 8, Instructions: 787COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87201E8
EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 00007FF8A87201F0
EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 00007FF8A87203C9
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A87203D1
CRYPTO_memcmp.LIBCRYPTO-1_1 ref: 00007FF8A872044A

Strings

, xrefs: 00007FF8A8720350
CONNE, xrefs: 00007FF8A8720AA8
GET , xrefs: 00007FF8A8720A34
..\s\ssl\record\ssl3_record.c, xrefs: 00007FF8A872026D, 00007FF8A8720AC8, 00007FF8A8720B70
@, xrefs: 00007FF8A87205AA
HEAD , xrefs: 00007FF8A8720A75
PUT , xrefs: 00007FF8A8720A94
POST , xrefs: 00007FF8A8720A57

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_sizeO_memcmpR_flagsX_cipherX_md
String ID: $..\s\ssl\record\ssl3_record.c$@$CONNE$GET $HEAD $POST $PUT
API String ID: 2456506815-352295518
Opcode ID: 84683dc052a228b3af1e7c9e7017a012159acb7c1af7fe9e1f8007fe0f155df1
Instruction ID: 447b90e00e3df95c7ff1e21f48986c4d9ea06b565962e604c040914eb3aae2f5
Opcode Fuzzy Hash: 84683dc052a228b3af1e7c9e7017a012159acb7c1af7fe9e1f8007fe0f155df1
Instruction Fuzzy Hash: 4172AE32E4A68296FB208E11D4447BA67E0FB44BD8F184135DA8D4BB94EF7DD581CB38

Function 00007FF8A8711BEF Relevance: 40.5, APIs: 18, Strings: 5, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873497D
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87349CF
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87349F4

Strings

ssl3-sha1, xrefs: 00007FF8A8734BBF
ALL:!COMPLEMENTOFDEFAULT:!eNULL, xrefs: 00007FF8A8734B57
ssl3-md5, xrefs: 00007FF8A8734B97
..\s\ssl\ssl_lib.c, xrefs: 00007FF8A8734973, 00007FF8A87349BF, 00007FF8A87349DF, 00007FF8A8734A1E, 00007FF8A8734A7E, 00007FF8A8734AA4, 00007FF8A8734C33
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256, xrefs: 00007FF8A8734B25

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\ssl_lib.c$ALL:!COMPLEMENTOFDEFAULT:!eNULL$TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256$ssl3-md5$ssl3-sha1
API String ID: 1767461275-1115027282
Opcode ID: 5b24c21af44ccb3aa0e60b64ae7794df50e2a31ff5bc3ffaaef7f139b0997e92
Instruction ID: ae9255507c3b091ab037e4e4ceb99b318b8086c016afd469dd505d21d7e35749
Opcode Fuzzy Hash: 5b24c21af44ccb3aa0e60b64ae7794df50e2a31ff5bc3ffaaef7f139b0997e92
Instruction Fuzzy Hash: EFA16A32A8BB52A1FB55DB21E4543B832A0FF95B88F444035DA8C4A796EF3CE554C339

Function 00007FF8A87344C0 Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

X509_VERIFY_PARAM_free.LIBCRYPTO-1_1 ref: 00007FF8A87344F7
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8734510
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8734534
CRYPTO_free_ex_data.LIBCRYPTO-1_1 ref: 00007FF8A873456B
OPENSSL_LH_free.LIBCRYPTO-1_1 ref: 00007FF8A8734574
X509_STORE_free.LIBCRYPTO-1_1 ref: 00007FF8A873457D
CTLOG_STORE_free.LIBCRYPTO-1_1 ref: 00007FF8A8734589
OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 00007FF8A8734592
OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 00007FF8A873459B
OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 00007FF8A87345A4
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A87345C3
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A87345D6
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A87345E9
OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 00007FF8A8734600
ENGINE_finish.LIBCRYPTO-1_1 ref: 00007FF8A8734614
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A873462D
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8734646
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A873465F
CRYPTO_secure_free.LIBCRYPTO-1_1 ref: 00007FF8A8734678
CRYPTO_THREAD_lock_free.LIBCRYPTO-1_1 ref: 00007FF8A8734684
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8734699

Part of subcall function 00007FF8A8711B40: CRYPTO_THREAD_write_lock.LIBCRYPTO-1_1 ref: 00007FF8A87428F5
Part of subcall function 00007FF8A8711B40: OPENSSL_LH_set_down_load.LIBCRYPTO-1_1 ref: 00007FF8A874292C
Part of subcall function 00007FF8A8711B40: CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 00007FF8A8742938

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A8734503, 00007FF8A873451C, 00007FF8A8734620, 00007FF8A8734639, 00007FF8A8734652, 00007FF8A873466B, 00007FF8A873468F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$L_sk_free$L_sk_pop_free$E_freeX509_$D_lock_freeD_unlockD_write_lockE_finishH_freeH_set_down_loadM_freeO_free_ex_dataO_secure_free
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1978915437-1080266419
Opcode ID: 3074cc76507357f614cec7ce68b8fd44f851b7d8821df7436865e7dd758a2e13
Instruction ID: deea18acf43151975cff6a0cf9a72075d49d02c3cd8228e27a673dffd61ede4e
Opcode Fuzzy Hash: 3074cc76507357f614cec7ce68b8fd44f851b7d8821df7436865e7dd758a2e13
Instruction Fuzzy Hash: 9841EE65A8BA42A0EB51AF25D8917F82320EF85FC8F044131EE1D4B2AACF6DD545C375

Function 66F87560 Relevance: 28.5, APIs: 15, Strings: 1, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 66F875D0
PyErr_Format.PYTHON38 ref: 66F87945
PyErr_Format.PYTHON38 ref: 66F879AD
PyErr_Format.PYTHON38 ref: 66F87A7D

Strings

%s (%d:%d), xrefs: 66F87866, 66F8793B, 66F879A3, 66F87A73, 66F87AE3, 66F87B63, 66F87BEF, 66F87CC0

Memory Dump Source

Source File: 00000002.00000002.2123971355.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000002.00000002.2123954260.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124016633.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124033600.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124048394.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124068028.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124083589.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124098619.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124114974.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66f80000_zapret.jbxd

Similarity

API ID: Err_Format$malloc
String ID: %s (%d:%d)
API String ID: 1817594650-1595188566
Opcode ID: 4ac074a4df80c3886279f237d81a6164cce285b2daffb49a8b902e7caa7da149
Instruction ID: 96287a0bb9e6e5ee956589da3d6ccc4c4a0de0d61f7620510b31cfad1f860c96
Opcode Fuzzy Hash: 4ac074a4df80c3886279f237d81a6164cce285b2daffb49a8b902e7caa7da149
Instruction Fuzzy Hash: 0E0299B2B19B4082FF15CB2AD48472D3772EB56B88F94459ACE2D0B7A1DF39E150C760

Function 00007FF8A87116B3 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 00007FF8A875DB58
d2i_X509.LIBCRYPTO-1_1 ref: 00007FF8A875DC7B
X509_free.LIBCRYPTO-1_1 ref: 00007FF8A875E0A2
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A875E0B1

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875DC18, 00007FF8A875E07D

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_new_nullL_sk_pop_freeX509X509_freed2i_
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 1068509327-1507966698
Opcode ID: ea8542e2d0c08ec1af4a690b0d1237013d2363aebc7463c8f440753958b20a8b
Instruction ID: 50ba9883a56d6bc2852487969a561afad3312b70f66e97cfafbd2b2984d0370e
Opcode Fuzzy Hash: ea8542e2d0c08ec1af4a690b0d1237013d2363aebc7463c8f440753958b20a8b
Instruction Fuzzy Hash: 18E1FE32B4A681A6E724DF16D4407AE3BA0EB84BC8F545035DE9C4BB95CF3DE541CB28

Function 00007FF630481154 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_amsg_exit.MSVCRT ref: 00007FF6304811F6
_initterm.MSVCRT ref: 00007FF63048122B
_initterm.MSVCRT ref: 00007FF63048125E
exit.MSVCRT ref: 00007FF630481358
_cexit.MSVCRT ref: 00007FF630481367

Strings

0, xrefs: 00007FF630481164

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: _initterm$_amsg_exit_cexitexit
String ID: 0
API String ID: 602970348-4108050209
Opcode ID: 6d6abd2140eb0b7f68bb3c504690dcf92132bdf22886463ef4a851639e3c59bc
Instruction ID: 1914f85ee9010db3cd5458c0f2d038a4a194d1c375d2177fc8faa05ebed1721c
Opcode Fuzzy Hash: 6d6abd2140eb0b7f68bb3c504690dcf92132bdf22886463ef4a851639e3c59bc
Instruction Fuzzy Hash: 5761D675F09B06E9FB00DB59E84036933A4BB48B88F524436DE0D977A6DF3DE648A740

Function 00007FF8A8732FD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873301A
CRYPTO_THREAD_run_once.LIBCRYPTO-1_1 ref: 00007FF8A8733059
CRYPTO_THREAD_run_once.LIBCRYPTO-1_1 ref: 00007FF8A8733084
CRYPTO_THREAD_run_once.LIBCRYPTO-1_1 ref: 00007FF8A87330AD

Strings

..\s\ssl\ssl_init.c, xrefs: 00007FF8A8732FF5

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_run_once$R_put_error
String ID: ..\s\ssl\ssl_init.c
API String ID: 511881677-1166085723
Opcode ID: fe05e79c5c57bd95c8ace985101a7b17bc9b30eee2c6856c821f6cf3fc72d99c
Instruction ID: 745899fc8ff9f83cd7b5d59a851b0f79a2a3d908eb3dff3440dc3f06c7a950bc
Opcode Fuzzy Hash: fe05e79c5c57bd95c8ace985101a7b17bc9b30eee2c6856c821f6cf3fc72d99c
Instruction Fuzzy Hash: 19213D25E8B603A6FB60DB25E8403B5A2A2EF843C4F445134D91D432A6EF2DE945D72D

Function 66F85850 Relevance: 63.3, APIs: 30, Strings: 6, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyEval_GetFrame.PYTHON38 ref: 66F854C2
PyUnicode_FromFormat.PYTHON38 ref: 66F854DF
Py_DecRef.PYTHON38 ref: 66F854F3
PyUnicode_AsUTF8.PYTHON38 ref: 66F85904
PyImport_GetModuleDict.PYTHON38 ref: 66F85938
PyDict_GetItem.PYTHON38 ref: 66F85946
PyModule_GetDict.PYTHON38 ref: 66F85957
PyDict_GetItemString.PYTHON38 ref: 66F8596A
PyImport_ExecCodeModuleObject.PYTHON38 ref: 66F8598D
PyErr_Occurred.PYTHON38 ref: 66F85996

Part of subcall function 66F8F750: VirtualAlloc.KERNEL32 ref: 66F8F7A9
Part of subcall function 66F8F750: memcpy.MSVCRT ref: 66F8F7CC

Strings

__mp_main__, xrefs: 66F8591E
%s (%d:%d), xrefs: 66F861CC
__main__, xrefs: 66F858F8
<frozen %U>, xrefs: 66F854D8, 66F85523
__spec__, xrefs: 66F8595D
, xrefs: 66F8587B

Memory Dump Source

Source File: 00000002.00000002.2123971355.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000002.00000002.2123954260.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124016633.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124033600.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124048394.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124068028.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124083589.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124098619.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124114974.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66f80000_zapret.jbxd

Similarity

API ID: DictDict_Import_ItemModuleUnicode_$AllocCodeErr_Eval_ExecFormatFrameFromModule_ObjectOccurredStringVirtualmemcpy
String ID: $%s (%d:%d)$<frozen %U>$__main__$__mp_main__$__spec__
API String ID: 3240200909-2782528897
Opcode ID: db3bbc8ce2dc25059c250b18394c3a52027a2ee373e96a4f4f185882a6659b56
Instruction ID: 94d5e87fc850224974b9346cbd144078ae336d07e205854aaf8dd14c89593fa8
Opcode Fuzzy Hash: db3bbc8ce2dc25059c250b18394c3a52027a2ee373e96a4f4f185882a6659b56
Instruction Fuzzy Hash: 5CD1AA32B1AB80C6FF058F66E8643687771FB89F99F0845AADA6E07725DF29C054C350

Function 00007FF630483680 Relevance: 33.5, APIs: 6, Strings: 13, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF6304837C4

Strings

%s%c%s.py, xrefs: 00007FF630483739
__main__, xrefs: 00007FF6304836A7
pyi-disable-windowed-traceback, xrefs: 00007FF630483882
_pyi_main_co, xrefs: 00007FF63048379D
Traceback is disabled via bootloader option., xrefs: 00007FF630483899
traceback, xrefs: 00007FF63048391F
\, xrefs: 00007FF630483731
Absolute path to script exceeds PATH_MAX, xrefs: 00007FF6304837E6
format_exception, xrefs: 00007FF630483948
Could not get __main__ module., xrefs: 00007FF6304838F1
__file__, xrefs: 00007FF630483764
Failed to unmarshal code object for %s, xrefs: 00007FF6304837FC
Could not get __main__ module's dict., xrefs: 00007FF630483902

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: free
String ID: %s%c%s.py$Absolute path to script exceeds PATH_MAX$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to unmarshal code object for %s$Traceback is disabled via bootloader option.$\$__file__$__main__$_pyi_main_co$format_exception$pyi-disable-windowed-traceback$traceback
API String ID: 1294909896-4198433784
Opcode ID: 12c52ad3206ff2ca4a686c2b5d6f2d74fd5d28bb8a815d9899b5b4b4f58fce32
Instruction ID: 2cbe40d0088a088b22e2bfbf053bbe5c3f90f0a476f77ae3c284fa24e7ac9973
Opcode Fuzzy Hash: 12c52ad3206ff2ca4a686c2b5d6f2d74fd5d28bb8a815d9899b5b4b4f58fce32
Instruction Fuzzy Hash: 26B14065A09B06E5EA04DB16E85417923A0FF89FC9F564432DD0E877B2EE3CE60DE340

Function 66F85861 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyUnicode_AsUTF8.PYTHON38 ref: 66F85904
PyImport_GetModuleDict.PYTHON38 ref: 66F85938
PyDict_GetItem.PYTHON38 ref: 66F85946
PyModule_GetDict.PYTHON38 ref: 66F85957
PyDict_GetItemString.PYTHON38 ref: 66F8596A
PyImport_ExecCodeModuleObject.PYTHON38 ref: 66F8598D
PyErr_Occurred.PYTHON38 ref: 66F85996

Strings

%s (%d:%d), xrefs: 66F85EAC
__mp_main__, xrefs: 66F8591E
__main__, xrefs: 66F858F8
__spec__, xrefs: 66F8595D
, xrefs: 66F8587B

Memory Dump Source

Source File: 00000002.00000002.2123971355.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000002.00000002.2123954260.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124016633.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124033600.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124048394.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124068028.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124083589.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124098619.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124114974.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66f80000_zapret.jbxd

Similarity

API ID: DictDict_Import_ItemModule$CodeErr_ExecModule_ObjectOccurredStringUnicode_
String ID: $%s (%d:%d)$__main__$__mp_main__$__spec__
API String ID: 4088344453-4025645406
Opcode ID: 9dbca92b45b22755f182dd9fd9453eae78080b2a8cd5e8e99871cdfe5034526d
Instruction ID: 91b9f1b8619ca420024f8a307cfd60020474cd34f91eac12201592baaf686658
Opcode Fuzzy Hash: 9dbca92b45b22755f182dd9fd9453eae78080b2a8cd5e8e99871cdfe5034526d
Instruction Fuzzy Hash: BC81AC32B16B8086FF55CF66E8A03697371EB85B99F4845AADE6E07B15DF29C041C310

Function 00007FF630485550 Relevance: 28.6, APIs: 2, Strings: 17, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF630486FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF63048700C

free.MSVCRT ref: 00007FF630485720
free.MSVCRT ref: 00007FF630485735

Strings

Invalid value for PYTHONUTF8=%s; disabling utf-8 mode!, xrefs: 00007FF630485753
%s%c%s%c%s%c%s%c%s, xrefs: 00007FF63048563B
;, xrefs: 00007FF63048564C
Failed to convert pypath to wchar_t, xrefs: 00007FF6304857AA
base_library.zip, xrefs: 00007FF630485634
sys.path (based on %s) exceeds buffer[%d] space, xrefs: 00007FF630485780
PYTHONUTF8, xrefs: 00007FF63048555A
C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI50042\lib-dynload;C:\Users\al, xrefs: 00007FF630485686
Failed to convert progname to wchar_t, xrefs: 00007FF63048579C
Failed to convert pyhome to wchar_t, xrefs: 00007FF6304857B8
Error detected starting Python VM., xrefs: 00007FF630485764
lib-dynload, xrefs: 00007FF630485622
C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI50042\lib-dynload;C:\Users\user\AppData\Local\Temp\_MEI50042, xrefs: 00007FF630485619
\, xrefs: 00007FF630485654
\, xrefs: 00007FF63048566E
Failed to convert argv to wchar_t, xrefs: 00007FF63048578E
;, xrefs: 00007FF630485661

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: free$EnvironmentVariable
String ID: %s%c%s%c%s%c%s%c%s$;$;$C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI50042\lib-dynload;C:\Users\al$C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI50042\lib-dynload;C:\Users\user\AppData\Local\Temp\_MEI50042$Error detected starting Python VM.$Failed to convert argv to wchar_t$Failed to convert progname to wchar_t$Failed to convert pyhome to wchar_t$Failed to convert pypath to wchar_t$Invalid value for PYTHONUTF8=%s; disabling utf-8 mode!$PYTHONUTF8$\$\$base_library.zip$lib-dynload$sys.path (based on %s) exceeds buffer[%d] space
API String ID: 471908985-1888546901
Opcode ID: c48456801aa9cd7d8cc58aca705c0cba2a25958533fc06219b0b3206e7b935ed
Instruction ID: dccd085917e81bce158b8c558bab486bfff363b5286273a0f5d42f8ef04cf109
Opcode Fuzzy Hash: c48456801aa9cd7d8cc58aca705c0cba2a25958533fc06219b0b3206e7b935ed
Instruction Fuzzy Hash: AE615025A1DA06E1FA109B11E95027D2360AF84B8CF964436DA0E877A7DF2DE74DE780

Function 00007FF630481710 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF630488AE0: malloc.MSVCRT ref: 00007FF630488A49

malloc.MSVCRT ref: 00007FF630481788
malloc.MSVCRT ref: 00007FF63048179E
fread.MSVCRT ref: 00007FF6304817CD
ferror.MSVCRT ref: 00007FF6304817DE
fwrite.MSVCRT ref: 00007FF630481867
ferror.MSVCRT ref: 00007FF630481882
free.MSVCRT ref: 00007FF630481905
free.MSVCRT ref: 00007FF63048190D

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6304818E9
1.2.12, xrefs: 00007FF63048173F
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF630481A07
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF630481A3F
_MEIPASS2, xrefs: 00007FF630481712
malloc, xrefs: 00007FF630481A46, 00007FF630481A65
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF630481A5E

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: malloc$ferrorfree$freadfwrite
String ID: 1.2.12$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$_MEIPASS2$malloc
API String ID: 1635854594-2461342963
Opcode ID: 5d83aac17ced31a7c1805e244f49a19b62b07cc991f9975bd614b182ebb2c88a
Instruction ID: c835b32ddf0354486e2931a3a379d445d7e857e0b2c92eb574db35e7fcbb68de
Opcode Fuzzy Hash: 5d83aac17ced31a7c1805e244f49a19b62b07cc991f9975bd614b182ebb2c88a
Instruction Fuzzy Hash: B281F732A0C682E1E6209F19E5403BA6394FB447A8F554532DECD837D6DF3DE689E780

Function 00007FF63048E5E0 Relevance: 25.9, APIs: 17, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strdup.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048E616
setlocale.MSVCRT ref: 00007FF63048E62E
mbstowcs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048E665
mbstowcs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048E6D6
setlocale.MSVCRT ref: 00007FF63048E741
free.MSVCRT ref: 00007FF63048E74D
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048E981
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048E9F5
realloc.MSVCRT ref: 00007FF63048EA10
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048EA39
setlocale.MSVCRT ref: 00007FF63048EA4A
free.MSVCRT ref: 00007FF63048EA56
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048EA80
realloc.MSVCRT ref: 00007FF63048EA9B
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF630484082,00000000,?,00007FF630482124), ref: 00007FF63048EABF
setlocale.MSVCRT ref: 00007FF63048EAD0
free.MSVCRT ref: 00007FF63048EADC

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: wcstombs$setlocale$free$mbstowcsrealloc$_strdup
String ID:
API String ID: 918573998-0
Opcode ID: a83cf2a6e7cdc1dd5fd551beaeb6a114339be945ac12246f5548f53177ceeab4
Instruction ID: e207dfff509ff075729275fd07798f1be28d3e076d306dbf4d843eeda45bfb79
Opcode Fuzzy Hash: a83cf2a6e7cdc1dd5fd551beaeb6a114339be945ac12246f5548f53177ceeab4
Instruction Fuzzy Hash: 19F15866F04B15D8EB509BAAC4402BC37B0FB44B9CF814836DE4C977AAEF39D6459360

Function 00007FF630481E80 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF630487D30: malloc.MSVCRT ref: 00007FF630487D4E
Part of subcall function 00007FF630487D30: free.MSVCRT ref: 00007FF630487E25

fread.MSVCRT ref: 00007FF630481EF3
malloc.MSVCRT ref: 00007FF630481F52
fread.MSVCRT ref: 00007FF630481F73
ferror.MSVCRT ref: 00007FF630481F90
fclose.MSVCRT ref: 00007FF630482000

Strings

fseek, xrefs: 00007FF63048208C
Could not read full TOC!, xrefs: 00007FF630482062
fread, xrefs: 00007FF63048204F, 00007FF630482069
Failed to read cookie!, xrefs: 00007FF630482048
Cannot read Table of Contents., xrefs: 00007FF630481FA7
Error on file., xrefs: 00007FF630482077
Failed to seek to cookie position!, xrefs: 00007FF630482085
malloc, xrefs: 00007FF6304820A1
Could not allocate buffer for TOC!, xrefs: 00007FF63048209A

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: freadmalloc$fcloseferrorfree
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$fread$fseek$malloc
API String ID: 1320676746-1463511288
Opcode ID: 19dcc9d848cb798bf0ed1bfc39bbe01b3329b6dea2929fda1e637dd1503b3bd6
Instruction ID: af990ebc1fe356c263488590670a398f90d66796149099124d840837a8d6f15d
Opcode Fuzzy Hash: 19dcc9d848cb798bf0ed1bfc39bbe01b3329b6dea2929fda1e637dd1503b3bd6
Instruction Fuzzy Hash: E2516071B09602E6EA14CB19D64027923A0BF49748F468835DB0DC7792DF3DF669D780

Function 66FFF2C0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 123
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCRT ref: 66FFF31E
CreateFileMappingA.KERNEL32 ref: 66FFF375
MapViewOfFile.KERNEL32 ref: 66FFF3A1
CloseHandle.KERNEL32 ref: 66FFF3AD
GetLastError.KERNEL32 ref: 66FFF3B8
_errno.MSVCRT ref: 66FFF3C0

Strings

@, xrefs: 66FFF424
, xrefs: 66FFF2FC
@, xrefs: 66FFF47D

Memory Dump Source

Source File: 00000002.00000002.2123971355.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000002.00000002.2123954260.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124016633.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124033600.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124048394.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124068028.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124083589.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124098619.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124114974.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66f80000_zapret.jbxd

Similarity

API ID: File_errno$CloseCreateErrorHandleLastMappingView
String ID: $@$@
API String ID: 896588047-3743272326
Opcode ID: 8bce634052248ac0fe09119566a57010313dbdf8e4743f0df6502e78c6b4aa78
Instruction ID: e52eec593fddd049e3133b1fc536c989496648b384d660d646d9b8e591064491
Opcode Fuzzy Hash: 8bce634052248ac0fe09119566a57010313dbdf8e4743f0df6502e78c6b4aa78
Instruction Fuzzy Hash: 64412073E3665086F7914B26EC0174AA151BB8ABB8F490322DE79177F0EB3CC842C341

Function 00007FF630481AF0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF630481B2E
fread.MSVCRT ref: 00007FF630481B7C
free.MSVCRT ref: 00007FF630481BA1
fclose.MSVCRT ref: 00007FF630481BB2

Strings

fseek, xrefs: 00007FF630481C44
Failed to extract %s: failed to open archive file!, xrefs: 00007FF630481C15
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF630481C5A
fread, xrefs: 00007FF630481B92
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF630481C3D
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF630481B8B
malloc, xrefs: 00007FF630481C61

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: fclosefreadfreemalloc
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 3295367466-3659356012
Opcode ID: ac8388ead6e3bcfe763450b17e0ef30528a73e2e0ac24da44bb334a18c26175b
Instruction ID: 49591d4682b5dbef77626cae3850d76aeae4ad92f4684808b19b5cfe2d9009f3
Opcode Fuzzy Hash: ac8388ead6e3bcfe763450b17e0ef30528a73e2e0ac24da44bb334a18c26175b
Instruction Fuzzy Hash: FC31C022B0A653F5FA059B19D9146BA1254AF007DCF864833DD0D867A3EE2DE74DE380

Function 00007FF6304816D0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 285
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF630488160: free.MSVCRT ref: 00007FF6304881C7
Part of subcall function 00007FF630488160: free.MSVCRT ref: 00007FF6304881D4

Part of subcall function 00007FF6304821B0: calloc.MSVCRT ref: 00007FF6304821BE

Part of subcall function 00007FF6304842F0: GetModuleFileNameW.KERNEL32 ref: 00007FF630484312

Part of subcall function 00007FF630486FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF63048700C

free.MSVCRT ref: 00007FF630483C27

Part of subcall function 00007FF6304870D0: SetEnvironmentVariableW.KERNEL32 ref: 00007FF6304870EB
Part of subcall function 00007FF6304870D0: free.MSVCRT ref: 00007FF6304870F6

SetDllDirectoryW.KERNEL32 ref: 00007FF630483C93
strcmp.MSVCRT ref: 00007FF630483CBF
strcpy.MSVCRT ref: 00007FF630483D05

Strings

Cannot side-load external archive %s (code %d)!, xrefs: 00007FF630483FA9
Failed to convert DLL search path!, xrefs: 00007FF630483FF7
Error opening archive ZNdewcHn8K from executable (%s) or external archive (%s), xrefs: 00007FF630483F2C
_MEIPASS2, xrefs: 00007FF630483BD8
_PYI_ONEDIR_MODE, xrefs: 00007FF630483BF3, 00007FF630483C2C

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: free$EnvironmentVariable$DirectoryFileModuleNamecallocstrcmpstrcpy
String ID: Cannot side-load external archive %s (code %d)!$Error opening archive ZNdewcHn8K from executable (%s) or external archive (%s)$Failed to convert DLL search path!$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 4056350997-3668766296
Opcode ID: 9ab94f93fd9a23215b0dc628b7aa1a3357c569d797d6c235b1780b007e8df911
Instruction ID: e342230e470222f09d203457e7aca121d210a38f4b74f24eaac1719b0cbee0d6
Opcode Fuzzy Hash: 9ab94f93fd9a23215b0dc628b7aa1a3357c569d797d6c235b1780b007e8df911
Instruction Fuzzy Hash: CDC18421A1C642E0FA50AB2598111BA5264AF84BCDF464831EE4DC77D7EE2DE70DA7C4

Function 00007FF8A8711A0A Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ERR_clear_error.LIBCRYPTO-1_1 ref: 00007FF8A8755ADA
SetLastError.KERNEL32 ref: 00007FF8A8755AE1
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8755BE8
BUF_MEM_grow.LIBCRYPTO-1_1 ref: 00007FF8A8755C73
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8755CBA
BUF_MEM_free.LIBCRYPTO-1_1 ref: 00007FF8A8755DC2
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8755E26
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8755E79

Part of subcall function 00007FF8A8756060: ERR_put_error.LIBCRYPTO-1_1(?,?,00000000,?,00007FF8A8755D8E), ref: 00007FF8A87563FD

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FF8A8755BD8, 00007FF8A8755CAA, 00007FF8A8755E16, 00007FF8A8755E69

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$ErrorLastM_freeM_growR_clear_error
String ID: ..\s\ssl\statem\statem.c
API String ID: 2562538362-2512360314
Opcode ID: c5ec9d6da75d60e59cec8800915c942c7923d53dd8deea7d1b1bc2a2b65e181d
Instruction ID: 2cdcaba2615a7d5d73efa0edbb818ca0f8771a2f28567df36e8c496749e86ef2
Opcode Fuzzy Hash: c5ec9d6da75d60e59cec8800915c942c7923d53dd8deea7d1b1bc2a2b65e181d
Instruction Fuzzy Hash: E5B18132A4E742A6F7689F15C4843BD33E1EB40B88F145035DA4C46799CF7EE885CB68

Function 00007FF8A87115D2 Relevance: 14.6, APIs: 6, Strings: 2, Instructions: 570COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-1_1 ref: 00007FF8A871C9B5
BIO_set_flags.LIBCRYPTO-1_1 ref: 00007FF8A871C9C2
memcpy.VCRUNTIME140 ref: 00007FF8A871CA05
memcpy.VCRUNTIME140 ref: 00007FF8A871CBA0

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FF8A871C5A9, 00007FF8A871CCBE
SSL alert number , xrefs: 00007FF8A871CCF2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: memcpy$O_clear_flagsO_set_flags
String ID: ..\s\ssl\record\rec_layer_s3.c$SSL alert number
API String ID: 1692547093-34800109
Opcode ID: 218e4fe239caa055c8f9a09eb3c10c9947b384fed5d68d776e866426d8813317
Instruction ID: 41bae557f6c1bc723fd1a21759795bfd9f4f486e51412f9a859f0668c8d73dd4
Opcode Fuzzy Hash: 218e4fe239caa055c8f9a09eb3c10c9947b384fed5d68d776e866426d8813317
Instruction Fuzzy Hash: 8342CB32B8A682A6EB74CA51D1447BD27A5FB91BC4F184135CA4D47FA0CF3DE891C728

Function 00007FF6304857D0 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF6304857EB
free.MSVCRT ref: 00007FF6304858BC

Strings

strict, xrefs: 00007FF6304857F0
_MEIPASS, xrefs: 00007FF630485820
Failed to get _MEIPASS as PyObject., xrefs: 00007FF6304858F1
Module object for %s is NULL!, xrefs: 00007FF6304858CB
_MEIPASS2, xrefs: 00007FF6304857D0
utf-8, xrefs: 00007FF6304857F7

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: freestrlen
String ID: Failed to get _MEIPASS as PyObject.$Module object for %s is NULL!$_MEIPASS$_MEIPASS2$strict$utf-8
API String ID: 322734593-568040347
Opcode ID: 9e845a276c51c4464c120e7fb7b1e0ba1285ac3300ef2d75e6443f80687ba065
Instruction ID: 1f8595e35395807204613a5f7d85bd9b678119d7dcf7f0e8186e3a3d001655a0
Opcode Fuzzy Hash: 9e845a276c51c4464c120e7fb7b1e0ba1285ac3300ef2d75e6443f80687ba065
Instruction Fuzzy Hash: 3F315211A09A46F1EE15AB16D9440792360BF48BD8F5A4832DD0EC73A3DE3DE64DE380

Function 00007FF8A871240F Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF8A871D1C7
memcpy.VCRUNTIME140 ref: 00007FF8A871D22D
SetLastError.KERNEL32 ref: 00007FF8A871D325
BIO_read.LIBCRYPTO-1_1 ref: 00007FF8A871D34C

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FF8A871D2D6, 00007FF8A871D3C5

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: memcpy$ErrorLastO_read
String ID: ..\s\ssl\record\rec_layer_s3.c
API String ID: 1958097105-2209325370
Opcode ID: 4188784b089c0aef524afabbd84599c193d976197fb088fa5096f07a4c300196
Instruction ID: 3fa77c1458f5e20c75b6274ba230df54e9a50f7bd2f51f682db6b6bd77bb7bd9
Opcode Fuzzy Hash: 4188784b089c0aef524afabbd84599c193d976197fb088fa5096f07a4c300196
Instruction Fuzzy Hash: 14819132A4AA9591EB50DF25D4443A96BA0FB44FC8F188135DE9C0BFA8DF3CD485CB64

Function 00007FF8A87555C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 223COMMON

Download Yara Rule

APIs

BUF_MEM_grow_clean.LIBCRYPTO-1_1(?,?,?,00000000,?,-00000031,00007FF8A8755D72), ref: 00007FF8A8755774
ERR_put_error.LIBCRYPTO-1_1(?,?,?,00000000,?,-00000031,00007FF8A8755D72), ref: 00007FF8A875588C
ERR_put_error.LIBCRYPTO-1_1(?,?,?,00000000,?,-00000031,00007FF8A8755D72), ref: 00007FF8A8755952

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FF8A875587B, 00007FF8A8755933

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$M_grow_clean
String ID: ..\s\ssl\statem\statem.c
API String ID: 1147295381-2512360314
Opcode ID: 5f176698e27fcd32c145e642f59c1ffc7f7fcf19b059238bddaa937a1f498d97
Instruction ID: edb2d195c2dac5ba5c1fbd41b9f96f31cf67f9f755f5912c51e12d509a6882ef
Opcode Fuzzy Hash: 5f176698e27fcd32c145e642f59c1ffc7f7fcf19b059238bddaa937a1f498d97
Instruction Fuzzy Hash: AFA1C232A4A682A5FB688F25D44437937A0FB40BD8F185135CA5D4BBE4CF3EE485C724

Function 00007FF8A87114C9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8736C29
ASYNC_get_current_job.LIBCRYPTO-1_1 ref: 00007FF8A8736C76

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A8736C10

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: C_get_current_jobR_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 4281227279-1080266419
Opcode ID: 3c78fabd672594b1f123496dd180e95c5cf271f2b730e2afc5d90a2ea75cc958
Instruction ID: 47c710ae18a4febe5b73f9d853e490323a47d6d21e181bb4b67b8c3e9599574f
Opcode Fuzzy Hash: 3c78fabd672594b1f123496dd180e95c5cf271f2b730e2afc5d90a2ea75cc958
Instruction Fuzzy Hash: 5E21C332B4A642A2EB40DB25E4007AD23A0EF88BC4F585130EE4D47796DF3CE4558A24

Function 00007FF630487D30 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF630487D4E
free.MSVCRT ref: 00007FF630487E25

Strings

_MEIPASS2, xrefs: 00007FF630487D32

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: freemalloc
String ID: _MEIPASS2
API String ID: 3061335427-3944641314
Opcode ID: bb0eff94d4dba1cb2c86a0a43b1d8236c94a90db0d743f657a1eabc715f4bc7e
Instruction ID: eb7bc4a58ea577eb1bda751b02c4d97d7d9e9a46909d83ec9e71a2d0beb168cc
Opcode Fuzzy Hash: bb0eff94d4dba1cb2c86a0a43b1d8236c94a90db0d743f657a1eabc715f4bc7e
Instruction Fuzzy Hash: E5210812718122A1FE119A129A147BB86456F45BDCF8A0875EF0DCB7C3EE3EE749D340

Function 00007FF630486170 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF63048617E

Strings

Cannot allocate memory for SPLASH_STATUS., xrefs: 00007FF63048618D
calloc, xrefs: 00007FF630486194

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: calloc
String ID: Cannot allocate memory for SPLASH_STATUS.$calloc
API String ID: 2635317215-799113134
Opcode ID: daeeb61d3e57278251d27ce958a3713753ff428d5e00cabe7585f6002fde9d4c
Instruction ID: 450db84e6eed056a6d01f2d776e83a19bad242dd9cc4527dc7c22b404475bd2c
Opcode Fuzzy Hash: daeeb61d3e57278251d27ce958a3713753ff428d5e00cabe7585f6002fde9d4c
Instruction Fuzzy Hash: BEE01261E0C60BF1EA646B04D6411B92751DF8434CFD64438D90C867A7DD3DE71DA784

Function 00007FF8A8756060 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1(?,?,00000000,?,00007FF8A8755D8E), ref: 00007FF8A87563FD

Strings

..\s\ssl\statem\statem.c, xrefs: 00007FF8A87563EC

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\statem\statem.c
API String ID: 1767461275-2512360314
Opcode ID: 286396ca9c874b9dfc3071c4ae9c9e66dfc5672bc1137bd36060fe4fb40a9dbf
Instruction ID: 9ace6de01d230b56bf251d5378c170f03f8e8632b7cbae1b917a0e9f0fe2d5f8
Opcode Fuzzy Hash: 286396ca9c874b9dfc3071c4ae9c9e66dfc5672bc1137bd36060fe4fb40a9dbf
Instruction Fuzzy Hash: 9FB1C432A4A642E6EB688F25C454B7D33A0FF40BC8F545135CA4D47AA4DF3DE985CB28

Function 00007FF63048F300 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fsetpos.MSVCRT ref: 00007FF63048F3A5

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: fsetpos
String ID:
API String ID: 850078086-0
Opcode ID: 1b41710901f17b2eeca1497c090281577d230925116f41a5d4b4f06b87e02d06
Instruction ID: fe797871b14e01c40288d3bab86045f002ea573d15d90a6722c7522a03e28d60
Opcode Fuzzy Hash: 1b41710901f17b2eeca1497c090281577d230925116f41a5d4b4f06b87e02d06
Instruction Fuzzy Hash: 0C116372E04B06EAEF109F7985410BC23A0AB0579CF510E35EE1D87B9ADF39D2549340

Function 00007FF6304820B0 Relevance: 3.0, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FF630482138
fclose.MSVCRT ref: 00007FF630482158

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: fclosestrcpy
String ID:
API String ID: 3396940900-0
Opcode ID: 895a6b6c714a899f9991e10034d45c35d60b5dc000e3fba6163b4ec63685fad1
Instruction ID: 9edb42243c4dcd0eeea20b32e61f6345385a472ac9762e38d7d6c63103129d21
Opcode Fuzzy Hash: 895a6b6c714a899f9991e10034d45c35d60b5dc000e3fba6163b4ec63685fad1
Instruction Fuzzy Hash: C411AC21B08142E0FB909A75EA553F912419F84BCCF558532DE0DC77CBDD2DAA8DE380

Function 00007FF630487950 Relevance: 3.0, APIs: 2, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF630488210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF630482E40), ref: 00007FF630488246

LoadLibraryExW.KERNEL32 ref: 00007FF630487971
free.MSVCRT ref: 00007FF63048797D

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWidefree
String ID:
API String ID: 3231889924-0
Opcode ID: ac1678f2e02d1b72cbc567d5e7bac802729ecc80d491b3a74ede665a07012b31
Instruction ID: cf36b7ddb7569f57f7d9decc6ccb504bf7ec24a3c57b8a537baf9c4c74033fcb
Opcode Fuzzy Hash: ac1678f2e02d1b72cbc567d5e7bac802729ecc80d491b3a74ede665a07012b31
Instruction Fuzzy Hash: 00D02B01F2617552ED88B6772C0566901001F49FD4EC98438CC0D87702DC2CD24A0700

Function 00007FF63048F1BB Relevance: 2.6, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63048EFD0: wcslen.MSVCRT ref: 00007FF63048F006

free.MSVCRT ref: 00007FF63048F1FF
memset.MSVCRT ref: 00007FF63048F21C

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: freememsetwcslen
String ID:
API String ID: 2332356550-0
Opcode ID: 16ca566369b86500749d9f98ec16c1cf0d74b93f9dbbc66e3a29c3db3259c6e1
Instruction ID: 04fe6c36213df78efec313e6bbbc43e9f126cd90aec9ce7e43e721ed8e8776b8
Opcode Fuzzy Hash: 16ca566369b86500749d9f98ec16c1cf0d74b93f9dbbc66e3a29c3db3259c6e1
Instruction Fuzzy Hash: D131D966B00B14D9DB10CF7AD48109C3BB1FB58BA8B118526EE1C53B69EB34C591C790

Function 00007FF8A87117C1 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8728CC3

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrl
String ID:
API String ID: 3605655398-0
Opcode ID: 93ac2850b5d2f13ae9b54a5dd82942a09dfe8bb811652b166735949098b463b3
Instruction ID: 96b32949d4837fa270439d7a513bd81fdac3d9232efceb2918ec02daf2d35676
Opcode Fuzzy Hash: 93ac2850b5d2f13ae9b54a5dd82942a09dfe8bb811652b166735949098b463b3
Instruction Fuzzy Hash: D0318D33609B8586D750CF65E440BED77A0F789B88F084136EE8C4BB59DF79C1998B24

Function 67000940 Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 6700097E

Memory Dump Source

Source File: 00000002.00000002.2123971355.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000002.00000002.2123954260.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124016633.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124033600.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124048394.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124068028.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124083589.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124098619.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124114974.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66f80000_zapret.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fe5837323282d315a15794c740daf0bac631d7c30206fff776a4dc5a47e3ca90
Instruction ID: cd783cb35b1c5ccd56b387b9dc9809c4c0e09b979c626c1b103b450ba26739f9
Opcode Fuzzy Hash: fe5837323282d315a15794c740daf0bac631d7c30206fff776a4dc5a47e3ca90
Instruction Fuzzy Hash: 43F01C7237D52085F6310D29D600FAA7594575BBF0E94811699BC0ABF4D55FC6818F22

Function 00007FF8A8755460 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8755496

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID:
API String ID: 1767461275-0
Opcode ID: dfae5811a408f5906231ea143e286c5f2096b5f567c064c5227843b7cad87cf8
Instruction ID: 78c36018e7f8af04b070878c7701d9902aeb40d60fa4dfd6d3ad852ee4426410
Opcode Fuzzy Hash: dfae5811a408f5906231ea143e286c5f2096b5f567c064c5227843b7cad87cf8
Instruction Fuzzy Hash: 0301D132A4924186E7A88E29E00437962A0FB84BCCF141035EA5C07BE9DB7EE880CF14

Function 00007FF6304843B0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF630488210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF630482E40), ref: 00007FF630488246

_wfopen.MSVCRT ref: 00007FF6304843F5

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: ByteCharMultiWide_wfopen
String ID:
API String ID: 372205238-0
Opcode ID: e249028c2137e21c272be09ebad8c35b62695eafe249120916a556fd3ad7a81d
Instruction ID: 307caf3fbde2dc61c8f1c0c5966dcbcf50b240c0f679cecd81eac7dfa3669ec4
Opcode Fuzzy Hash: e249028c2137e21c272be09ebad8c35b62695eafe249120916a556fd3ad7a81d
Instruction Fuzzy Hash: C1E0D85170C21092F9147253B9047E98216AF4AFD4F408430EF0C9BB9BCD1EE3478B41

Function 00007FF8A87114C4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8756026

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrl
String ID:
API String ID: 3605655398-0
Opcode ID: 6085142ac8421f32a635a0c22734978378be42a22e6ff1485fbb386f4c50a3f8
Instruction ID: 14bb342ebd35586dabff832727420a853e1623b86ef22e0eacf2d96e4a29b216
Opcode Fuzzy Hash: 6085142ac8421f32a635a0c22734978378be42a22e6ff1485fbb386f4c50a3f8
Instruction Fuzzy Hash: F5E080F3F4610256F7255775D846F791390EB4C754F641030DA1C8AB82EBADE8D28B18

Function 66FFD980 Relevance: 1.5, APIs: 1, Instructions: 213COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 66FFDC22

Memory Dump Source

Source File: 00000002.00000002.2123971355.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000002.00000002.2123954260.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124016633.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124033600.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124048394.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124068028.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124083589.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124098619.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124114974.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66f80000_zapret.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 87d80e122543ab82afe693d9a7a50df2d0bf7f3205f6cf244ec925fd0e59c24c
Instruction ID: cc6605d32a8233596066b01f0e67003fd64ba0751052047c5fa452c7b4720335
Opcode Fuzzy Hash: 87d80e122543ab82afe693d9a7a50df2d0bf7f3205f6cf244ec925fd0e59c24c
Instruction Fuzzy Hash: 1E9197B2A29B9486EB558F26D45035D3BA0F745FECF18411ACF9D1B3A9DB38C496C380

Function 00007FF63048CBA0 Relevance: 1.3, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF63048CC5A

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 623919cd236f253b3d7bc4f578d470e9102edac5acaca204977424f4e3dbef8b
Instruction ID: 67dfe31b562cb8fa8700722f7507c9d5c28f636c4435e6df3ee79c8ab8fc9703
Opcode Fuzzy Hash: 623919cd236f253b3d7bc4f578d470e9102edac5acaca204977424f4e3dbef8b
Instruction Fuzzy Hash: 46312726F04B15E9F7108B65D4403BC37B0A700B8CF918876DE8CA3B99DF399699A790

Function 00007FF630488AE0 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF630488A49

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 0fc86e8ee51b5bdc1f5f7082c9320d3be715a44251d05dfd6912ed91f5c13a9f
Instruction ID: 88f501d83823e5970e16ae672bb6e6facb2be1897ece1e86c6c6e2a3d592cb8e
Opcode Fuzzy Hash: 0fc86e8ee51b5bdc1f5f7082c9320d3be715a44251d05dfd6912ed91f5c13a9f
Instruction Fuzzy Hash: 94219831609B02D7F7694B15D4403392695BB84BDCF2A453ACD1D877D2DF3EDA86A380

Function 00007FF63048A970 Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF63048A998

Memory Dump Source

Source File: 00000002.00000002.2128618247.00007FF630481000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF630480000, based on PE: true

Associated: 00000002.00000002.2128537945.00007FF630480000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128668780.00007FF630499000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128706316.00007FF63049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128727788.00007FF6304A4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128761616.00007FF6304B5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128840599.00007FF6304B6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2128859184.00007FF6304B9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff630480000_zapret.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 91393a4a38c2f9ca34023a88416337a771a7b0123113a7f946b122cb324d8598
Instruction ID: 40a1557327a553d67dc3cf23c32816c1a83813508fb3a581a0975ad9afd86660
Opcode Fuzzy Hash: 91393a4a38c2f9ca34023a88416337a771a7b0123113a7f946b122cb324d8598
Instruction Fuzzy Hash: 72F012A2A09911D2EB519B2AD8403592260EB48FACF161931CD4D87395EE25DC95D380

Function 66FFDE00 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,?,00000000,?,66FE0C70,00000000,?,?,66F93BB6,?,?,?,?,?,?), ref: 66FFDE0F

Memory Dump Source

Source File: 00000002.00000002.2123971355.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000002.00000002.2123954260.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124016633.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124033600.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124048394.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124068028.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124083589.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124098619.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000002.00000002.2124114974.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66f80000_zapret.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 1bf828e095ce4e9032b00840eccc91d5e23d29e85e168ad2e099bbb74118d7cc
Instruction ID: 8f0ba91d47a1758a7b6ac7e434d4990a1de01463283f716b81bd24b7a461b6f6
Opcode Fuzzy Hash: 1bf828e095ce4e9032b00840eccc91d5e23d29e85e168ad2e099bbb74118d7cc
Instruction Fuzzy Hash: 34D01266B9BA5581E50D9B573C5039895576B5EBF1F4CC0308E4D97315FC2844D34310

Non-executed Functions

Function 00007FF8A87110A5 Relevance: 61.5, APIs: 32, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A872B2A3
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872B2CB
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872B343
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872B358

Strings

gfffffff, xrefs: 00007FF8A872B2E3
~, xrefs: 00007FF8A872B60C
..\s\ssl\ssl_cert.c, xrefs: 00007FF8A872B29C, 00007FF8A872B2B0, 00007FF8A872B328, 00007FF8A872B34E, 00007FF8A872B3FD, 00007FF8A872B45B, 00007FF8A872B4B5, 00007FF8A872B51F, 00007FF8A872B54D, 00007FF8A872B566, 00007FF8A872B57F, 00007FF8A872B5BC, 00007FF8A872B5E0, 00007FF8A872B630, 00007FF8A872B698, 00007FF8A872B77D

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$O_freeO_zalloc
String ID: ..\s\ssl\ssl_cert.c$gfffffff$~
API String ID: 3565116557-3298543876
Opcode ID: f305aeb28f7a18fd0a1c6c4e00bb75f3199cec8b2b7e99697efe69e1ba939d70
Instruction ID: 15c6ea98b06e97f0cb1e0dc5775ed4f883543d60c614fe4e97ba4e03e14ca92d
Opcode Fuzzy Hash: f305aeb28f7a18fd0a1c6c4e00bb75f3199cec8b2b7e99697efe69e1ba939d70
Instruction Fuzzy Hash: 4ED16932A4AB82A6EB59DB25E4903F963A0FF48B84F404436CB9D47795DF3CE160C324

Function 00007FF8A872F960 Relevance: 57.1, APIs: 22, Strings: 10, Instructions: 1068stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A872F9C9
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A872FA08
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872FAD7
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A872FB75
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A8730432
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8730451
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8730473
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A8730614
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87306A8
OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 00007FF8A87306B9
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87306D8
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A87306ED
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A87306FB
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A8730706
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A8730718
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A873073C
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8730760
OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 00007FF8A8730784
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87307A6
OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 00007FF8A87307AE

Strings

SUITEB128ONLY, xrefs: 00007FF8A872F9C0
ECDHE-ECDSA-AES128-GCM-SHA256, xrefs: 00007FF8A872FB1F
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FF8A872FB02
DEFAULT, xrefs: 00007FF8A8730607
SUITEB128C2, xrefs: 00007FF8A872F9FE
SUITEB192, xrefs: 00007FF8A872FA66
ALL:!COMPLEMENTOFDEFAULT:!eNULL, xrefs: 00007FF8A8730638
..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A872FAB8, 00007FF8A872FB6A, 00007FF8A873041C, 00007FF8A8730444, 00007FF8A8730463, 00007FF8A873069E, 00007FF8A87306D1, 00007FF8A8730753, 00007FF8A8730799
ECDHE-ECDSA-AES256-GCM-SHA384, xrefs: 00007FF8A872FB09, 00007FF8A872FB16
SUITEB128, xrefs: 00007FF8A872FA33

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$strncmp$L_sk_freeL_sk_numL_sk_pushO_mallocR_put_error$L_sk_new_nullL_sk_value
String ID: ..\s\ssl\ssl_ciph.c$ALL:!COMPLEMENTOFDEFAULT:!eNULL$DEFAULT$ECDHE-ECDSA-AES128-GCM-SHA256$ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384$ECDHE-ECDSA-AES256-GCM-SHA384$SUITEB128$SUITEB128C2$SUITEB128ONLY$SUITEB192
API String ID: 3367745429-3030769715
Opcode ID: 0757d5fb305cc7fbd74bb3cb46e42215229c3689a2ecd6931d1c378fb8281c27
Instruction ID: 2551641787aa8f73ce5e90dfc26b9030177c5ffa8c9ca0f829834b9a462a0724
Opcode Fuzzy Hash: 0757d5fb305cc7fbd74bb3cb46e42215229c3689a2ecd6931d1c378fb8281c27
Instruction Fuzzy Hash: 76A2A872A4AB46A2EB69CB06D4506B827E4FB14FC4F288036DE4C47790EF3CD981C765

Function 00007FF8A8711E6A Relevance: 56.4, APIs: 30, Strings: 2, Instructions: 380COMMON

Download Yara Rule

APIs

COMP_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8771401
COMP_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A8771416
EVP_CIPHER_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A8771510
EVP_CIPHER_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A87713AF

Part of subcall function 00007FF8A8711D2A: EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A873E46C
Part of subcall function 00007FF8A8711D2A: EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A873E478
Part of subcall function 00007FF8A8711D2A: EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FF8A873E493

EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A87714F2
EVP_CIPHER_CTX_reset.LIBCRYPTO-1_1 ref: 00007FF8A87715E7
EVP_CIPHER_key_length.LIBCRYPTO-1_1 ref: 00007FF8A8771607
EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 00007FF8A8771619

Strings

x, xrefs: 00007FF8A87713C0
..\s\ssl\t1_enc.c, xrefs: 00007FF8A87718F0

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_new$X_free$DigestInit_exR_flagsR_key_lengthX_reset
String ID: ..\s\ssl\t1_enc.c$x
API String ID: 2151083367-3671953471
Opcode ID: b7c4a1afce9972076094333b5344805b1c2a865642606e0bc6a5c75d9446d4a7
Instruction ID: d4c8b09802c575b236a0e9e5b16c69f483fa49889cd267781dbb5085993f9d5c
Opcode Fuzzy Hash: b7c4a1afce9972076094333b5344805b1c2a865642606e0bc6a5c75d9446d4a7
Instruction Fuzzy Hash: 03F1BE32B4B78295EB60DB26D0507B927A0EB85BD8F484035DE8D4BB95EF3CE445C728

Function 00007FF8A876CBB0 Relevance: 53.2, APIs: 27, Strings: 3, Instructions: 731COMMON

Download Yara Rule

APIs

OPENSSL_sk_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00007FF8A876DF8C), ref: 00007FF8A876CC55
OPENSSL_sk_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00007FF8A876DF8C), ref: 00007FF8A876CC5E
CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00007FF8A876DF8C), ref: 00007FF8A876CC73
CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00007FF8A876DF8C), ref: 00007FF8A876CC88
memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF8A876DF8C), ref: 00007FF8A876CE9B
OPENSSL_sk_num.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00007FF8A876DF8C), ref: 00007FF8A876CF64
OPENSSL_sk_value.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00007FF8A876DF8C), ref: 00007FF8A876CF76
OPENSSL_sk_num.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,?,?,00007FF8A876DF8C), ref: 00007FF8A876CFD2

Strings

@, xrefs: 00007FF8A876D284
..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A876CBD4, 00007FF8A876D827
P, xrefs: 00007FF8A876CBE5

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_freeL_sk_numO_free$L_sk_valuememcmp
String ID: ..\s\ssl\statem\statem_srvr.c$@$P
API String ID: 1579232405-1224705267
Opcode ID: 82dae07ff3711130da00d59c695202ddd9335452390dcaa59f9b9850c2fea917
Instruction ID: ff0ef1696c30b69c9e9e112d2477aa7a8275d4e7a2c4ba1b613efe0fe8910925
Opcode Fuzzy Hash: 82dae07ff3711130da00d59c695202ddd9335452390dcaa59f9b9850c2fea917
Instruction Fuzzy Hash: BC72BE32A4A68296EB64DF25D4403B93BA1FB84BD8F188135DE4D4B795CF3DE580C728

Function 00007FF8A871191F Relevance: 44.0, APIs: 19, Strings: 6, Instructions: 207COMMON

Download Yara Rule

APIs

OBJ_nid2sn.LIBCRYPTO-1_1 ref: 00007FF8A8730C31
OBJ_nid2sn.LIBCRYPTO-1_1 ref: 00007FF8A8730C77
EVP_get_digestbyname.LIBCRYPTO-1_1 ref: 00007FF8A8730C7F
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A8730C9E
EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1 ref: 00007FF8A8730D01
EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1 ref: 00007FF8A8730D21
ENGINE_finish.LIBCRYPTO-1_1 ref: 00007FF8A8730D35
EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1 ref: 00007FF8A8730D73
EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1 ref: 00007FF8A8730D93
ENGINE_finish.LIBCRYPTO-1_1 ref: 00007FF8A8730DA7
EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1 ref: 00007FF8A8730DE8
EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1 ref: 00007FF8A8730E08
ENGINE_finish.LIBCRYPTO-1_1 ref: 00007FF8A8730E1C
EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1 ref: 00007FF8A8730E48
EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1 ref: 00007FF8A8730E68
ENGINE_finish.LIBCRYPTO-1_1 ref: 00007FF8A8730E7C
EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1 ref: 00007FF8A8730EA8
EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1 ref: 00007FF8A8730EC8
ENGINE_finish.LIBCRYPTO-1_1 ref: 00007FF8A8730EDC

Strings

`, xrefs: 00007FF8A8730CBD
gost2012_512, xrefs: 00007FF8A8730E9A
gost-mac, xrefs: 00007FF8A8730CE9
gost2001, xrefs: 00007FF8A8730DDA
gost2012_256, xrefs: 00007FF8A8730E3A
gost-mac-12, xrefs: 00007FF8A8730D65

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: E_finishY_asn1_find_strY_asn1_get0_info$J_nid2sn$D_sizeP_get_digestbyname
String ID: `$gost-mac$gost-mac-12$gost2001$gost2012_256$gost2012_512
API String ID: 910905907-344903700
Opcode ID: af73907f379c61c419f78347b2f9e02f059c7134e5e93dcff582a9889ef48c39
Instruction ID: dfbe774f1db507bcc05c7ca89c3e0f05d944fca51fc46744fed4233069d83ade
Opcode Fuzzy Hash: af73907f379c61c419f78347b2f9e02f059c7134e5e93dcff582a9889ef48c39
Instruction Fuzzy Hash: 8AA18272E4B752AAE7209F24E8506B977A4FB887D8F014235F64D83A94DF3CE041C768

Function 00007FF8A877AE40 Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8A877AE81
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877AED6
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877AEF7
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877AF18
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877AF39
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877AF56
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877AF73
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877AF90
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877AFAD
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A877AFE2
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A877B017
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A877B04C
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A877B065
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A877B07E
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B08A
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B096
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B0A2
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B0AE
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B0BA
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B0C6
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B0D2
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B0DE
memset.VCRUNTIME140 ref: 00007FF8A877B0F0

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FF8A877AFDB, 00007FF8A877B010, 00007FF8A877B037, 00007FF8A877B058, 00007FF8A877B071

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: N_dupN_free$O_freeO_strdupmemset$R_put_error
String ID: ..\s\ssl\tls_srp.c
API String ID: 945879394-1778748169
Opcode ID: a1abc2eb0a4d8886b6cbc02950fa32dd319b988c6aa721c3170f52038b589eb1
Instruction ID: 2d8aca8ba4dc048ea823aeb4b93a8a659d7601bf6563891bcee550961c18d8c8
Opcode Fuzzy Hash: a1abc2eb0a4d8886b6cbc02950fa32dd319b988c6aa721c3170f52038b589eb1
Instruction Fuzzy Hash: AE714D21B8BB82A5FB99EF25D5503B863A4FF84B84F080435DA5C4B796DF2CE460C764

Function 00007FF8A871210D Relevance: 37.1, APIs: 20, Strings: 1, Instructions: 335COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A87783D9
HMAC_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A87783E1

Strings

..\s\ssl\t1_lib.c, xrefs: 00007FF8A877827D, 00007FF8A87782E4, 00007FF8A8778323, 00007FF8A87783AC

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_free
String ID: ..\s\ssl\t1_lib.c
API String ID: 2268491255-1643863364
Opcode ID: b6a072bbe8cd616997d02666d9f596f400f5ce3df73637a2234094b670465238
Instruction ID: 4fda0cbc1727f3bc177d8bc180cfbf07aee3de6dc83f60e7ff13e3a793c12873
Opcode Fuzzy Hash: b6a072bbe8cd616997d02666d9f596f400f5ce3df73637a2234094b670465238
Instruction Fuzzy Hash: 07D1AF22B8B642A6EB649B26D4903BD6390FB48BC8F440435DE4D4B795DF7CE560C72C

Function 00007FF8A87489D0 Relevance: 37.1, APIs: 18, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A8748A37
EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A8748B1A
EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FF8A8748B34
EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 00007FF8A8748B4B
EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FF8A8748BC7
OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 00007FF8A8748EB4
OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 00007FF8A8748EC2
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A8748ECC
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8748ED4

Strings

res binder, xrefs: 00007FF8A8748AC8
ext binder, xrefs: 00007FF8A8748ACF
..\s\ssl\statem\extensions.c, xrefs: 00007FF8A8748A4A, 00007FF8A8748E79

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: Digest$Init_exL_cleanse$D_sizeFinal_exX_freeX_newY_free
String ID: ..\s\ssl\statem\extensions.c$ext binder$res binder
API String ID: 3409567581-999040457
Opcode ID: a4979e3a0ad0778d4b645f9e93d246452461826069706869946054950c1e6b54
Instruction ID: 4da92b2bc2901f1873cee1c0ea90854e0b0f2bf72ac7684cac3a15d574269b17
Opcode Fuzzy Hash: a4979e3a0ad0778d4b645f9e93d246452461826069706869946054950c1e6b54
Instruction Fuzzy Hash: 0ED1C232A4AB9695EB20CBA5E8403BE77A1FB847D4F440135EE9C46BA8DF7CD150CB14

Function 00007FF8A8711EEC Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A8766523
X509_get0_pubkey.LIBCRYPTO-1_1 ref: 00007FF8A8766583
BIO_free.LIBCRYPTO-1_1 ref: 00007FF8A87669EE
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8766A08
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8766A19

Strings

..\s\ssl\statem\statem_lib.c, xrefs: 00007FF8A8766530, 00007FF8A8766561, 00007FF8A87667B2, 00007FF8A87667F9, 00007FF8A8766983, 00007FF8A87669B5, 00007FF8A87669D1

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$X509_get0_pubkeyX_freeX_new
String ID: ..\s\ssl\statem\statem_lib.c
API String ID: 1476775391-2839845709
Opcode ID: 77db3d01e97d2f8a9dec24185974b109a607d4baf2ef0163f91dc2a5ffd2b9cc
Instruction ID: 95db339d003245bcb68eddd35891435410d76fc78caa91d3f7f0dc2addc4fa58
Opcode Fuzzy Hash: 77db3d01e97d2f8a9dec24185974b109a607d4baf2ef0163f91dc2a5ffd2b9cc
Instruction Fuzzy Hash: BAE1B132A4E742A6EB648B12D440BBE37A0EB85BC4F444135DE8D47B95DF3CE541C728

Function 00007FF8A871402B Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

BIO_get_data.LIBCRYPTO-1_1 ref: 00007FF8A871403C
BIO_get_shutdown.LIBCRYPTO-1_1 ref: 00007FF8A8714054
BIO_get_init.LIBCRYPTO-1_1 ref: 00007FF8A8714060
BIO_clear_flags.LIBCRYPTO-1_1 ref: 00007FF8A8714079
BIO_set_init.LIBCRYPTO-1_1 ref: 00007FF8A8714083
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8714098
CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A87140AE
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87140D4
BIO_set_init.LIBCRYPTO-1_1 ref: 00007FF8A87140E5
BIO_clear_flags.LIBCRYPTO-1_1 ref: 00007FF8A87140FD

Part of subcall function 00007FF8A8711203: ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873ADDB

BIO_set_shutdown.LIBCRYPTO-1_1 ref: 00007FF8A8714107
BIO_push.LIBCRYPTO-1_1 ref: 00007FF8A871412B
BIO_set_next.LIBCRYPTO-1_1 ref: 00007FF8A8714136
BIO_up_ref.LIBCRYPTO-1_1 ref: 00007FF8A871413E
BIO_set_init.LIBCRYPTO-1_1 ref: 00007FF8A8714148

Strings

..\s\ssl\bio_ssl.c, xrefs: 00007FF8A871408E, 00007FF8A87140A3, 00007FF8A87140BB
=, xrefs: 00007FF8A87140C2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_set_init$O_clear_flagsR_put_error$O_freeO_get_dataO_get_initO_get_shutdownO_pushO_set_nextO_set_shutdownO_up_refO_zalloc
String ID: ..\s\ssl\bio_ssl.c$=
API String ID: 3205778585-3341019427
Opcode ID: 48324da22b30eb2a03910716d4b020fa1a256ca486406138269771141a6602a8
Instruction ID: 136989efe1425d8989aab47f9de7e9126590a2b4442b0f8b362f86c64839a074
Opcode Fuzzy Hash: 48324da22b30eb2a03910716d4b020fa1a256ca486406138269771141a6602a8
Instruction Fuzzy Hash: BF317A11B8F62262FB06EA2695112BD5282EF81FD0F444031ED1D0BBE6EF2CE543832D

Function 00007FF8A8738FE0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 262COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8739012
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8739042

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A8739004, 00007FF8A8739032, 00007FF8A8739054, 00007FF8A873909F, 00007FF8A87390C7, 00007FF8A8739369, 00007FF8A87393AC, 00007FF8A87393FD

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1767461275-1080266419
Opcode ID: 55b96a3dd205bf37366373ac7fb6cb63c00a7a8e0b1a3690861fcf297dbba5b8
Instruction ID: 7f8f2eeb971a535598b1e0ffcb7986f5a79eb9003cc332fbd747630c3727a9e8
Opcode Fuzzy Hash: 55b96a3dd205bf37366373ac7fb6cb63c00a7a8e0b1a3690861fcf297dbba5b8
Instruction Fuzzy Hash: F8E13B36646B81A6EB88CF25D9803E973A4FB49B84F08413ADF5C4B355DF39E0A0C764

Function 00007FF8A8744AD0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A8744B08
CRYPTO_THREAD_lock_new.LIBCRYPTO-1_1 ref: 00007FF8A8744C36
CRYPTO_new_ex_data.LIBCRYPTO-1_1 ref: 00007FF8A8744C59
X509_up_ref.LIBCRYPTO-1_1 ref: 00007FF8A8744C72
X509_chain_up_ref.LIBCRYPTO-1_1 ref: 00007FF8A8744C99
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A8744CC7
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A8744CF5
CRYPTO_dup_ex_data.LIBCRYPTO-1_1 ref: 00007FF8A8744D19
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A8744D3B
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A8744D70
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8744D9E
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A8744DF6
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A8744E24
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A8744E59

Strings

..\s\ssl\ssl_sess.c, xrefs: 00007FF8A8744AFC, 00007FF8A8744CC0, 00007FF8A8744CEE, 00007FF8A8744D34, 00007FF8A8744D63, 00007FF8A8744D8E, 00007FF8A8744DE9, 00007FF8A8744E1D, 00007FF8A8744E4C

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_strdup$O_memdup$D_lock_newO_dup_ex_dataO_mallocO_new_ex_dataR_put_errorX509_chain_up_refX509_up_ref
String ID: ..\s\ssl\ssl_sess.c
API String ID: 3017714891-2868363209
Opcode ID: fbecbd865664d95c43988a5c7de16e0e2927971e8aefb9cfc2c71dbe7649cea4
Instruction ID: c22bbbdf3b7515be7a512cab87a15bbaf8db17221b6c835c32663933a683cf7b
Opcode Fuzzy Hash: fbecbd865664d95c43988a5c7de16e0e2927971e8aefb9cfc2c71dbe7649cea4
Instruction Fuzzy Hash: AFA18B22A4BB92A2EB85CF64D5403F833A4FF58B84F085635DF9D16652EF38E194D324

Function 00007FF8A8711D7F Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

BN_copy.LIBCRYPTO-1_1 ref: 00007FF8A877B2F9
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B30A
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877B31B
BN_copy.LIBCRYPTO-1_1 ref: 00007FF8A877B33B
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B34C
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877B35D
BN_copy.LIBCRYPTO-1_1 ref: 00007FF8A877B37D
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B38E
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877B39F
BN_copy.LIBCRYPTO-1_1 ref: 00007FF8A877B3C7
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877B3D8
BN_dup.LIBCRYPTO-1_1 ref: 00007FF8A877B3E6
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A877B415
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A877B42A

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FF8A877B40E, 00007FF8A877B420

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: N_copyN_dupN_free$O_freeO_strdup
String ID: ..\s\ssl\tls_srp.c
API String ID: 3726006556-1778748169
Opcode ID: bc46111eaa5c0d2eee9a4f116bbacdad95b66885ca9a0fa629ea1e3bf33a3169
Instruction ID: ffd8780ec10a8958f3c1d912ec5c5bf8711b673c9b59a0004af03e68a8852356
Opcode Fuzzy Hash: bc46111eaa5c0d2eee9a4f116bbacdad95b66885ca9a0fa629ea1e3bf33a3169
Instruction Fuzzy Hash: BC413F21A4FB8290EF96EE2595403BC22D4EF88FC8F1C4535D94D4A799DF2CE481C768

Function 00007FF8A8742BA0 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

CRYPTO_free_ex_data.LIBCRYPTO-1_1 ref: 00007FF8A8742BDF
OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 00007FF8A8742BED
OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 00007FF8A8742BFE
X509_free.LIBCRYPTO-1_1 ref: 00007FF8A8742C0A
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A8742C1D
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8742C36
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8742C4F
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8742C68
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8742C81
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8742C9A
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8742CB3
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8742CCC
CRYPTO_THREAD_lock_free.LIBCRYPTO-1_1 ref: 00007FF8A8742CD8
CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 00007FF8A8742CF2

Strings

..\s\ssl\ssl_sess.c, xrefs: 00007FF8A8742C29, 00007FF8A8742C42, 00007FF8A8742C5B, 00007FF8A8742C74, 00007FF8A8742C8D, 00007FF8A8742CA6, 00007FF8A8742CBF, 00007FF8A8742CE3

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$L_cleanse$D_lock_freeL_sk_pop_freeO_clear_freeO_free_ex_dataX509_free
String ID: ..\s\ssl\ssl_sess.c
API String ID: 4155952050-2868363209
Opcode ID: 7c8cca9d635726069df7663c57bf553fef2a5c5473d0a9e7b06b4a8216e8fd98
Instruction ID: 230705dbf04b82f030bdf036df27dadfcd7dc0d4f0b122a5b5bcec74d6125d5f
Opcode Fuzzy Hash: 7c8cca9d635726069df7663c57bf553fef2a5c5473d0a9e7b06b4a8216e8fd98
Instruction Fuzzy Hash: 25312925B8BA43A1EB41EB65C8957F82311EF89BD8F441032DD1C4B2A6DF2CE245C778

Function 00007FF8A8767FC0 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 351COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A8768050
CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A87680FD
EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A8768105
HMAC_CTX_free.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A876810D
CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A8768238
EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A8768240
HMAC_CTX_free.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A8768248
RAND_bytes.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A87682C1
EVP_sha256.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A87682F9

Part of subcall function 00007FF8A87110CD: BUF_MEM_grow.LIBCRYPTO-1_1 ref: 00007FF8A8718073
Part of subcall function 00007FF8A87110CD: memcpy.VCRUNTIME140 ref: 00007FF8A87180A5

EVP_EncryptUpdate.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A87683CC
EVP_EncryptFinal.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A8768410
HMAC_Update.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A8768486
HMAC_Final.LIBCRYPTO-1_1(?,?,?,?,..\s\ssl\statem\statem_srvr.c,?,?,?,00007FF8A876B9E3), ref: 00007FF8A87684AF

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A8767FC4, 00007FF8A876803D, 00007FF8A8768548

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_free$EncryptFinalO_freeUpdate$D_bytesM_growO_mallocP_sha256memcpy
String ID: ..\s\ssl\statem\statem_srvr.c
API String ID: 1480902132-348624464
Opcode ID: f7cb21e527d5dbcd4b4f5878137a25a5e323864e2d05e7c40326ee368155d1cf
Instruction ID: 5f6c9d95f59f5feee194a7843ca391c20afd0b576fd6442601474897f29360d3
Opcode Fuzzy Hash: f7cb21e527d5dbcd4b4f5878137a25a5e323864e2d05e7c40326ee368155d1cf
Instruction Fuzzy Hash: 92E19021B8E642A5FB20DB62D4502BD23A1EF45BC8F004531EE4D5BB9AEF3DE515C728

Function 00007FF8A871191A Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8736DEF

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A8736DDF, 00007FF8A8736F61

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1767461275-1080266419
Opcode ID: b307cbf11fa145ea730c4665a47a4d239338577f27ea1e879c234206da3170c6
Instruction ID: d0ed2b028db026625239b7e5d018f0ee59cc73dbea541b6b2de8d48627fa28d3
Opcode Fuzzy Hash: b307cbf11fa145ea730c4665a47a4d239338577f27ea1e879c234206da3170c6
Instruction Fuzzy Hash: B0D17C3264AB82A2EB98DF25D5507AD73A0FB84BC4F048036DB5D8B795DF38E460C725

Function 00007FF8A872EA40 Relevance: 24.7, APIs: 9, Strings: 5, Instructions: 182COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_run_once.LIBCRYPTO-1_1 ref: 00007FF8A872EA9D
OPENSSL_sk_find.LIBCRYPTO-1_1 ref: 00007FF8A872EAC0
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A872EACE
EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 00007FF8A872EC02
EVP_get_cipherbyname.LIBCRYPTO-1_1 ref: 00007FF8A872EC61
EVP_get_cipherbyname.LIBCRYPTO-1_1 ref: 00007FF8A872EC7E
EVP_get_cipherbyname.LIBCRYPTO-1_1 ref: 00007FF8A872EC9E
EVP_get_cipherbyname.LIBCRYPTO-1_1 ref: 00007FF8A872ECBB
EVP_get_cipherbyname.LIBCRYPTO-1_1 ref: 00007FF8A872ECDB

Strings

AES-256-CBC-HMAC-SHA1, xrefs: 00007FF8A872EC97
AES-256-CBC-HMAC-SHA256, xrefs: 00007FF8A872ECD4
AES-128-CBC-HMAC-SHA256, xrefs: 00007FF8A872ECB4
RC4-HMAC-MD5, xrefs: 00007FF8A872EC5A
AES-128-CBC-HMAC-SHA1, xrefs: 00007FF8A872EC77

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: P_get_cipherbyname$D_run_onceL_sk_findL_sk_valueR_flags
String ID: AES-128-CBC-HMAC-SHA1$AES-128-CBC-HMAC-SHA256$AES-256-CBC-HMAC-SHA1$AES-256-CBC-HMAC-SHA256$RC4-HMAC-MD5
API String ID: 4011776655-741925770
Opcode ID: 0669f23e6b6eec9916e7ddb097731dd54086a2498511ffa5c8336983b30e7903
Instruction ID: e85f25646ed35315f37e3662e500d7aaae9ad493557708a999cd59e02c9fcdb2
Opcode Fuzzy Hash: 0669f23e6b6eec9916e7ddb097731dd54086a2498511ffa5c8336983b30e7903
Instruction Fuzzy Hash: C1814F32A8B746A5EF71AF14945027932E8FF587D8F944531DA4E42796EF3CE880C728

Function 00007FF8A8711104 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A872B933
X509_free.LIBCRYPTO-1_1 ref: 00007FF8A872B947
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A872B954
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A872B967
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872B980
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872B9AB
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872B9C4
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872B9DD
X509_STORE_free.LIBCRYPTO-1_1 ref: 00007FF8A872B9E9
X509_STORE_free.LIBCRYPTO-1_1 ref: 00007FF8A872B9F5
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872BA1A
CRYPTO_THREAD_lock_free.LIBCRYPTO-1_1 ref: 00007FF8A872BA26
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872BA3B

Strings

..\s\ssl\ssl_cert.c, xrefs: 00007FF8A872B970, 00007FF8A872B99E, 00007FF8A872B9B7, 00007FF8A872B9D0, 00007FF8A872BA0D, 00007FF8A872BA31

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$E_freeX509_Y_free$D_lock_freeL_sk_pop_freeX509_free
String ID: ..\s\ssl\ssl_cert.c
API String ID: 3478116879-349359282
Opcode ID: 051599ced6ac1d9b900c4ed1ce015904e8d61fa9b3736b5ac5cba87f4de5d6ea
Instruction ID: 157fe3ae9d3009aa6338d4dc3f45fe984d0feb241781f4616a6cbf82ec4e6657
Opcode Fuzzy Hash: 051599ced6ac1d9b900c4ed1ce015904e8d61fa9b3736b5ac5cba87f4de5d6ea
Instruction Fuzzy Hash: 4E316D32B8AA42A5EB44EF25D4803BC6321FB85BC4F440032EA5D4769ADF38E561C764

Function 00007FF8A8711E6F Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_iv_length.LIBCRYPTO-1_1 ref: 00007FF8A8722237
memcpy.VCRUNTIME140 ref: 00007FF8A8722658

Strings

M, xrefs: 00007FF8A8722617
..\s\ssl\record\ssl3_record_tls13.c, xrefs: 00007FF8A87221B3, 00007FF8A87225F7, 00007FF8A8722624

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_iv_lengthmemcpy
String ID: ..\s\ssl\record\ssl3_record_tls13.c$M
API String ID: 544732426-1371881060
Opcode ID: a248fa1536625f869eff02b445ecf5a4575a5434dfefbe0031bfa17b5c97ca1b
Instruction ID: b9d88cf29149abfb7ebd60cc98cf4e2d1b72e27dda26d7e22268e917da51bcc6
Opcode Fuzzy Hash: a248fa1536625f869eff02b445ecf5a4575a5434dfefbe0031bfa17b5c97ca1b
Instruction Fuzzy Hash: 78E1F422B5A682AAEB60CB26D4503BD77E0FB497C8F048135DE4D47B95EF38D851C724

Function 00007FF8A871EA80 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 257COMMON

Download Yara Rule

APIs

EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 00007FF8A871EB48
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A871EB50

Strings

..\s\ssl\record\ssl3_record.c, xrefs: 00007FF8A871EAE3, 00007FF8A871EB8D, 00007FF8A871EC0B, 00007FF8A871EE4E, 00007FF8A871EE8D, 00007FF8A871EEC8

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_sizeX_md
String ID: ..\s\ssl\record\ssl3_record.c
API String ID: 3984586431-2721125279
Opcode ID: 84db3ea8021c0cfe29904651d39d52430c1b65a760eb546f7586d4e5c57c8883
Instruction ID: 6c613f39ef001435db24efd5c78549094e51b7775c095b0abef148cfaa03b293
Opcode Fuzzy Hash: 84db3ea8021c0cfe29904651d39d52430c1b65a760eb546f7586d4e5c57c8883
Instruction Fuzzy Hash: 22C19432A4AA82A1F760DF21D8047A93795FB84BC8F844131DA4D4BBA4DF3DE545D738

Function 00007FF8A875A940 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

X509_get0_pubkey.LIBCRYPTO-1_1(?,?,?,?,?,?,?,?,?,00007FF8A875B557), ref: 00007FF8A875A9AF

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875A976, 00007FF8A875A9BF
0, xrefs: 00007FF8A875AB6B

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X509_get0_pubkey
String ID: ..\s\ssl\statem\statem_clnt.c$0
API String ID: 2698272274-513810425
Opcode ID: c60ef5d66cadd84f282e28db2c18b7b7ed1b8eedb0d9a194f8691d8f78a3b868
Instruction ID: 80959a351544241e84202f4455e4a38a070b47408fdc705e5a1b719426d47296
Opcode Fuzzy Hash: c60ef5d66cadd84f282e28db2c18b7b7ed1b8eedb0d9a194f8691d8f78a3b868
Instruction Fuzzy Hash: 3071D33274A74296EB24DB12E4507AAB795EB84BC8F044031DE8D47B95DF3CE642CB68

Function 00007FF8A8711EF1 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A8771B22
memcpy.VCRUNTIME140 ref: 00007FF8A8771B49
memcpy.VCRUNTIME140 ref: 00007FF8A8771BC4
memcmp.VCRUNTIME140 ref: 00007FF8A8771BD9
memcmp.VCRUNTIME140 ref: 00007FF8A8771BF6
memcmp.VCRUNTIME140 ref: 00007FF8A8771C3A
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8771CF2
CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 00007FF8A8771D0C

Strings

server finished, xrefs: 00007FF8A8771BEC
..\s\ssl\t1_enc.c, xrefs: 00007FF8A8771B18, 00007FF8A8771CE1, 00007FF8A8771CFF
extended master secret, xrefs: 00007FF8A8771C30
client finished, xrefs: 00007FF8A8771BCF

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: memcmp$memcpy$O_clear_freeO_mallocR_put_error
String ID: ..\s\ssl\t1_enc.c$client finished$extended master secret$server finished
API String ID: 1314788138-462687698
Opcode ID: a2c7c2993d44508e8e774e9d64e47ed1f7e0fe724717715cb39b61e85cc31dae
Instruction ID: 43cf30814b65801d2710ae34ffca80f5eaccdf222e0eef20ab80a7ac734715c2
Opcode Fuzzy Hash: a2c7c2993d44508e8e774e9d64e47ed1f7e0fe724717715cb39b61e85cc31dae
Instruction Fuzzy Hash: 3E61A062A4AB81A1E7608F15E8403BA77A4FB54BC4F549135DE8C03B59EF3CE581C728

Function 00007FF8A8711AFF Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A872D211
CRYPTO_mem_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A872D221
OPENSSL_sk_find.LIBCRYPTO-1_1 ref: 00007FF8A872D251
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872D26A
CRYPTO_mem_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A872D274
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872D298
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A872D2C1
CRYPTO_mem_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A872D2CF
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872D2F6
CRYPTO_mem_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A872D300
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872D346

Strings

..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A872D205, 00007FF8A872D260, 00007FF8A872D279, 00007FF8A872D2EC, 00007FF8A872D312, 00007FF8A872D327

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_mem_ctrl$O_freeR_put_error$L_sk_findL_sk_pushO_malloc
String ID: ..\s\ssl\ssl_ciph.c
API String ID: 951782134-1847046956
Opcode ID: d6ffe78c984a9a7727b75eeebcee89ca4e3a2a41484359dc379944b31f1d8789
Instruction ID: 44a0e28e18bcf403996fa66df38819e27076d764b31a82dfb1caa84ecacb0e4b
Opcode Fuzzy Hash: d6ffe78c984a9a7727b75eeebcee89ca4e3a2a41484359dc379944b31f1d8789
Instruction Fuzzy Hash: E8418061F8F74262F715EB11E4143B95AA1EF89BC4F540434EA4D0B7D6EF6CE5408B28

Function 00007FF8A8712063 Relevance: 21.0, APIs: 11, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A877AAA3
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A877AABC
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877AAC8
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877AAD4
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877AAE0
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877AAEC
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877AAF8
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877AB04
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877AB10
BN_free.LIBCRYPTO-1_1 ref: 00007FF8A877AB1C
memset.VCRUNTIME140 ref: 00007FF8A877AB2E

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FF8A877AA96, 00007FF8A877AAAF

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: N_free$O_free$memset
String ID: ..\s\ssl\tls_srp.c
API String ID: 2671087460-1778748169
Opcode ID: 7906b3f3e7ac0c16a273dc6ac09d4814df4d70dd73a6bdd6e88d5f947eb82421
Instruction ID: a401af923c9a1d63223795d38c150dda074f006d1d703421afeda96c723a2289
Opcode Fuzzy Hash: 7906b3f3e7ac0c16a273dc6ac09d4814df4d70dd73a6bdd6e88d5f947eb82421
Instruction Fuzzy Hash: FE11DA22A57582A1EB45FF25C8513F82355EF94BC8F540031E90D4A696DF29E641C328

Function 00007FF8A8711028 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 331COMMON

Download Yara Rule

APIs

EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A875CE01
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875CED9
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A875D325

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A875CEF7, 00007FF8A875CF07
..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875CE0D, 00007FF8A875CEB0, 00007FF8A875CF31, 00007FF8A875CF52
z, xrefs: 00007FF8A875D2FC

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeX_freeY_free
String ID: ..\s\ssl\statem\statem_clnt.c$c:\a\6\s\ssl\packet_locl.h$z
API String ID: 392469334-898382007
Opcode ID: e5d51fa70321f13d4fc234ab60147dbe6e860dbfb4ea4f26ed47027690ae6090
Instruction ID: c3f3789c6f0ae81929ed980c91a1ba790238464d546311b899874973daa8f24d
Opcode Fuzzy Hash: e5d51fa70321f13d4fc234ab60147dbe6e860dbfb4ea4f26ed47027690ae6090
Instruction Fuzzy Hash: 66E17872B4A642A5FB28CA21D4407B92FA1EB45BD8F045131DE4D1BB99DF3CE285C728

Function 00007FF8A871207C Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 316COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875D62B
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A875D6F5
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875D71E
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A875D745
EVP_sha256.LIBCRYPTO-1_1 ref: 00007FF8A875D86F
EVP_Digest.LIBCRYPTO-1_1 ref: 00007FF8A875D89B
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A875D927
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875D9B3

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875D600, 00007FF8A875D6FE
resumption, xrefs: 00007FF8A875D956
o, xrefs: 00007FF8A875D8BD

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$D_sizeDigestO_mallocP_sha256_time64
String ID: ..\s\ssl\statem\statem_clnt.c$o$resumption
API String ID: 1034084170-2120662796
Opcode ID: d00a0f078ee3ac19f8569a99c78a1e111f28aa969934c48dfa25f5a70fbfb9d9
Instruction ID: 78095107de384a2d24f216b1f9b281de3b9650d29a8754f10400c631cdbd08c2
Opcode Fuzzy Hash: d00a0f078ee3ac19f8569a99c78a1e111f28aa969934c48dfa25f5a70fbfb9d9
Instruction Fuzzy Hash: 57E1BE3264AA8195EB24CF16E4843AD7FA1FB89BC8F049135EA8C87794DF3DE441C714

Function 00007FF8A871101E Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8A875A5D0: OPENSSL_cleanse.LIBCRYPTO-1_1(?,?,00000000,?,?,?,00007FF8A875B53E), ref: 00007FF8A875A826
Part of subcall function 00007FF8A875A5D0: OPENSSL_cleanse.LIBCRYPTO-1_1(?,?,00000000,?,?,?,00007FF8A875B53E), ref: 00007FF8A875A835
Part of subcall function 00007FF8A875A5D0: CRYPTO_clear_free.LIBCRYPTO-1_1(?,?,00000000,?,?,?,00007FF8A875B53E), ref: 00007FF8A875A849
Part of subcall function 00007FF8A875A5D0: CRYPTO_clear_free.LIBCRYPTO-1_1(?,?,00000000,?,?,?,00007FF8A875B53E), ref: 00007FF8A875A85D

EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A875B5CD
BN_num_bits.LIBCRYPTO-1_1 ref: 00007FF8A875B635
BN_bn2bin.LIBCRYPTO-1_1 ref: 00007FF8A875B677
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A875B684
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875B799
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A875B7A1
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875B836
CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 00007FF8A875B8E6
CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 00007FF8A875B917

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875B516

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_clear_free$Y_free$L_cleanseO_free$N_bn2binN_num_bits
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 407376196-1507966698
Opcode ID: d92df96b983f04ba9464eed69f0818f9326b374627714f5abaab226193589c8a
Instruction ID: 81ca2da4bbe5dfe4bc6c75b70c8da668b7bac606ead8c21b478fbea2da8d96b7
Opcode Fuzzy Hash: d92df96b983f04ba9464eed69f0818f9326b374627714f5abaab226193589c8a
Instruction Fuzzy Hash: 92B1B272A4A782A5FB69DB12D450BB92751EF85FC4F185131EE8D0BB95CF3CE1018728

Function 00007FF8A8729040 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87290CA
ASN1_item_free.LIBCRYPTO-1_1 ref: 00007FF8A87290D9
memcpy.VCRUNTIME140 ref: 00007FF8A87291EE
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A8729205
X509_free.LIBCRYPTO-1_1 ref: 00007FF8A872922D
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87292E0

Part of subcall function 00007FF8A8729B70: CRYPTO_free.LIBCRYPTO-1_1(00000000,00007FF8A872927F), ref: 00007FF8A8729B99
Part of subcall function 00007FF8A8729B70: CRYPTO_strndup.LIBCRYPTO-1_1(00000000,00007FF8A872927F), ref: 00007FF8A8729BBE

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87293A0
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8729409
ASN1_item_free.LIBCRYPTO-1_1 ref: 00007FF8A872945B

Strings

..\s\ssl\ssl_asn1.c, xrefs: 00007FF8A87290BA, 00007FF8A8729134, 00007FF8A872915E, 00007FF8A87292BD, 00007FF8A8729333, 00007FF8A872937A, 00007FF8A87293EF

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$N1_item_free$O_strndupR_put_errorX509_free_time64memcpy
String ID: ..\s\ssl\ssl_asn1.c
API String ID: 3498103060-3659835543
Opcode ID: 7e7d3a42c9b02347176a37bfccebe9c3884c758c242b50cb4785e4a81089b42f
Instruction ID: c892a3fe783efb297ebae3dee9f8a0f01ed0f4261ae6b5c1e4106cb16aaf9cd3
Opcode Fuzzy Hash: 7e7d3a42c9b02347176a37bfccebe9c3884c758c242b50cb4785e4a81089b42f
Instruction Fuzzy Hash: D8C1293264AB86A6EB649F25D4847A833E0FB44B84F484036DF5D4B795EF38E5A0C324

Function 00007FF8A8711ACD Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A87430DB
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8743103

Strings

..\s\ssl\ssl_sess.c, xrefs: 00007FF8A87430CF, 00007FF8A87430E8, 00007FF8A8743151, 00007FF8A87431A3
T, xrefs: 00007FF8A8743158

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_zallocR_put_error
String ID: ..\s\ssl\ssl_sess.c$T
API String ID: 2718799170-2647723609
Opcode ID: 5ae9f38cfef7a5515773f63cd3fe129ed58ef47d211663cf1b951027431a2655
Instruction ID: 173a65e590d9fa3ebd663e013e2d64bde937d3d84fed586ec2c6db14fd7a415e
Opcode Fuzzy Hash: 5ae9f38cfef7a5515773f63cd3fe129ed58ef47d211663cf1b951027431a2655
Instruction Fuzzy Hash: C4318531A5AA4292EB50EF61D8057F926E1FB88784F845036DA1D47795EF3CE508CB24

Function 00007FF8A872DA30 Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

COMP_zlib.LIBCRYPTO-1_1 ref: 00007FF8A872DA3F
CRYPTO_mem_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A872DA4C
OPENSSL_sk_new.LIBCRYPTO-1_1 ref: 00007FF8A872DA58
COMP_get_type.LIBCRYPTO-1_1 ref: 00007FF8A872DA67
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A872DA91
COMP_get_name.LIBCRYPTO-1_1 ref: 00007FF8A872DAAB
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A872DABE
OPENSSL_sk_sort.LIBCRYPTO-1_1 ref: 00007FF8A872DACA
CRYPTO_mem_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A872DAD9

Strings

..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A872DA85

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_mem_ctrl$L_sk_newL_sk_pushL_sk_sortO_mallocP_get_nameP_get_typeP_zlib
String ID: ..\s\ssl\ssl_ciph.c
API String ID: 680475741-1847046956
Opcode ID: 02b3ac63088004735e3a3c1d5530f46cb10b6455710c2f01f4791ff1c3e9a59a
Instruction ID: 7dfd98d9e606e920c4d729c587e40ebe350947b4fe186e01097a30d1bd9bab73
Opcode Fuzzy Hash: 02b3ac63088004735e3a3c1d5530f46cb10b6455710c2f01f4791ff1c3e9a59a
Instruction Fuzzy Hash: 68111861E9F70261FB45AB15E8153B8AAA4EF88BC4F440035E90D0B7E2EF6CE440C728

Function 00007FF8A8762110 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 314COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,00007FF8A8761EE3), ref: 00007FF8A87621B0
EVP_MD_CTX_free.LIBCRYPTO-1_1(?,?,?,?,?,?,?,00007FF8A8761EE3), ref: 00007FF8A87621B9
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87621CB
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87621DD
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87621EE
memset.VCRUNTIME140(?,?,?,?,?,?,00007FF8A8761EE3), ref: 00007FF8A8762265
memcpy.VCRUNTIME140 ref: 00007FF8A87623EA

Strings

..\s\ssl\statem\statem_dtls.c, xrefs: 00007FF8A876214F, 00007FF8A876243E, 00007FF8A87624F3, 00007FF8A8762546

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$X_free$memcpymemset
String ID: ..\s\ssl\statem\statem_dtls.c
API String ID: 1378287987-3140652063
Opcode ID: 94c01cb7e329e10205ed4c22f942804327cf3f53f20210a0164e3a1f009d15c7
Instruction ID: 834c0ff96a390700ab34ab8754e03630b0a50a4a547bece4c305a952a5ef226c
Opcode Fuzzy Hash: 94c01cb7e329e10205ed4c22f942804327cf3f53f20210a0164e3a1f009d15c7
Instruction Fuzzy Hash: 9EE1BF32B1A681A6EBA49F21D4503BCB7A1FB45BC8F044035EE8D4BB95CF38D995C324

Function 00007FF8A876E910 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

EVP_PKEY_CTX_new.LIBCRYPTO-1_1(?,?,?,?,?,?,..\s\ssl\statem\statem_srvr.c,00007FF8A8770885), ref: 00007FF8A876E995
X509_get0_pubkey.LIBCRYPTO-1_1(?,?,?,?,?,?,..\s\ssl\statem\statem_srvr.c,00007FF8A8770885), ref: 00007FF8A876E9FE
ERR_clear_error.LIBCRYPTO-1_1(?,?,?,?,?,?,..\s\ssl\statem\statem_srvr.c,00007FF8A8770885), ref: 00007FF8A876EA17
EVP_PKEY_decrypt.LIBCRYPTO-1_1(?,?,?,?,?,?,..\s\ssl\statem\statem_srvr.c,00007FF8A8770885), ref: 00007FF8A876EAE2
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1(?,?,?,?,?,?,..\s\ssl\statem\statem_srvr.c,00007FF8A8770885), ref: 00007FF8A876EB52
EVP_PKEY_CTX_free.LIBCRYPTO-1_1(?,?,?,?,?,?,..\s\ssl\statem\statem_srvr.c,00007FF8A8770885), ref: 00007FF8A876EBA3

Strings

, xrefs: 00007FF8A876E93D
..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A876E915, 00007FF8A876E9AE, 00007FF8A876EB83
+, xrefs: 00007FF8A876EB73

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_clear_errorX509_get0_pubkeyX_ctrlX_freeX_newY_decrypt
String ID: $+$..\s\ssl\statem\statem_srvr.c
API String ID: 2818273386-3825620723
Opcode ID: e399e3b895ee4be37c7f464b603969c2077d2af6227d06419fcdff418546c30f
Instruction ID: 3a92938f26cc83d4ad061cecab8c9a18531de4f5b49db5e98237ca4e4c10f0bc
Opcode Fuzzy Hash: e399e3b895ee4be37c7f464b603969c2077d2af6227d06419fcdff418546c30f
Instruction Fuzzy Hash: 7771E372A4EB42A1FB609B15E4407B97790EF84BC4F688135EA8D07B95DF3CE541C728

Function 00007FF8A8727FE0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

EVP_PKEY_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A872802B
EVP_PKEY_derive_init.LIBCRYPTO-1_1 ref: 00007FF8A8728036
EVP_PKEY_derive_set_peer.LIBCRYPTO-1_1 ref: 00007FF8A8728049
EVP_PKEY_derive.LIBCRYPTO-1_1 ref: 00007FF8A8728060
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A8728082
EVP_PKEY_derive.LIBCRYPTO-1_1 ref: 00007FF8A87280AB
CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 00007FF8A87281C0
EVP_PKEY_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A87281C8

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A8728072, 00007FF8A872818A, 00007FF8A87281F2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: Y_derive$O_clear_freeO_mallocX_freeX_newY_derive_initY_derive_set_peer
String ID: ..\s\ssl\s3_lib.c
API String ID: 2104848214-4238427508
Opcode ID: c3fa8c68627f24cd9c83baff33b25ae08f74552ecc575daf68d025c33a24ef8a
Instruction ID: 37394de86e92324ba01d1ee080690fa5938c6b561767431288386a3b61c6ae7e
Opcode Fuzzy Hash: c3fa8c68627f24cd9c83baff33b25ae08f74552ecc575daf68d025c33a24ef8a
Instruction Fuzzy Hash: A751E532B5E64262FB24DA12A8406B967D1FF84BC4F044435DE8C4BB95EF3DE551C728

Function 00007FF8A8735D50 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8735D82
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8735DD9
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8735E2D

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A8735D78, 00007FF8A8735DC5, 00007FF8A8735E1D, 00007FF8A8735ED4

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$O_free
String ID: ..\s\ssl\ssl_lib.c
API String ID: 3616133153-1080266419
Opcode ID: 93953efb896dc761844fa9dd57e64d78bc94da747e2105a61f60f2f69bc111eb
Instruction ID: 2d4cbda5e7bb493c767023ff6475399e295a270f2d3dd52a74409c3cfe820cd1
Opcode Fuzzy Hash: 93953efb896dc761844fa9dd57e64d78bc94da747e2105a61f60f2f69bc111eb
Instruction Fuzzy Hash: CC515772A4AB8291E750DF21D8443AD33A4FB85F98F484135CA9C4B7A9DF38D481CB24

Function 00007FF8A8711F82 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 412COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A871A79D
BIO_clear_flags.LIBCRYPTO-1_1 ref: 00007FF8A871AA8B
BIO_set_flags.LIBCRYPTO-1_1 ref: 00007FF8A871AA98
BIO_snprintf.LIBCRYPTO-1_1 ref: 00007FF8A871AB51
ERR_add_error_data.LIBCRYPTO-1_1 ref: 00007FF8A871AB67

Strings

SSL alert number , xrefs: 00007FF8A871AB60
..\s\ssl\record\rec_layer_d1.c, xrefs: 00007FF8A871A6BC, 00007FF8A871A734

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_clear_flagsO_freeO_set_flagsO_snprintfR_add_error_data
String ID: ..\s\ssl\record\rec_layer_d1.c$SSL alert number
API String ID: 3064126697-720991377
Opcode ID: accc02505d5ef5ebf6448eef49741ac6b4e051723696af77402d22a0f9ae448c
Instruction ID: 9e87cfc92c7814ee96edf3ecfa9684f80638901f54f3a9f2484bce470ac24c0d
Opcode Fuzzy Hash: accc02505d5ef5ebf6448eef49741ac6b4e051723696af77402d22a0f9ae448c
Instruction Fuzzy Hash: C2128531A8A682A5FB608F21D4503B9B6A0EB45BD8F084135DE4D4BAE9DF3DE445C738

Function 00007FF8A872EFC0 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 369stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A872F177
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A872F21A
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872F3A9
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A872F3DD
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872F438

Strings

SECLEVEL=, xrefs: 00007FF8A872F3D6
STRENGTH, xrefs: 00007FF8A872F213
..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A872F399, 00007FF8A872F428

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: strncmp$R_put_error
String ID: ..\s\ssl\ssl_ciph.c$SECLEVEL=$STRENGTH
API String ID: 2707563706-3120971754
Opcode ID: 44fb702380f2bb2c46561585e3925fe35465a44421aaf26e1847d0e198ccb994
Instruction ID: c231b66024b7e2ee4c6ffeb8971e2500eb9880e8c3a5417a6a458d0683aa6dd9
Opcode Fuzzy Hash: 44fb702380f2bb2c46561585e3925fe35465a44421aaf26e1847d0e198ccb994
Instruction Fuzzy Hash: 62F1A172A4E6829AE770CF25E40037A77E1FB89BD4F544135DA9D43A98EB3CE8418F14

Function 00007FF8A875A190 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 198COMMON

Download Yara Rule

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875A196, 00007FF8A875A1F9, 00007FF8A875A232
, xrefs: 00007FF8A875A3B9

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID:
String ID: $..\s\ssl\statem\statem_clnt.c
API String ID: 0-745226041
Opcode ID: b52115dda393f4357d386fd4cda95e55dfaeff608795671e95da5661acfa4efa
Instruction ID: 88c061d836823a339f44271d0364563cf1d16eacdd07f6c1073ff70e06a74d06
Opcode Fuzzy Hash: b52115dda393f4357d386fd4cda95e55dfaeff608795671e95da5661acfa4efa
Instruction Fuzzy Hash: A481B37174B78266FB689B16E4147BA6251EF84BC4F005031EE8E4BB96DF3CE542C728

Function 00007FF8A8711E97 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF8A8754272
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87542A5
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87542C4
CRYPTO_strndup.LIBCRYPTO-1_1 ref: 00007FF8A87542DC
CRYPTO_memcmp.LIBCRYPTO-1_1 ref: 00007FF8A8754353

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A87542BB, 00007FF8A87542CF
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A8754277, 00007FF8A87543AD, 00007FF8A87543DE
k, xrefs: 00007FF8A87543D6

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$O_memcmpO_strndupmemchr
String ID: ..\s\ssl\statem\extensions_srvr.c$c:\a\6\s\ssl\packet_locl.h$k
API String ID: 2294304191-3731288143
Opcode ID: 0740f029613d31b1dbbf0e720b8bb8a9bba23b63f22bbe2036924612453fd76d
Instruction ID: 70438237cb367e6cb1e8e560ce58137b9948839333b2612b0fad39944b76745a
Opcode Fuzzy Hash: 0740f029613d31b1dbbf0e720b8bb8a9bba23b63f22bbe2036924612453fd76d
Instruction Fuzzy Hash: 217124B2A8E79196EB548B15E4403B977A1FB847C0F045235EA9D57BE4CF3CE180C754

Function 00007FF8A8711BF9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 00007FF8A871FB38
EVP_CIPHER_CTX_block_size.LIBCRYPTO-1_1 ref: 00007FF8A871FB63
memset.VCRUNTIME140 ref: 00007FF8A871FB94
EVP_Cipher.LIBCRYPTO-1_1 ref: 00007FF8A871FBD8
EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 00007FF8A871FBE9
EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 00007FF8A871FBFA
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A871FC02

Strings

..\s\ssl\record\ssl3_record.c, xrefs: 00007FF8A871FC18

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_md$CipherD_sizeX_block_sizeX_ciphermemset
String ID: ..\s\ssl\record\ssl3_record.c
API String ID: 2928813329-2721125279
Opcode ID: 0838d48073e85c8e37a80c080673eab5d89c6697bc256662034cd5a1a7298da3
Instruction ID: b1f4e049b96c304886c5bf53f60cc2a6e13e3f088555fc03f0016b7d341d6fc7
Opcode Fuzzy Hash: 0838d48073e85c8e37a80c080673eab5d89c6697bc256662034cd5a1a7298da3
Instruction Fuzzy Hash: 8F510A32B8AA8162EB24DE26D5606BA6791FB44BD8F144131DF4D07F61DF3CE451D318

Function 00007FF8A8719FC0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A871A020
memset.VCRUNTIME140 ref: 00007FF8A871A0EF
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A871A10D
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A871A11E

Strings

..\s\ssl\record\rec_layer_d1.c, xrefs: 00007FF8A871A012

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$O_mallocmemset
String ID: ..\s\ssl\record\rec_layer_d1.c
API String ID: 1168073369-1306860146
Opcode ID: cb1c2e2e2c577e105b95e25f3491dcf53fc35653235691055057ac0863a9655b
Instruction ID: c1427360cbee2a365c4a298baa718db8854d0240ab2bf1a0a19f572a43904726
Opcode Fuzzy Hash: cb1c2e2e2c577e105b95e25f3491dcf53fc35653235691055057ac0863a9655b
Instruction Fuzzy Hash: 6F51B622A09B8182E710EF35E8402B9A3A1FB95BC4F149234DF9D4BB56EF3DE581C754

Function 00007FF8A8711005 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A871937A
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8719390
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87193D5
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87193EB
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8719435
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A871944B
memset.VCRUNTIME140 ref: 00007FF8A871947E

Strings

..\s\ssl\record\rec_layer_d1.c, xrefs: 00007FF8A8719369, 00007FF8A8719383, 00007FF8A87193C4, 00007FF8A87193DE, 00007FF8A8719424, 00007FF8A871943E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$memset
String ID: ..\s\ssl\record\rec_layer_d1.c
API String ID: 286756525-1306860146
Opcode ID: 8a6c0e93becfcd759957275409e6eaf5b712d25d0c6fae68a3e4024bf0415c9e
Instruction ID: 89a7884893455adf3538ef068a36db9ecc9d2479efa45693495a6205e88924be
Opcode Fuzzy Hash: 8a6c0e93becfcd759957275409e6eaf5b712d25d0c6fae68a3e4024bf0415c9e
Instruction Fuzzy Hash: D441232275BA4290EF14EF26D4502B86751EF84FC8F581435EA4D4BBA6EF2DE442C364

Function 00007FF8A873C0F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A873C12E
CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A873C148
OBJ_nid2sn.LIBCRYPTO-1_1 ref: 00007FF8A873C17A
EVP_get_digestbyname.LIBCRYPTO-1_1 ref: 00007FF8A873C182

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873C11E, 00007FF8A873C139, 00007FF8A873C1DD, 00007FF8A873C1F2, 00007FF8A873C20E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_zalloc$J_nid2snP_get_digestbyname
String ID: ..\s\ssl\ssl_lib.c
API String ID: 4284552970-1080266419
Opcode ID: a0346553b6f201cc896888fb512db2eab44c67314ecb4c880cef8ce3580fddd2
Instruction ID: fede9be38378ace4c5c4d66b4e934f6f0f4b706a27aa49ee9bdc4b4b06888c1c
Opcode Fuzzy Hash: a0346553b6f201cc896888fb512db2eab44c67314ecb4c880cef8ce3580fddd2
Instruction Fuzzy Hash: ED31E166B4FB91A6E7119B25E4003A97760EB85BC0F480035DF8C07B9ADF7DE151C724

Function 00007FF8A872D940 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CRYPTO_mem_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A872D95C
OPENSSL_sk_new.LIBCRYPTO-1_1 ref: 00007FF8A872D968
COMP_get_type.LIBCRYPTO-1_1 ref: 00007FF8A872D977
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A872D9A1
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A872D9CE
OPENSSL_sk_sort.LIBCRYPTO-1_1 ref: 00007FF8A872D9DA
CRYPTO_mem_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A872D9E9

Strings

..\s\ssl\ssl_ciph.c, xrefs: 00007FF8A872D995

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_mem_ctrl$L_sk_newL_sk_pushL_sk_sortO_mallocP_get_type
String ID: ..\s\ssl\ssl_ciph.c
API String ID: 2525466407-1847046956
Opcode ID: c0fda2c7cfd2f08080c51aecd5afd4d8a6e0385d499b365ab04a7af8835099d9
Instruction ID: 198e818f70513b322490496a3bb7ac39273e98b09f0c9c5175ffd6a0f7632972
Opcode Fuzzy Hash: c0fda2c7cfd2f08080c51aecd5afd4d8a6e0385d499b365ab04a7af8835099d9
Instruction Fuzzy Hash: 47113C61E9F70261FB45AB15E8153B8A694EF88BC4F440036E94D0B7E2EF6CE440C338

Function 00007FF8A8711B0E Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF8A874A1E0
OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 00007FF8A874A31B
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A874A358
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A874A370
OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 00007FF8A874A3C7
CRYPTO_memcmp.LIBCRYPTO-1_1 ref: 00007FF8A874A558

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A874A199, 00007FF8A874A277, 00007FF8A874A2AB, 00007FF8A874A331, 00007FF8A874A3A2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_cleanse$O_freeO_memcmpO_memdupmemset
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 780863833-592572767
Opcode ID: 86bf496f679b3b7786b672491b5610af1af8bf809d3bf7cd0764ed97caaeb9cd
Instruction ID: 9cb3f010fc052cf901d4dc762fbe37ee51659d276467181e0333c8ae62619a5e
Opcode Fuzzy Hash: 86bf496f679b3b7786b672491b5610af1af8bf809d3bf7cd0764ed97caaeb9cd
Instruction Fuzzy Hash: DCE1C631A4EA8296EB60CB55E4443BEB7A1FB847C4F144131EA8D4BB98DF3CD585C724

Function 00007FF8A8747DD0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A8747E5B
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8748289

Strings

gfffffff, xrefs: 00007FF8A8747EBE
gfffffff, xrefs: 00007FF8A8748130
gfffffff, xrefs: 00007FF8A8747FFC
gfffffff, xrefs: 00007FF8A874800C
..\s\ssl\statem\extensions.c, xrefs: 00007FF8A8747E3E, 00007FF8A874815A, 00007FF8A874818A, 00007FF8A87481BA, 00007FF8A8748271

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_zalloc
String ID: ..\s\ssl\statem\extensions.c$gfffffff$gfffffff$gfffffff$gfffffff
API String ID: 2237658545-598456477
Opcode ID: b22d729487809d557a3d33063db97eaab8ac1ca793ce9e3dc5a18c44bfa7e4ca
Instruction ID: 5b8dfec4d3ce4e3feb7e80405df2845d048d76aaad135b83bc484aad0913ac5e
Opcode Fuzzy Hash: b22d729487809d557a3d33063db97eaab8ac1ca793ce9e3dc5a18c44bfa7e4ca
Instruction Fuzzy Hash: F4C14532A4AB8992EB608B46F4407BA77A0FB84BC4F144136CEAD47B94CF3DD491C719

Function 00007FF8A876EF80 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

EVP_PKEY_get0_RSA.LIBCRYPTO-1_1(?,?,?,?,00007FF8A87706EA), ref: 00007FF8A876EFB7

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A876EFCF, 00007FF8A876F0AE, 00007FF8A876F0DF

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: Y_get0_
String ID: ..\s\ssl\statem\statem_srvr.c
API String ID: 2256133966-348624464
Opcode ID: 8fd71ec65a6dfdb4e59a58c5261a0906fa3b1b7508e60a72f15b55f1af989665
Instruction ID: 11eb79a1e999de87a10b719ea682654a5b9fad13ca8c6786c6c8043355adab19
Opcode Fuzzy Hash: 8fd71ec65a6dfdb4e59a58c5261a0906fa3b1b7508e60a72f15b55f1af989665
Instruction Fuzzy Hash: 5EA1533271E6819AE7248B21E8107BE7BA0FB857C4F404634EA8D8BB86DF3CD545CB14

Function 00007FF8A871212B Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A8766D6E
EVP_MD_CTX_copy_ex.LIBCRYPTO-1_1 ref: 00007FF8A8766DA9
CRYPTO_memcmp.LIBCRYPTO-1_1 ref: 00007FF8A8766EB0
memcpy.VCRUNTIME140 ref: 00007FF8A8766F09
memcpy.VCRUNTIME140 ref: 00007FF8A8766F25

Strings

O, xrefs: 00007FF8A8766DB2
..\s\ssl\statem\statem_lib.c, xrefs: 00007FF8A8766E06

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: memcpy$O_memcmpX_copy_exX_new
String ID: ..\s\ssl\statem\statem_lib.c$O
API String ID: 941845511-1434326050
Opcode ID: 504e8cfc47fc407f1f468d2551aaed851390b3828e4e6bff11e3aa74a68fdae4
Instruction ID: fcb9a1dce523af2eb95e4812f368f5655db2db9d97e877985b248b3bbf049248
Opcode Fuzzy Hash: 504e8cfc47fc407f1f468d2551aaed851390b3828e4e6bff11e3aa74a68fdae4
Instruction Fuzzy Hash: 1881A272B4A641A6EBA18F15D440BAD37A0FB40FC8F984035DA4C4B7A8CF7DE985C725

Function 00007FF8A8711FA0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 00007FF8A87708D1

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A8770674
y, xrefs: 00007FF8A87706B6

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_clear_free
String ID: ..\s\ssl\statem\statem_srvr.c$y
API String ID: 2011826501-250535175
Opcode ID: 02ea46a341b3ac752227e9fe15433ed3a83cb194abfae2c8fb4ef930d3aee8c3
Instruction ID: ddf213e621504c393724f85a40ed0afd7c0775319775469f81c83352fe6b146c
Opcode Fuzzy Hash: 02ea46a341b3ac752227e9fe15433ed3a83cb194abfae2c8fb4ef930d3aee8c3
Instruction Fuzzy Hash: 9561CE32E8B682A5F7609B16D4947BD26A0EB80BC4F184131DE8C4BBD5CF3CE441CB68

Function 00007FF8A8711C1C Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

, xrefs: 00007FF8A8772459
..\s\ssl\t1_enc.c, xrefs: 00007FF8A87722C7, 00007FF8A8772384
key expansion, xrefs: 00007FF8A8772452
, xrefs: 00007FF8A8772444

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID:
String ID: $ $..\s\ssl\t1_enc.c$key expansion
API String ID: 0-2405982772
Opcode ID: 00e4ceef71d3f967ad82ad07f975e0ef309b05b5ddf9f8cc28cdfed3fcec350b
Instruction ID: ead6331e8afbbf8b52cff431cfa0511cfec641cc2881f142eecd6e79d7498c09
Opcode Fuzzy Hash: 00e4ceef71d3f967ad82ad07f975e0ef309b05b5ddf9f8cc28cdfed3fcec350b
Instruction Fuzzy Hash: 9F716B3264AB81A6EBA4CF15E4803EDB7A4F788B94F044136DB8D07B54CF38D5A9CB14

Function 00007FF8A876EC80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A876ED52, 00007FF8A876ED71
..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A876EC85, 00007FF8A876EDE6, 00007FF8A876EEA0

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\statem_srvr.c$c:\a\6\s\ssl\packet_locl.h
API String ID: 0-3574010447
Opcode ID: fd165d01d434ba55c1cb6715ec2c4d638b8887a1889ac74a023fd1009967e8b0
Instruction ID: 633f7e2d4b23b51f97478aad6bbd440c74ade48312a12591289be20abc4aa8fa
Opcode Fuzzy Hash: fd165d01d434ba55c1cb6715ec2c4d638b8887a1889ac74a023fd1009967e8b0
Instruction Fuzzy Hash: B851C332B4AA81A5F7609B11E4407BE7760F788BC8F544131EA9D07BA4DF3CD595CB24

Function 00007FF8A8711D9D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

CONF_parse_list.LIBCRYPTO-1_1 ref: 00007FF8A877686F
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87768C3
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87769E6

Strings

..\s\ssl\t1_lib.c, xrefs: 00007FF8A87768A6, 00007FF8A87768DF, 00007FF8A87768F3, 00007FF8A8776982, 00007FF8A87769DC

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: F_parse_listO_freeR_put_error
String ID: ..\s\ssl\t1_lib.c
API String ID: 3984800049-1643863364
Opcode ID: 3e61863d7fb49f107a188f56dd70355b02bffbf8f4dc67c9efcef499e17c5dbe
Instruction ID: 9180c8682d07aac19bcc47246f9644e915e6cde71f9728c9a9aa6bc501ba2968
Opcode Fuzzy Hash: 3e61863d7fb49f107a188f56dd70355b02bffbf8f4dc67c9efcef499e17c5dbe
Instruction Fuzzy Hash: 08416D32A4BA52A6E7A0CB11D840BB973A0FB58BC4F454139D98D07B98DF7CE545CB28

Function 00007FF8A8761960 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A87619D0
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A87619D9
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87619EF
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8761A05
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8761A1A
memcpy.VCRUNTIME140 ref: 00007FF8A8761A8E

Strings

..\s\ssl\statem\statem_dtls.c, xrefs: 00007FF8A87619E2, 00007FF8A87619F8, 00007FF8A8761A10

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$X_free$memcpy
String ID: ..\s\ssl\statem\statem_dtls.c
API String ID: 1711549817-3140652063
Opcode ID: 8858f249ca6f69a65f0d607540f2cb391f0198a4bd9761290ca33ba841402d27
Instruction ID: 562e9f8e1c7f5327f92260c928bf6d31d7602c99f5c3967cc06a2c1ca6b41faf
Opcode Fuzzy Hash: 8858f249ca6f69a65f0d607540f2cb391f0198a4bd9761290ca33ba841402d27
Instruction Fuzzy Hash: 0E41AC22A4AA4291EB54EF66E4553B92361EF84FC4F044031DE8D4B796DF3CD882C328

Function 00007FF8A874ECA0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1(?,?,?,00007FF8A874E84E), ref: 00007FF8A874ECDD
CRYPTO_malloc.LIBCRYPTO-1_1(?,?,?,00007FF8A874E84E), ref: 00007FF8A874ECF7
CRYPTO_free.LIBCRYPTO-1_1(?,?,?,00007FF8A874E84E), ref: 00007FF8A874EDA0
CRYPTO_free.LIBCRYPTO-1_1(?,?,?,00007FF8A874E84E), ref: 00007FF8A874EDB5
CRYPTO_free.LIBCRYPTO-1_1(?,?,?,00007FF8A874E84E), ref: 00007FF8A874EDCE
CRYPTO_free.LIBCRYPTO-1_1(?,?,?,00007FF8A874E84E), ref: 00007FF8A874EDE3

Strings

..\s\ssl\statem\extensions_cust.c, xrefs: 00007FF8A874ECCA, 00007FF8A874ECE8, 00007FF8A874ED96, 00007FF8A874EDAB, 00007FF8A874EDC4, 00007FF8A874EDD9

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$O_malloc
String ID: ..\s\ssl\statem\extensions_cust.c
API String ID: 2767441526-3973221358
Opcode ID: f215baa7073ca4f4fb2e75baa64611919c353d9e5cba702df3a41c334ae1fba1
Instruction ID: a713857460b349f649bae433ca48089076d0d65cce45f811f3a415c2f376687b
Opcode Fuzzy Hash: f215baa7073ca4f4fb2e75baa64611919c353d9e5cba702df3a41c334ae1fba1
Instruction Fuzzy Hash: 51316D3674EB81A1EB10DB16E8406AA73A0FB89BD0F444135DE8D47B65EF7CD1508718

Function 00007FF8A8711AB9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

CONF_parse_list.LIBCRYPTO-1_1 ref: 00007FF8A87774BF
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A877750A
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8777532

Strings

..\s\ssl\t1_lib.c, xrefs: 00007FF8A87774E1, 00007FF8A8777517, 00007FF8A8777549

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: F_parse_listO_mallocR_put_error
String ID: ..\s\ssl\t1_lib.c
API String ID: 3458554092-1643863364
Opcode ID: 325817bae9ed82bbd3c35002695c00800150ce1f18cfe50ac2cb8f1513004902
Instruction ID: 0713db0c302eb56bb7f08d8b513e4161e4cf484a8dba1005687d5a83bdfb17e9
Opcode Fuzzy Hash: 325817bae9ed82bbd3c35002695c00800150ce1f18cfe50ac2cb8f1513004902
Instruction Fuzzy Hash: C0313932A5BA82A6E760DB11E4407FA73A5EB48BC4F440136DE8D47B55DF3CE544CB28

Function 00007FF8A872BB70 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A872BB8F
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872BBB7
CRYPTO_THREAD_lock_new.LIBCRYPTO-1_1 ref: 00007FF8A872BBF8
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872BC24
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872BC39

Strings

B, xrefs: 00007FF8A872BC10
..\s\ssl\ssl_cert.c, xrefs: 00007FF8A872BB88, 00007FF8A872BB9C, 00007FF8A872BC09, 00007FF8A872BC2F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$D_lock_newO_freeO_zalloc
String ID: ..\s\ssl\ssl_cert.c$B
API String ID: 3411496311-1824687510
Opcode ID: f5b4160db7fb2a49903338376766cfb787b54cabaa19fe5d13ea93a546565ea9
Instruction ID: 0b82f6c38687a67ae59fe0a93a64d34fc1d9cf61c444b2d150efd3e7420bc3c1
Opcode Fuzzy Hash: f5b4160db7fb2a49903338376766cfb787b54cabaa19fe5d13ea93a546565ea9
Instruction Fuzzy Hash: 2F118B71A8B742A6E711DF20E4003E937A1FF84788F844535CA4C0A396EF7CE695CB28

Function 00007FF8A8711A05 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

..\s\ssl\s3_enc.c, xrefs: 00007FF8A8724FFA, 00007FF8A87250AF

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID:
String ID: ..\s\ssl\s3_enc.c
API String ID: 0-1839494539
Opcode ID: 2b381683268a77f2856527c629260568b443d877ed8306b885aca1c1d2dadc3e
Instruction ID: 50e6e05764ff077eecf5c4b04036c3e8d5935d5819c6e8bb50db09ace00ff2b3
Opcode Fuzzy Hash: 2b381683268a77f2856527c629260568b443d877ed8306b885aca1c1d2dadc3e
Instruction Fuzzy Hash: BE51583670AB81A6EB94CB25E4803A977A0FB88BD4F544132DB8C47764EF38D1A5CB14

Function 00007FF8A8711E56 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A8718C37
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8718C60

Strings

b, xrefs: 00007FF8A8718C4C
..\s\ssl\packet.c, xrefs: 00007FF8A8718C29, 00007FF8A8718C45, 00007FF8A8718CFE

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_zallocR_put_error
String ID: ..\s\ssl\packet.c$b
API String ID: 2718799170-1717309047
Opcode ID: 8e154372d9579edd06fa87ef2637298999779d031245173bad8de20e3a265e24
Instruction ID: c1f29df3c23f13af4a1d1ec3f289dd5a105bfa1d5b4f132f7d34f864d098a274
Opcode Fuzzy Hash: 8e154372d9579edd06fa87ef2637298999779d031245173bad8de20e3a265e24
Instruction Fuzzy Hash: AD51CF72B4AB4591EF14CF29D540368A3A2EB58BE8F208235CA6C07BE8EF3CD455C354

Function 00007FF8A8743E40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_read_lock.LIBCRYPTO-1_1 ref: 00007FF8A8743EF8
CRYPTO_THREAD_read_lock.LIBCRYPTO-1_1 ref: 00007FF8A8743F0B
CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 00007FF8A8743F3F
CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 00007FF8A8743F4B
memset.VCRUNTIME140 ref: 00007FF8A8743F60

Strings

..\s\ssl\ssl_sess.c, xrefs: 00007FF8A8743E7E, 00007FF8A8743FFA

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_read_lockD_unlock$memset
String ID: ..\s\ssl\ssl_sess.c
API String ID: 1035704990-2868363209
Opcode ID: 213f6c514b44790e30a162bb42aa48313e4cf5b3731d69adda2230f7cb7e54d1
Instruction ID: 87e326739cc958621fbb111fdad50cdcc4d487c00206792f6d8ab29b140ef164
Opcode Fuzzy Hash: 213f6c514b44790e30a162bb42aa48313e4cf5b3731d69adda2230f7cb7e54d1
Instruction Fuzzy Hash: 0F41B132B4AA81A6E754CB55E8447ED63A0FB88BC8F080131EB4D4BB95DF3DD592CB14

Function 00007FF8A8711D43 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

BN_num_bits.LIBCRYPTO-1_1 ref: 00007FF8A877BB17
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A877BB3E
BN_bn2bin.LIBCRYPTO-1_1 ref: 00007FF8A877BB75
BN_clear_free.LIBCRYPTO-1_1 ref: 00007FF8A877BBA2
BN_clear_free.LIBCRYPTO-1_1 ref: 00007FF8A877BBAA

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FF8A877BB1F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: N_clear_free$N_bn2binN_num_bitsO_malloc
String ID: ..\s\ssl\tls_srp.c
API String ID: 49705458-1778748169
Opcode ID: 3458508ad74e6a9c5ddb4e1bc822bba62e66597da02ef1c87795de70b82e1931
Instruction ID: a9271bee49fe8b0221612373e0a993b19d2126e87bddaea54feff97ac24b2dd3
Opcode Fuzzy Hash: 3458508ad74e6a9c5ddb4e1bc822bba62e66597da02ef1c87795de70b82e1931
Instruction Fuzzy Hash: E5318126A4F74291EB50EB2294012B96791FF88FD8F084035EE8C4BB99DF3CE541C768

Function 00007FF8A8726B53 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8726B6E
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A8726BE2
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8726C12
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8726C41

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A8726B5A, 00007FF8A8726BD8, 00007FF8A8726C04, 00007FF8A8726C31
, xrefs: 00007FF8A8726B61

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$O_freeO_strdup
String ID: $..\s\ssl\s3_lib.c
API String ID: 3510034342-2670486660
Opcode ID: 60b292991f2e6b7ef5fbd0a7f0de2b987e162dfc2b4a1a0d189aba64dfdd7646
Instruction ID: 085eddacf41c5b3cbc42d6bb4696180e5f961fda1864ce516403aca82fcf7690
Opcode Fuzzy Hash: 60b292991f2e6b7ef5fbd0a7f0de2b987e162dfc2b4a1a0d189aba64dfdd7646
Instruction Fuzzy Hash: 2E212431B6B54266FB259B24E45077C32D0FF007C8F54043ADA4D46A86EF3CE6818728

Function 00007FF8A8716D00 Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8716D39
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8716D7F
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8716DCB
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8716DF6
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8716E27
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8716E5F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrl
String ID:
API String ID: 3605655398-0
Opcode ID: cad228a1b109db095b319e36ede78fe50c19ccca394e0b220c76b63737845c3c
Instruction ID: 5f96cf38b53aae28b44b54707753dd900dba180ec32fdb5a9bce20f0fd62b701
Opcode Fuzzy Hash: cad228a1b109db095b319e36ede78fe50c19ccca394e0b220c76b63737845c3c
Instruction Fuzzy Hash: 8B31C333B1A28192EF89DB65D9A1BFD62A2FB88BC4F005134DE4D47B91DF68A410C715

Function 00007FF8A8711B54 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

EVP_PKEY_get1_tls_encodedpoint.LIBCRYPTO-1_1 ref: 00007FF8A874ABC3
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A874AC42
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A874ACCC
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A874ACDF

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A874AAF3, 00007FF8A874AB6E, 00007FF8A874AC33, 00007FF8A874AC99

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$Y_freeY_get1_tls_encodedpoint
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 4042585043-592572767
Opcode ID: 77f09486588cfa54c45d4d7499db293d983741bf977e107540237cc9d7ae8e20
Instruction ID: 72298559073dead1654f2da5c23f142ff113fa9e8f3e0d82e5b5ffea24b58409
Opcode Fuzzy Hash: 77f09486588cfa54c45d4d7499db293d983741bf977e107540237cc9d7ae8e20
Instruction Fuzzy Hash: 6771C331B8A642A6F6609B56E4403BAA7A1FB85BC0F084035EE8D07B95DF3CD545DB28

Function 00007FF8A8711CD5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875200E
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875204C
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A875207E

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A875201A, 00007FF8A875206E
..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A8751FED, 00007FF8A87520EF

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$O_memdup
String ID: ..\s\ssl\statem\extensions_srvr.c$c:\a\6\s\ssl\packet_locl.h
API String ID: 3545228654-102051108
Opcode ID: 40434401159744e8a4225a2b54a467dfec811ac02435699359ea7903b3635f6b
Instruction ID: 1b06ef453c05038d949f7562dd407fd1c5af565042dd51087f3088f3fde64a53
Opcode Fuzzy Hash: 40434401159744e8a4225a2b54a467dfec811ac02435699359ea7903b3635f6b
Instruction Fuzzy Hash: AF51B432A6AB8196EB558F14F4403A9B3A0FB84BC0F545235EAEE07B94DF3CE190C714

Function 00007FF8A8712130 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8734217
CRYPTO_realloc.LIBCRYPTO-1_1 ref: 00007FF8A8734270
CRYPTO_realloc.LIBCRYPTO-1_1 ref: 00007FF8A87342A5
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87342CF

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A87341FC, 00007FF8A8734250, 00007FF8A873428E, 00007FF8A87342BF

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_reallocR_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1389097454-1080266419
Opcode ID: 5d727deca9f6739c39d30736d54b5ad5c4d919e2b1368247bad45ffca0bedc34
Instruction ID: 32200af88dd189d4c563193ee8de13a90b53640cc6d91d389c4b4c2dc66694cc
Opcode Fuzzy Hash: 5d727deca9f6739c39d30736d54b5ad5c4d919e2b1368247bad45ffca0bedc34
Instruction Fuzzy Hash: 7B41357270BB9562E7198B15E8007B977A0FB58B84F444031EE9D137A0DF3CE192D724

Function 00007FF8A8749A30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

EVP_PKEY_get1_tls_encodedpoint.LIBCRYPTO-1_1 ref: 00007FF8A8749ACD
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8749B41
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A8749B8F
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8749BA2

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A8749A86, 00007FF8A8749B1A, 00007FF8A8749B5C

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$Y_freeY_get1_tls_encodedpoint
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 4042585043-592572767
Opcode ID: f0e962e3d80d257cd3bc69660173b9cdf384b31ae3d4f9ac2af2ae0cae04d5a9
Instruction ID: f73a2f633758ae8798bb675d08830e4453d164a7dd13d1822543fec6dfd6e6fc
Opcode Fuzzy Hash: f0e962e3d80d257cd3bc69660173b9cdf384b31ae3d4f9ac2af2ae0cae04d5a9
Instruction Fuzzy Hash: E141E431B4EB51A2EB609B56E4043BA6790FB85BC4F048031EE8C0BBA9CF7DD545D728

Function 00007FF8A875ACC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

BN_num_bits.LIBCRYPTO-1_1 ref: 00007FF8A875ACF2
BN_bn2bin.LIBCRYPTO-1_1 ref: 00007FF8A875AD2D
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875AD50
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A875AD65

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875AD39, 00007FF8A875ADB1

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: N_bn2binN_num_bitsO_freeO_strdup
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 487688590-1507966698
Opcode ID: fcb021e5b712207a46bfd784cc93daca295419eae2572c4cd418b691ba72ef90
Instruction ID: 871b3ecc0ba7a7bb8bf36b4a03e7a9be52257be2d51fef21bba6ade24587ebcf
Opcode Fuzzy Hash: fcb021e5b712207a46bfd784cc93daca295419eae2572c4cd418b691ba72ef90
Instruction Fuzzy Hash: 1B21A172B4EA8291EB50DB12E9447BD6761EB84BC9F180131DE8C4FB99CF3DD5418B18

Function 00007FF8A8711C3A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

X509_free.LIBCRYPTO-1_1 ref: 00007FF8A872B1F4
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A872B201
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A872B214
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A872B22D

Strings

..\s\ssl\ssl_cert.c, xrefs: 00007FF8A872B21D

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_pop_freeO_freeX509_freeY_free
String ID: ..\s\ssl\ssl_cert.c
API String ID: 1247630535-349359282
Opcode ID: 7c2b41f69e71c7938e9867aad85f58eb8e17ec81c85136260d4929784c867e85
Instruction ID: 265118e9008152da9e4829b9670f8adfbc8654b2796f1656ff6a13f1aac7d7f6
Opcode Fuzzy Hash: 7c2b41f69e71c7938e9867aad85f58eb8e17ec81c85136260d4929784c867e85
Instruction Fuzzy Hash: AD017936A5AB9191E7109B28E4441AD73A4FB89F88F040021EA8D1BB49CF3CD611C764

Function 00007FF8A8732010 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8732050
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8732070
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A8732083
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8732098

Strings

..\s\ssl\ssl_conf.c, xrefs: 00007FF8A8732043, 00007FF8A8732063, 00007FF8A873208E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$L_sk_pop_free
String ID: ..\s\ssl\ssl_conf.c
API String ID: 1650471521-1527728938
Opcode ID: a46d0f9e5653f16f353e64e04730983924d19fff32bdcb0f21e641e5c15a612f
Instruction ID: d97bedc304fa9d85dc3edb29752c4752330cf9661cec214c8613107d7956ce4f
Opcode Fuzzy Hash: a46d0f9e5653f16f353e64e04730983924d19fff32bdcb0f21e641e5c15a612f
Instruction Fuzzy Hash: 1701D432B6EA43A2EB50AB15F4802F86325FB84BC0F485031EA5D57755CF2CE645C764

Function 00007FF8A8776F30 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1(?,?,?,?,?,00000000,00007FF8A8776D83), ref: 00007FF8A8776F7B
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A877716A
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8777192

Strings

..\s\ssl\t1_lib.c, xrefs: 00007FF8A8776F4E, 00007FF8A8777163, 00007FF8A8777177

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_mallocR_put_error
String ID: ..\s\ssl\t1_lib.c
API String ID: 2160744234-1643863364
Opcode ID: ae136d7c0c687b3ec7fa0c80472eddc214f9a39e5940ee724782a269a884c487
Instruction ID: b1cce632e2336cc8c9ac58ea63677befc5eed96d492db354448629c68e2504c2
Opcode Fuzzy Hash: ae136d7c0c687b3ec7fa0c80472eddc214f9a39e5940ee724782a269a884c487
Instruction Fuzzy Hash: 77718E32B8BA82A6EBA18F1195407B923A5FB84BD4F5D4035DE4C07794DF3CE881D728

Function 00007FF8A8711F0F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A874D81E, 00007FF8A874D8CC, 00007FF8A874D922

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 0-592572767
Opcode ID: 7b601a3dfbcf51421a90d4aab34b97328be81c96de875f22516ef5da5eedadc5
Instruction ID: bfc65fcc56316aaa8c74c22622d2b57b7be0eeed0fa0635b5ea47728c9bce0c2
Opcode Fuzzy Hash: 7b601a3dfbcf51421a90d4aab34b97328be81c96de875f22516ef5da5eedadc5
Instruction Fuzzy Hash: 4851DF72A59B8192EB50CB15E0447ADBBA1FB89BC0F484131EACC47B95EF3DD190CB14

Function 00007FF8A873CD70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A873CE1A

Strings

%02x, xrefs: 00007FF8A873CE86, 00007FF8A873CEC5
..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873CDEE, 00007FF8A873CE2C, 00007FF8A873CEFD

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_malloc
String ID: %02x$..\s\ssl\ssl_lib.c
API String ID: 1457121658-1214724818
Opcode ID: 9f0c2a1d39fb2cc775fd98811a429d83b0c291a91e885f5ac5e393e8511b49fc
Instruction ID: c9bcb433a78f71f7102a500434889ec343b407ed52ca6c2fcc4c470517cad507
Opcode Fuzzy Hash: 9f0c2a1d39fb2cc775fd98811a429d83b0c291a91e885f5ac5e393e8511b49fc
Instruction Fuzzy Hash: 54410722B4A79196EB618F25F8003AA7B90FB89BC4F488031DE8D47765DF3CD1469B14

Function 00007FF8A871109B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A876DC30
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A876DC48
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A876DD2A

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A876DC19, 00007FF8A876DD7A

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_memdup$O_free
String ID: ..\s\ssl\statem\statem_srvr.c
API String ID: 2280451731-348624464
Opcode ID: c93d6cdc5efcc6c9fed961493748bfb0fb1300031d0969c797883b987519fbcd
Instruction ID: a1fd6524c3001617bd556074110afa679c8058ccf1e4eb0b9a6274e2860c2907
Opcode Fuzzy Hash: c93d6cdc5efcc6c9fed961493748bfb0fb1300031d0969c797883b987519fbcd
Instruction Fuzzy Hash: D3517B72A0AA8195E751DF11E4807BE7BA0F785BD4F184032EA8C4B7A8CF79D5818B24

Function 00007FF8A871DDA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A871DE24
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A871DED7
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A871DEEB

Strings

..\s\ssl\record\ssl3_buffer.c, xrefs: 00007FF8A871DDC5

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_malloc$O_free
String ID: ..\s\ssl\record\ssl3_buffer.c
API String ID: 2640950527-837614940
Opcode ID: 87e39b50ec14eaaa685634e9eccf18b25fbc9051a7c43bb8a94a74d5588d35e9
Instruction ID: 72daaa84df72027f9483f157adfdd7237a0f2b6a6b3158c78a9796905728698f
Opcode Fuzzy Hash: 87e39b50ec14eaaa685634e9eccf18b25fbc9051a7c43bb8a94a74d5588d35e9
Instruction Fuzzy Hash: 8B41A232B0AB8196EB20DF21D9403A96BE5FB44BC8F448534DE8C4BBA9DF3CD5518758

Function 00007FF8A874EA60 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

CRYPTO_realloc.LIBCRYPTO-1_1(?,?,?,00007FF8A874ED8A,?,?,?,00007FF8A874E84E), ref: 00007FF8A874EB85

Strings

t3, xrefs: 00007FF8A874EAE5
3, xrefs: 00007FF8A874EAEF
..\s\ssl\statem\extensions_cust.c, xrefs: 00007FF8A874EB7E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_realloc
String ID: ..\s\ssl\statem\extensions_cust.c$3$t3
API String ID: 3931833713-171970420
Opcode ID: 035e8623ada3c8a43ce03e19c8aff552e57156c26daef37ae137d0616fa850ce
Instruction ID: 8732a2b0b15b824b108e8c4934e976cf0b59848648674f0c7caca0d7cc675d3c
Opcode Fuzzy Hash: 035e8623ada3c8a43ce03e19c8aff552e57156c26daef37ae137d0616fa850ce
Instruction Fuzzy Hash: 8C419173B4AB8291EA609B49D480239B7A0FB44BE4F984131DE8D437A4DF7DD492C71C

Function 00007FF8A8769CDC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8769D9C
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A8769DC1

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A8769D8F, 00007FF8A8769DB5
..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A8769E04, 00007FF8A8769E4D

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_memdup
String ID: ..\s\ssl\statem\statem_srvr.c$c:\a\6\s\ssl\packet_locl.h
API String ID: 3962629258-3574010447
Opcode ID: 96ddc471845c80fd40dc4c7019bffa9fc103ce9200c8abc2f9f53410b38d7f36
Instruction ID: a051f6abd41f463de207908682a05c5861fd1530c39eb61f6ff6d1b111e4bcc1
Opcode Fuzzy Hash: 96ddc471845c80fd40dc4c7019bffa9fc103ce9200c8abc2f9f53410b38d7f36
Instruction Fuzzy Hash: F041C932A1EB8192E7418F15F4402AAB7A5FB94BD0F484132FA8D03B69DF7CD5A5CB14

Function 00007FF8A8770AF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8770BCA
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A8770BEF

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A8770BB8, 00007FF8A8770BE3
..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A8770C31, 00007FF8A8770C67

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_memdup
String ID: ..\s\ssl\statem\statem_srvr.c$c:\a\6\s\ssl\packet_locl.h
API String ID: 3962629258-3574010447
Opcode ID: 90d401d86ff461c11954c547e2215ac4d9c7f46c91f81a2391a639914b56a965
Instruction ID: 9fb99698186349b635696aafcaa30f55039adedc0145b22346e83e6a4509b3fe
Opcode Fuzzy Hash: 90d401d86ff461c11954c547e2215ac4d9c7f46c91f81a2391a639914b56a965
Instruction Fuzzy Hash: 76418C32A2AB8192E751CF15E4406BAB7A4FB84B84F485135EACD07B65DF3CD1A1CB14

Function 00007FF8A8759FC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875A107
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A875A10F

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A8759FFD, 00007FF8A875A037

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeY_free
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 1826982404-1507966698
Opcode ID: 41dded0ee1671f73fd930d32ee02b6d0fda7d9168bf0cd49d3a136534c904316
Instruction ID: ea125fac7052b33e6b2f1e99cb50f22f4f3765b308d3f2267483ceee10621e48
Opcode Fuzzy Hash: 41dded0ee1671f73fd930d32ee02b6d0fda7d9168bf0cd49d3a136534c904316
Instruction Fuzzy Hash: 8931B53164E68296EB24DF11E4406ADBB51FB88BC4F040134EE8C17F55DF7CE2468B29

Function 00007FF8A87119E7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A8736205
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873622D
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87362B6

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A87361FE, 00007FF8A8736212, 00007FF8A87362AC

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_mallocR_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 2160744234-1080266419
Opcode ID: 205947dd9d00332af5316d61340bed4d183e53cc2001715f3ac9530677b37328
Instruction ID: 17fb02f17af4560b7e832b42af51ec1256f28b5096cb03c3b9793a38a98be1d1
Opcode Fuzzy Hash: 205947dd9d00332af5316d61340bed4d183e53cc2001715f3ac9530677b37328
Instruction Fuzzy Hash: 3831DB32B4BB4192EB90CF45D4442B863A1FB44BC4F998431DA4D47BA4DF3EE582D718

Function 00007FF8A875BEF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A875BF1C
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875BF8A
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875BFDF

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875BF4B

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$X_free
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 306345296-1507966698
Opcode ID: 2853cef346287139e6258ed757a523e10d4385730c7c8a897cda4547f5d0c931
Instruction ID: b8578faf4cefd44e05a45af8d5162feb8c8805756ef3f0a148b7d608c6bb6f20
Opcode Fuzzy Hash: 2853cef346287139e6258ed757a523e10d4385730c7c8a897cda4547f5d0c931
Instruction Fuzzy Hash: AF31D03270968192E7649B12E5003AAA3A5FB89BC0F044135EFCC4BF86CF3DE552CB18

Function 00007FF8A8717F50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A8718C37
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8718C60

Strings

b, xrefs: 00007FF8A8718C4C
..\s\ssl\packet.c, xrefs: 00007FF8A8718C29, 00007FF8A8718C45

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_zallocR_put_error
String ID: ..\s\ssl\packet.c$b
API String ID: 2718799170-1717309047
Opcode ID: eff02652ad15797b469cfb7daf1f46a3ce03e86826f86970131a0a7076143f53
Instruction ID: d2b032f3ff3d390e09f2c74fc8b3ea4a36c89b185a4533292bb4bfba3f5a5aa1
Opcode Fuzzy Hash: eff02652ad15797b469cfb7daf1f46a3ce03e86826f86970131a0a7076143f53
Instruction Fuzzy Hash: FA213632A1EB42A5EB14CB11D4013A973A5FB047D0F504234D66C47BE1EF7DDA4AC768

Function 00007FF8A8762DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A8762DF7
memcpy.VCRUNTIME140 ref: 00007FF8A8762E6D

Strings

-, xrefs: 00007FF8A8762E04
..\s\ssl\statem\statem_lib.c, xrefs: 00007FF8A8762DDA

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_mallocmemcpy
String ID: -$..\s\ssl\statem\statem_lib.c
API String ID: 1834057931-2154746619
Opcode ID: 22acb04d894ddeae20fcb9948c2a0cd56429033462bab073a80b87f4ed32b332
Instruction ID: 5c1a1dacbac93c17bfd97870be58692963d9f5adc77e38fb921b6c87cf772ab2
Opcode Fuzzy Hash: 22acb04d894ddeae20fcb9948c2a0cd56429033462bab073a80b87f4ed32b332
Instruction Fuzzy Hash: C8217122A19B81A6E650CF12E4042A9B720F798BC4F459235EF8C17B66DF38E2D5C704

Function 00007FF8A8717DF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A8717E32
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8717E5B

Strings

b, xrefs: 00007FF8A8717E47
..\s\ssl\packet.c, xrefs: 00007FF8A8717E18, 00007FF8A8717E40

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_zallocR_put_error
String ID: ..\s\ssl\packet.c$b
API String ID: 2718799170-1717309047
Opcode ID: e5a2cdc41ec90c580c07a578ba4c76683c16f6a8104d0e368a94bb5b754420c7
Instruction ID: 051be3d794f64ac68451f96b2331404c80d784e6506f5711132fa5da80f7cd8b
Opcode Fuzzy Hash: e5a2cdc41ec90c580c07a578ba4c76683c16f6a8104d0e368a94bb5b754420c7
Instruction Fuzzy Hash: E001923260AB0196D711CF19E44019873A1FB047E8FA44235D7AC07BE5EF39D995C714

Function 00007FF8A8726C53 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8726C12
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8726C7A
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A8726C8F

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A8726C04, 00007FF8A8726C73, 00007FF8A8726C85

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_strdupR_put_error
String ID: ..\s\ssl\s3_lib.c
API String ID: 626504629-4238427508
Opcode ID: 9a8f3001c94748e9cc0e49b444bd24d09230ddecbf5a64631e044a42999358b1
Instruction ID: f53a9a18366f394f82812f2a0bc69ef2f2112db49d3d944a28423869d0c2b83e
Opcode Fuzzy Hash: 9a8f3001c94748e9cc0e49b444bd24d09230ddecbf5a64631e044a42999358b1
Instruction Fuzzy Hash: 75016231B6FA43A1EB51EB15E4807B863A0FF407C8F440436DA1C0A6A5EF3CE694D718

Function 00007FF8A8719020 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

CRYPTO_zalloc.LIBCRYPTO-1_1 ref: 00007FF8A871903D
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8719065

Strings

..\s\ssl\pqueue.c, xrefs: 00007FF8A8719033, 00007FF8A871904A
+, xrefs: 00007FF8A8719051

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_zallocR_put_error
String ID: +$..\s\ssl\pqueue.c
API String ID: 2718799170-3697747608
Opcode ID: da2d707b9abfcd818f8fd289379682dd5420eddc93187a191c5632dd55a8878a
Instruction ID: 476433d2b5c5f40d47b649f7902552e66fb07119188f1bf09b6f18784a5e1991
Opcode Fuzzy Hash: da2d707b9abfcd818f8fd289379682dd5420eddc93187a191c5632dd55a8878a
Instruction Fuzzy Hash: 2FE06D26B5B503A6EB11EB14D8096E93762EF44784F801035DA0C077A1EF3CF68ACB24

Function 00007FF8A873F0E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1(00000000,00007FF8A873C892), ref: 00007FF8A873F107
EVP_PKEY_free.LIBCRYPTO-1_1(00000000,00007FF8A873C892), ref: 00007FF8A873F110
CRYPTO_free.LIBCRYPTO-1_1(00000000,00007FF8A873C892), ref: 00007FF8A873F125

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873F0F6, 00007FF8A873F11B

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free$Y_free
String ID: ..\s\ssl\ssl_lib.c
API String ID: 3642664693-1080266419
Opcode ID: 60bd61d8338763e193275d770789ca317e6d5ad48d66d38ffe40c408143abd0f
Instruction ID: f2993b73ed57a7f5ef32858992465fe25b067599ddf3065fc1e253f8196f9900
Opcode Fuzzy Hash: 60bd61d8338763e193275d770789ca317e6d5ad48d66d38ffe40c408143abd0f
Instruction Fuzzy Hash: 61E04F59F8B612A0FB56AB91D8517B42210DF59FC0F445031ED0D4A7D2DF1CE581C739

Function 00007FF8A87121AD Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF8A8743B28
CRYPTO_THREAD_read_lock.LIBCRYPTO-1_1 ref: 00007FF8A8743B3C
OPENSSL_LH_retrieve.LIBCRYPTO-1_1 ref: 00007FF8A8743B51
CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 00007FF8A8743B76

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_read_lockD_unlockH_retrievememcpy
String ID:
API String ID: 2272600717-0
Opcode ID: eacee982258474cf84c65c756c29dcf2f4c82a3100d24e29db710f983da2b86b
Instruction ID: 6e2d407e8423e9b299ced81d37b15bebe8fd8bd3d0440c3c3772898dd31e6ccd
Opcode Fuzzy Hash: eacee982258474cf84c65c756c29dcf2f4c82a3100d24e29db710f983da2b86b
Instruction Fuzzy Hash: 1731D522B5AB81A7EBA4DF19D4407A96390FB89BD4F084036EE4D87751CF3CE445CB14

Function 00007FF8A8738D80 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF8A8738DCF
CRYPTO_THREAD_read_lock.LIBCRYPTO-1_1 ref: 00007FF8A8738DE2
OPENSSL_LH_retrieve.LIBCRYPTO-1_1 ref: 00007FF8A8738DF7
CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 00007FF8A8738E0D

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_read_lockD_unlockH_retrievememcpy
String ID:
API String ID: 2272600717-0
Opcode ID: 95562a0fa145f06d9eefa1d15c01e6f63a6924d186dac670d583ea54314ce72c
Instruction ID: 68e44fa02cfb32bf1b838168b1072c2480fe3f17601412450ed5cb3c78ab7bae
Opcode Fuzzy Hash: 95562a0fa145f06d9eefa1d15c01e6f63a6924d186dac670d583ea54314ce72c
Instruction Fuzzy Hash: B4118222B5AA8196EAA09B25E8853A96360FBCCBC0F540131DA8D87755DF2CE451CB14

Function 00007FF8A8711B9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A871E1BD
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A871E1D1

Strings

..\s\ssl\record\ssl3_buffer.c, xrefs: 00007FF8A871E19F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_malloc
String ID: ..\s\ssl\record\ssl3_buffer.c
API String ID: 2609694610-837614940
Opcode ID: 161690fe3d120fecc0365f51744ad0243a47d203dd1c10dc79fd71f3304b47f8
Instruction ID: 4e826aa4a8e062c2d9fee592a5c5a2fa82ddd50664ee11196bce57209cfc9697
Opcode Fuzzy Hash: 161690fe3d120fecc0365f51744ad0243a47d203dd1c10dc79fd71f3304b47f8
Instruction Fuzzy Hash: D431C233A4AB8196EB609F11E8003A9B2A0FB44BD4F548534EE8C17FA9DF3CD551D768

Function 00007FF8A8711B8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A874DF60
CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A874DF8C

Part of subcall function 00007FF8A87494F0: memcpy.VCRUNTIME140(..\s\ssl\statem\extensions_clnt.c,00007FF8A874DFAB), ref: 00007FF8A8749518

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A874DF49, 00007FF8A874E014

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_mallocmemcpy
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 2350084802-592572767
Opcode ID: a85f72143a0c0fd1736c704b1baba5e9bdc4db8ed992779f532dbe1233837df9
Instruction ID: 936b3937e576bcc7abb814c978986f515377f07394b759c63260a20cfe51cb46
Opcode Fuzzy Hash: a85f72143a0c0fd1736c704b1baba5e9bdc4db8ed992779f532dbe1233837df9
Instruction Fuzzy Hash: 1331E422B4AB8191F760DB02E40076A6791FB84BD4F184131EE9C5BFA9CF3DE5528B18

Function 00007FF8A875CA20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875CB29
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A875CB70

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875CA42, 00007FF8A875CB1C

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 2581946324-1507966698
Opcode ID: 5d8c67b895b3c50561d38290c557db9f06c88ca0d133ecff49650a370d8977e5
Instruction ID: 2d73ee4a56b8f908d5ab0af2d391d55fdc12001eba9fbd02132a287ca9714cdf
Opcode Fuzzy Hash: 5d8c67b895b3c50561d38290c557db9f06c88ca0d133ecff49650a370d8977e5
Instruction Fuzzy Hash: E431BD72A2DBC091E7108B10F0407AAB7A0E7847E8F445235FAD907B99CF7CD290CB14

Function 00007FF8A87581AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8758291
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A87582D1

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A8758284

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 2581946324-1507966698
Opcode ID: c2c557aa48da27dcf0d17581f6830024d28730c24a44c868588f271b72b3f970
Instruction ID: 358a26eea4bc4db4f8158b53cac176cd89bbc6648204915f94dd7ae9eb5a1291
Opcode Fuzzy Hash: c2c557aa48da27dcf0d17581f6830024d28730c24a44c868588f271b72b3f970
Instruction Fuzzy Hash: A531ED72A5DB8192E7609B11F44026EBBA5FB857E0F046235FBC90BB98DF7CD1908B14

Function 00007FF8A8711E4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 00007FF8A8759DAA

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A8759D04
4, xrefs: 00007FF8A8759D5B

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_clear_free
String ID: ..\s\ssl\statem\statem_clnt.c$4
API String ID: 2011826501-211860627
Opcode ID: 5d45f23a3ec260e8048e75da4e62eae19f54caca38a67e6f6395f620907aac9c
Instruction ID: b437249f4e90a418d25844b176743cef1450364f95bae8af417c5f51721b8bef
Opcode Fuzzy Hash: 5d45f23a3ec260e8048e75da4e62eae19f54caca38a67e6f6395f620907aac9c
Instruction Fuzzy Hash: AA21C33274EB42A5E7549B12E5447B9B765FB44FC4F084035EE8D07B9ACF2CE5418714

Function 00007FF8A871DFE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A871E05F

Strings

..\s\ssl\record\ssl3_buffer.c, xrefs: 00007FF8A871E052
F, xrefs: 00007FF8A871E06D

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_malloc
String ID: ..\s\ssl\record\ssl3_buffer.c$F
API String ID: 1457121658-4203526889
Opcode ID: a3cd77f036b2bc36b14fd0ebc9cb259e1bd49fbc175166a75b899e9f387e85d3
Instruction ID: c0587b01d4dcb3ed1cd10b3c4796ae377e5db868be0c1ae969ababc6edf6c1ba
Opcode Fuzzy Hash: a3cd77f036b2bc36b14fd0ebc9cb259e1bd49fbc175166a75b899e9f387e85d3
Instruction Fuzzy Hash: AC21A536B0AB8181EB009B15E9003A963A0F788FC4F584135EF9C57B99DF3DD951CB18

Function 00007FF8A8725E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8725E8D
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A8725EE3

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A8725E80, 00007FF8A8725ED9

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_strdup
String ID: ..\s\ssl\s3_lib.c
API String ID: 2148955802-4238427508
Opcode ID: b2ac1617885e30515bd3331832a3824524bd7ba21c1496dd31ef2bb6b46e8c94
Instruction ID: 49ad92a4e575aa35d361ae82262048782067f3e73d82e3044cfd8120b1e5f47d
Opcode Fuzzy Hash: b2ac1617885e30515bd3331832a3824524bd7ba21c1496dd31ef2bb6b46e8c94
Instruction Fuzzy Hash: 2E11A325F5F65265F7A19B05E0403B86681FB81BD4F440535DA8C0BB84EF7CE6858728

Function 00007FF8A8711EA1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A8732157
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8732185

Strings

..\s\ssl\ssl_conf.c, xrefs: 00007FF8A873214D, 00007FF8A8732178

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_strdup
String ID: ..\s\ssl\ssl_conf.c
API String ID: 2148955802-1527728938
Opcode ID: 19eeffa5107bfee824819ae2d4f177631e91d9b2f0d3a63995373046b4eacfc3
Instruction ID: f14e01fe36468e50be5d07a851bd5070223c5830f92730428fb0ae4b618926aa
Opcode Fuzzy Hash: 19eeffa5107bfee824819ae2d4f177631e91d9b2f0d3a63995373046b4eacfc3
Instruction Fuzzy Hash: 0F11E522F6E78391FB568745B2803296651EF44BC0F089134EBAD07B95DF2CE9918718

Function 00007FF8A8727D40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1(?,00007FF8A8726225), ref: 00007FF8A8727D75
CRYPTO_memdup.LIBCRYPTO-1_1(?,00007FF8A8726225), ref: 00007FF8A8727DB0

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A8727D61, 00007FF8A8727DA3

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_memdup
String ID: ..\s\ssl\s3_lib.c
API String ID: 3962629258-4238427508
Opcode ID: 59cb654d803b1f208d3a9cbb58e2b8480ccce989ff7860c3020f46270b625d2a
Instruction ID: 8d022582cd538e985794db9ee60dea7de77886e2ce92f33e134bd66f4f4e053d
Opcode Fuzzy Hash: 59cb654d803b1f208d3a9cbb58e2b8480ccce989ff7860c3020f46270b625d2a
Instruction Fuzzy Hash: D9019632B5AB8161EB959B25E5403E9A2D0FF48BC0F484136EF5C47B85EF3CE5A18714

Function 00007FF8A8711F55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8743255
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A8743277

Strings

..\s\ssl\ssl_sess.c, xrefs: 00007FF8A8743241, 00007FF8A874326A

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_memdup
String ID: ..\s\ssl\ssl_sess.c
API String ID: 3962629258-2868363209
Opcode ID: 1836bb05a4f62116483b270b8fe70ac1791ed0b9384182d7233336a295cb44e9
Instruction ID: 7ef8d7ddbc53ac8e8f2c26f2d76f14f73b91eec177873e0dd57e75d95cc8352a
Opcode Fuzzy Hash: 1836bb05a4f62116483b270b8fe70ac1791ed0b9384182d7233336a295cb44e9
Instruction Fuzzy Hash: 66110021B1BB81A2E7918B51F5447A873A0EB08FD4F080130EE9C0BB99DF3CD2C18324

Function 00007FF8A8711CC6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A871FA54
COMP_expand_block.LIBCRYPTO-1_1 ref: 00007FF8A871FA7D

Strings

..\s\ssl\record\ssl3_record.c, xrefs: 00007FF8A871FA48

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_mallocP_expand_block
String ID: ..\s\ssl\record\ssl3_record.c
API String ID: 3543690440-2721125279
Opcode ID: 08f26bc5cef2c74bc437e48d09897db956cf6b275f9dbeb6f4336e90eee26c23
Instruction ID: 998f7eb2415faff17c520e6618e6e44fe414aeb4dfde424fca65f3bdb90fd263
Opcode Fuzzy Hash: 08f26bc5cef2c74bc437e48d09897db956cf6b275f9dbeb6f4336e90eee26c23
Instruction Fuzzy Hash: BF01D866B1AB4192EB408F21E40026963A4FB4CFC8F148034EF4C4B7A9EF3CD4908714

Function 00007FF8A8733900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8733937
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A8733960

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A8733927, 00007FF8A8733950

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_memdup
String ID: c:\a\6\s\ssl\packet_locl.h
API String ID: 3962629258-1218263599
Opcode ID: 82cc0c290bd63d22a3bb1b67c53c11106551047646f95201d2823dbe769c54a3
Instruction ID: 309f1c9fd05c4f63154d7f12189368c2e349fde9480563d9d9751d553d6d5618
Opcode Fuzzy Hash: 82cc0c290bd63d22a3bb1b67c53c11106551047646f95201d2823dbe769c54a3
Instruction Fuzzy Hash: A1011A3271BB9291EB508F12E8802997364EB99BC0F089031EECC47B55DF3CD5508714

Function 00007FF8A8767AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8767B17
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A8767B40

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A8767B07, 00007FF8A8767B30

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_memdup
String ID: c:\a\6\s\ssl\packet_locl.h
API String ID: 3962629258-1218263599
Opcode ID: eeb5d4d8649d2da17d62270f6c599bd3ca5c6421b882ea7982d3a08df20dd110
Instruction ID: d666ec90ef284bfad92c4dbd8173f6ee79b87a8fe48cb8c1652600cbbd823a10
Opcode Fuzzy Hash: eeb5d4d8649d2da17d62270f6c599bd3ca5c6421b882ea7982d3a08df20dd110
Instruction Fuzzy Hash: ED011632B1BB9291EB508F12E8802A973A4EB99BC0F488031EE9C87B55DF3CD5608714

Function 00007FF8A8756A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1(?,00007FF8A875C599), ref: 00007FF8A8756AA7
CRYPTO_memdup.LIBCRYPTO-1_1(?,00007FF8A875C599), ref: 00007FF8A8756AD0

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A8756A97, 00007FF8A8756AC0

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_memdup
String ID: c:\a\6\s\ssl\packet_locl.h
API String ID: 3962629258-1218263599
Opcode ID: 8d5aab214fd404bef3fc709da8b0426a893f35599c19c384ca151d23c2458978
Instruction ID: c2089d573d7d7e77219389e6cb937657d746e610fe78e8e60a3229e5ec87520d
Opcode Fuzzy Hash: 8d5aab214fd404bef3fc709da8b0426a893f35599c19c384ca151d23c2458978
Instruction Fuzzy Hash: D9012836B1BB9291EB50CF12E88069A73A4EB99BC0F089031EE8C87B55DF3CD560C714

Function 00007FF8A874FD80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A874FDB7
CRYPTO_memdup.LIBCRYPTO-1_1 ref: 00007FF8A874FDE0

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A874FDA7, 00007FF8A874FDD0

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_memdup
String ID: c:\a\6\s\ssl\packet_locl.h
API String ID: 3962629258-1218263599
Opcode ID: 690931dd4660a8e1c3abbbbf885b13e2506281f35b338e317031ea349117d685
Instruction ID: 6f5257671d486bcf169a49b1c6758368a28b24a5c6134716eca5c03b6c65fedf
Opcode Fuzzy Hash: 690931dd4660a8e1c3abbbbf885b13e2506281f35b338e317031ea349117d685
Instruction Fuzzy Hash: 96011632B1BB9291EB508F12E88069973A4EB99BC0F088031EE8C87B59DF3CD5608714

Function 00007FF8A8711C03 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A874332D
CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A874335E

Strings

..\s\ssl\ssl_sess.c, xrefs: 00007FF8A8743320, 00007FF8A8743354

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_strdup
String ID: ..\s\ssl\ssl_sess.c
API String ID: 2148955802-2868363209
Opcode ID: 178e9497fad3f2a4ff0ef21f609f41b639233a161d0df03aafb23d5c47e84525
Instruction ID: fcef412af5256cd9808dd7bd4aca9295b2058a440f86f34a51b81953d9b32000
Opcode Fuzzy Hash: 178e9497fad3f2a4ff0ef21f609f41b639233a161d0df03aafb23d5c47e84525
Instruction Fuzzy Hash: 52F04C22B9EA4291EB45CB16EA807FC2391EF48BC0F0C8031DD5C47B59EF2CD2918714

Function 00007FF8A8718E00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A8718E27
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8718E4F

Strings

..\s\ssl\pqueue.c, xrefs: 00007FF8A8718E1D, 00007FF8A8718E34

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_mallocR_put_error
String ID: ..\s\ssl\pqueue.c
API String ID: 2513334388-354262084
Opcode ID: 7f5c6d1fc43aa2d2bbb5b36b69cdf226d291e47c092f4a89c86f37d36a983452
Instruction ID: e6385508644562eecbf528942f7f9941e43af4d788e3678236f9dddb8d0a5810
Opcode Fuzzy Hash: 7f5c6d1fc43aa2d2bbb5b36b69cdf226d291e47c092f4a89c86f37d36a983452
Instruction Fuzzy Hash: C9016D36B0AA4196DB41CB15E5447A973A1FB48BC4F544036DB5C03BA5EF38D658CB14

Function 00007FF8A8746CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8746D21
CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8746D64

Strings

..\s\ssl\statem\extensions.c, xrefs: 00007FF8A8746D06, 00007FF8A8746D50

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\statem\extensions.c
API String ID: 2581946324-1165805907
Opcode ID: e3141c5992fd8e8eab726a4de85d7e3daf78a5c6a36883fed29ca62df062fa42
Instruction ID: ed70dd63bcd383345b889c17aeafa563b9a9db0962e110929c0c6f2c1d4a2494
Opcode Fuzzy Hash: e3141c5992fd8e8eab726a4de85d7e3daf78a5c6a36883fed29ca62df062fa42
Instruction Fuzzy Hash: 74017132B09B81A5DB81DF19D4807A873A8FB85FC4F188132DE5C0B7A5CF34C5858310

Function 00007FF8A8729B70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1(00000000,00007FF8A872927F), ref: 00007FF8A8729B99
CRYPTO_strndup.LIBCRYPTO-1_1(00000000,00007FF8A872927F), ref: 00007FF8A8729BBE

Strings

..\s\ssl\ssl_asn1.c, xrefs: 00007FF8A8729B8C, 00007FF8A8729BAD

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_strndup
String ID: ..\s\ssl\ssl_asn1.c
API String ID: 2641571835-3659835543
Opcode ID: 43273745b5347fdd41e96acaf56ae468701052affd1fd60802e98f95bb950175
Instruction ID: 10f14faa9a6a20e08936811d22ad021cd8490bb1ec9447e1a8e16c09fb4fd4f0
Opcode Fuzzy Hash: 43273745b5347fdd41e96acaf56ae468701052affd1fd60802e98f95bb950175
Instruction Fuzzy Hash: 95F09032B0AB42A1EB519B56F6407B863A0EF58BD4F084032EE5C57B95EF7CD4A08724

Function 00007FF8A8756D00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8756D29
CRYPTO_strndup.LIBCRYPTO-1_1 ref: 00007FF8A8756D42

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A8756D1F, 00007FF8A8756D32

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_strndup
String ID: c:\a\6\s\ssl\packet_locl.h
API String ID: 2641571835-1218263599
Opcode ID: 4443a19ce801fa2f38ee564212dfacdf1dad8c59d96f0d6752c382a5dd0d0d13
Instruction ID: 99b5f53e5fe7b15abe0f1bb0932ea9f56b14aa90e1246486c0dfc9ebc3034da2
Opcode Fuzzy Hash: 4443a19ce801fa2f38ee564212dfacdf1dad8c59d96f0d6752c382a5dd0d0d13
Instruction Fuzzy Hash: A4F03036B4BE42A5EB44AB15E8916E87320EF4DFD4F448036EA0C877A6DF2CD561C714

Function 00007FF8A8767D00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8767D29
CRYPTO_strndup.LIBCRYPTO-1_1 ref: 00007FF8A8767D42

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A8767D1F, 00007FF8A8767D32

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_strndup
String ID: c:\a\6\s\ssl\packet_locl.h
API String ID: 2641571835-1218263599
Opcode ID: 64ab56c54da3a3f0f0f2b16151768cc2328846c4935f2feb436605d04a5d6344
Instruction ID: 99b5f53e5fe7b15abe0f1bb0932ea9f56b14aa90e1246486c0dfc9ebc3034da2
Opcode Fuzzy Hash: 64ab56c54da3a3f0f0f2b16151768cc2328846c4935f2feb436605d04a5d6344
Instruction Fuzzy Hash: A4F03036B4BE42A5EB44AB15E8916E87320EF4DFD4F448036EA0C877A6DF2CD561C714

Function 00007FF8A874FF70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A874FF99
CRYPTO_strndup.LIBCRYPTO-1_1 ref: 00007FF8A874FFB2

Strings

c:\a\6\s\ssl\packet_locl.h, xrefs: 00007FF8A874FF8F, 00007FF8A874FFA2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_strndup
String ID: c:\a\6\s\ssl\packet_locl.h
API String ID: 2641571835-1218263599
Opcode ID: 43847e487971f886af575f9619a387cd3ec89e43bb4a790e5bca43ea5b60f1dc
Instruction ID: 99b5f53e5fe7b15abe0f1bb0932ea9f56b14aa90e1246486c0dfc9ebc3034da2
Opcode Fuzzy Hash: 43847e487971f886af575f9619a387cd3ec89e43bb4a790e5bca43ea5b60f1dc
Instruction Fuzzy Hash: A4F03036B4BE42A5EB44AB15E8916E87320EF4DFD4F448036EA0C877A6DF2CD561C714

Function 00007FF8A8743C80 Relevance: 4.6, APIs: 3, Instructions: 59COMMON

Download Yara Rule

APIs

OPENSSL_LH_retrieve.LIBCRYPTO-1_1(?,00007FF8A8743705), ref: 00007FF8A8743CDC
OPENSSL_LH_delete.LIBCRYPTO-1_1(?,00007FF8A8743705), ref: 00007FF8A8743CF5
CRYPTO_THREAD_unlock.LIBCRYPTO-1_1(?,00007FF8A8743705), ref: 00007FF8A8743D1E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_unlockH_deleteH_retrieve
String ID:
API String ID: 1793884636-0
Opcode ID: 20047998944a814fbcf33cb3746300f07edaca980de84f25069ef87140b737f9
Instruction ID: dbf31f4fe87a6d05baf61200a67bcc4e74434acb727cb4205019f0e1e9686273
Opcode Fuzzy Hash: 20047998944a814fbcf33cb3746300f07edaca980de84f25069ef87140b737f9
Instruction Fuzzy Hash: 5721C321B6FB8295EB54DB56940067D92A1EF88FC0F084031EE1D4BB86DF3DD8018B24

Function 00007FF8A8711B40 Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_write_lock.LIBCRYPTO-1_1 ref: 00007FF8A87428F5
OPENSSL_LH_set_down_load.LIBCRYPTO-1_1 ref: 00007FF8A874292C
CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 00007FF8A8742938

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_unlockD_write_lockH_set_down_load
String ID:
API String ID: 3243170206-0
Opcode ID: 7c46cc46120e4e0be1e095f47cc15411eab864c593159186eb6ea1fd04625f82
Instruction ID: a0de56bc2f3071a0347c2bc290583d432002ca4cf057dde61412a94745948707
Opcode Fuzzy Hash: 7c46cc46120e4e0be1e095f47cc15411eab864c593159186eb6ea1fd04625f82
Instruction Fuzzy Hash: 4C012122B5AB81A2DA10DB56E48116D6360FFCCBD4F544131FA4D47B56DF3CE521C718

Function 00007FF8A8760F00 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1(?,00000000,?,00007FF8A8760C33), ref: 00007FF8A876121D

Part of subcall function 00007FF8A87607E0: CRYPTO_malloc.LIBCRYPTO-1_1(?,00007FF8A875FE43), ref: 00007FF8A876081B
Part of subcall function 00007FF8A87607E0: ERR_put_error.LIBCRYPTO-1_1(?,00007FF8A875FE43), ref: 00007FF8A8760843

Strings

..\s\ssl\statem\statem_dtls.c, xrefs: 00007FF8A8761213

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_mallocR_put_error
String ID: ..\s\ssl\statem\statem_dtls.c
API String ID: 2160744234-3140652063
Opcode ID: 2eb6a37a8a4d1b55963d2e3916000a6b0ef3e239bda2c0f93615a071388ee1c7
Instruction ID: dd5dfed45e40b9b3da7dc8fdc526e98f3a24d22ea6fff40537e4b003a921e580
Opcode Fuzzy Hash: 2eb6a37a8a4d1b55963d2e3916000a6b0ef3e239bda2c0f93615a071388ee1c7
Instruction Fuzzy Hash: 5AA1DF73A0AAC696EB21CB25D4442B977A0FB95BC4F044231DB8D47B96EF3DE094C724

Function 00007FF8A87119B5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A875C2BA

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875C2A7, 00007FF8A875C321, 00007FF8A875C348

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_malloc
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 1457121658-1507966698
Opcode ID: d673e230224418802c9ee0fc61558f4de0820fc47b1c53415483aca9a2f3c3fb
Instruction ID: 0ce8f22bbcc50b416ccbb3fa369930560d96b834a45cae7e7b9736addb3d18cd
Opcode Fuzzy Hash: d673e230224418802c9ee0fc61558f4de0820fc47b1c53415483aca9a2f3c3fb
Instruction Fuzzy Hash: 5E310532B4A7819AE7149B11F4007ADB7A0FB85BD4F484230EA9C47B95DF3CD291D719

Function 00007FF8A87120FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A875C13A

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875C0C0

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_malloc
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 1457121658-1507966698
Opcode ID: 8a911f4adaa048c3d7b29af1516124e71e513f246c1d64adc296d0ba14aca938
Instruction ID: 5469e2db1d07a98977e6476d0c2aabfc3f6173a9cde1f8e821a2698623a558f5
Opcode Fuzzy Hash: 8a911f4adaa048c3d7b29af1516124e71e513f246c1d64adc296d0ba14aca938
Instruction Fuzzy Hash: 79312572B0E68296FB148B11E8007BD77A1EBC5BD0F488231DA9D47BC1DF2CD5518728

Function 00007FF8A8757E6F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

CRYPTO_malloc.LIBCRYPTO-1_1 ref: 00007FF8A8757EE4

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A8757ED1, 00007FF8A8757F5E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_malloc
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 1457121658-1507966698
Opcode ID: f553896e5aa0eb456cef5d22f9417dab30b1f450b8d9af471c01d76deb3453b2
Instruction ID: 44cd76eda1a1efb8641e4188da0f8a1e4e66e5f328f2b2c61530b5200f71aa00
Opcode Fuzzy Hash: f553896e5aa0eb456cef5d22f9417dab30b1f450b8d9af471c01d76deb3453b2
Instruction Fuzzy Hash: DD312932B4EA4695E724CF11E9006BDBB91DB81BD8F449231DAAD0B7C5DF3CD2518314

Function 00007FF8A8711AB4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A874A055

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A8749FD2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 2581946324-592572767
Opcode ID: f3ecefee9bcb7d9a04b0b8e0ee77ec492f4a2bc1a7e5b4783c1cf10ea48dfe90
Instruction ID: 4bd66cde3e045f3df7e290e1c22d3ae5447d4b54c6cc4553b6c9587103962a15
Opcode Fuzzy Hash: f3ecefee9bcb7d9a04b0b8e0ee77ec492f4a2bc1a7e5b4783c1cf10ea48dfe90
Instruction Fuzzy Hash: 9421C732B4D64152E7509B96F1403AEA360FB44BC4F144031DE5C4BBAADF3DE8818B78

Function 00007FF8A8718AF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8718BB9

Strings

..\s\ssl\packet.c, xrefs: 00007FF8A8718BA5

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\packet.c
API String ID: 2581946324-1434567093
Opcode ID: c94538580860ac6f0dd4d3e3b5e2d3b9c22995ab0ec359a4b6d598912a330b54
Instruction ID: 6ecf7d321ea5b0e7ff0f3f641ea6b422cbbab4e4dc44877dc1024a1d49e1568a
Opcode Fuzzy Hash: c94538580860ac6f0dd4d3e3b5e2d3b9c22995ab0ec359a4b6d598912a330b54
Instruction Fuzzy Hash: A7219AB6B16B4991DF65CF29C098B7863A4FB58BC8F568431DA1C43B60EF3AD420C324

Function 00007FF8A8711F5F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CRYPTO_strdup.LIBCRYPTO-1_1 ref: 00007FF8A874E16F

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A874E0EA, 00007FF8A874E12E, 00007FF8A874E14B

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_strdup
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 1296259186-592572767
Opcode ID: 0e96f5486a9c86993f531d0f9bee11afe7e7360e008dea49c8eaaa8e04b031e0
Instruction ID: f36e9103c6aab6c00f8e4925747b3d7e3aba7e7fa44c23804bb49f0818de3476
Opcode Fuzzy Hash: 0e96f5486a9c86993f531d0f9bee11afe7e7360e008dea49c8eaaa8e04b031e0
Instruction Fuzzy Hash: 5221D432A8EA4595F7A09B00E8447BE6760F744BE8F940131DA5D0B6A5CFBCD6C5CB18

Function 00007FF8A871DCF0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A871DD40

Strings

..\s\ssl\record\ssl3_buffer.c, xrefs: 00007FF8A871DD33

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\record\ssl3_buffer.c
API String ID: 2581946324-837614940
Opcode ID: a40e4c01ded770121cc6210f39a78a8d18fa9b240fbe0e702c87c7e42915363b
Instruction ID: c499a4f88754744c505f8afc757e340c4db748add8cf368cc57cf198c8685a8c
Opcode Fuzzy Hash: a40e4c01ded770121cc6210f39a78a8d18fa9b240fbe0e702c87c7e42915363b
Instruction Fuzzy Hash: FB01483262AB92E5EA509F05E54029C67A4FB48B84F591136EB8C0BA55CF38D162CB90

Function 00007FF8A8717CF0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8717D36

Strings

..\s\ssl\packet.c, xrefs: 00007FF8A8717D29

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\packet.c
API String ID: 2581946324-1434567093
Opcode ID: 62f60933037da910d7077f734ddb183dea72e790f1214cb6b053f64371f3f153
Instruction ID: cc6c06b9e8b9756a6fac06823769d64ec175ba8ecf526bdbb1224c28d74c8a5d
Opcode Fuzzy Hash: 62f60933037da910d7077f734ddb183dea72e790f1214cb6b053f64371f3f153
Instruction Fuzzy Hash: 3DF0B4A2B5A60252EB119B26C44037823B1EF487D0F442030DA4C8BBA5DF6CD8D1C728

Function 00007FF8A8746C50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8746C91

Strings

..\s\ssl\statem\extensions.c, xrefs: 00007FF8A8746C84

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\statem\extensions.c
API String ID: 2581946324-1165805907
Opcode ID: 7164dbfd80076827dbd28b1f2aeff73028a82f0832e4444926e121e6a36e1ef0
Instruction ID: a91372d5bedf30720ad3c3a6e8b8877233947cdbd7cec63da54e0d408c577553
Opcode Fuzzy Hash: 7164dbfd80076827dbd28b1f2aeff73028a82f0832e4444926e121e6a36e1ef0
Instruction Fuzzy Hash: 1FF09BB2F076418AF7909F78D4447942291FB44B95F581230D61C8F3D1EF2B95E2C724

Function 00007FF8A8717BA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8717BD0

Strings

..\s\ssl\packet.c, xrefs: 00007FF8A8717BC3

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\packet.c
API String ID: 2581946324-1434567093
Opcode ID: d015a26117427757ddc54211e59d7268a83010bbaab9829161d2671efcafd637
Instruction ID: 869cfb550e2bf01c3d0d4c9ded451d732b198db78c2c4d77f0e725f73d3ed909
Opcode Fuzzy Hash: d015a26117427757ddc54211e59d7268a83010bbaab9829161d2671efcafd637
Instruction Fuzzy Hash: 24E09226B1FA4191FF509F46E4407B41221FF58BC4F580034EA4C47B95DF2CD4508724

Function 00007FF8A87240B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CRYPTO_clear_free.LIBCRYPTO-1_1 ref: 00007FF8A87240E4

Strings

..\s\ssl\s3_enc.c, xrefs: 00007FF8A87240C2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_clear_free
String ID: ..\s\ssl\s3_enc.c
API String ID: 2011826501-1839494539
Opcode ID: 6d15e9bca7093c64b67abccaf57bc47edc1c3f3c4f044bc31ce0d445c21825d7
Instruction ID: 6355b2db917b573ba188950e4ee85bd5e7b55b940a98a6e74575c34fb8707fc6
Opcode Fuzzy Hash: 6d15e9bca7093c64b67abccaf57bc47edc1c3f3c4f044bc31ce0d445c21825d7
Instruction Fuzzy Hash: EBE0E576B4AB80D4DB409B6AD8893E823A0FB49F94F584132DE5D8B361CF29C197C324

Function 00007FF8A8746EB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8746EDD

Strings

..\s\ssl\statem\extensions.c, xrefs: 00007FF8A8746EC2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\statem\extensions.c
API String ID: 2581946324-1165805907
Opcode ID: bd8ef7996465aaa123a9ed5fcd9aa2ec83acebaf0b4b8fd92fb51a958bfe70fe
Instruction ID: c0dc3c2d00fb732307e7f8d88caf80c80aae0a948ad846a40329f133281a868f
Opcode Fuzzy Hash: bd8ef7996465aaa123a9ed5fcd9aa2ec83acebaf0b4b8fd92fb51a958bfe70fe
Instruction Fuzzy Hash: D7E0C2A6B4678090EB80AB19C4483E83310EB48FC0F084131DE8C4F3B1DF69C0C68328

Function 00007FF8A8746E40 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8746E6D

Strings

..\s\ssl\statem\extensions.c, xrefs: 00007FF8A8746E52

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\statem\extensions.c
API String ID: 2581946324-1165805907
Opcode ID: 1ae04f608c47b7b071d537360b43de49cb38d9448fa9a7f12d68393753ed3c2c
Instruction ID: 2b934f210e3fe6fc8068421b9b219130e1c211cad6a8e9c10074ca45f829769a
Opcode Fuzzy Hash: 1ae04f608c47b7b071d537360b43de49cb38d9448fa9a7f12d68393753ed3c2c
Instruction Fuzzy Hash: 1CE0C2A2B4674290EB40AB19C4887F83320FB88FC0F084031DE5C4F3A2DF29C0868324

Function 00007FF8A8725FAA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A8725FBE

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A8725FB1

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\s3_lib.c
API String ID: 2581946324-4238427508
Opcode ID: 7ae72a30f544c8c2a7bb2631f02d0963bb63774449a42ec570a7266584d9cf7e
Instruction ID: 596ae02471d9cb6147a01d14d4fb88957cb9b9b6295e8f0ab6e3e2dfc5785fdd
Opcode Fuzzy Hash: 7ae72a30f544c8c2a7bb2631f02d0963bb63774449a42ec570a7266584d9cf7e
Instruction Fuzzy Hash: 3FE04622A0AA5191E701AF25E0406A86352E780BA8F090032DE0C0B695DE7AD0A2C324

Function 00007FF8A871DC90 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A871DCB6

Strings

..\s\ssl\record\ssl3_buffer.c, xrefs: 00007FF8A871DCA2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\record\ssl3_buffer.c
API String ID: 2581946324-837614940
Opcode ID: 0fab9104d690dfdc4b2c58140b20426d9cbe820762dd88e720a3d67a9eb35bd8
Instruction ID: 19dc8b4c5e55b1529e3b3b56222ed3dd88567274ee5dc0815192c1b92fe96e08
Opcode Fuzzy Hash: 0fab9104d690dfdc4b2c58140b20426d9cbe820762dd88e720a3d67a9eb35bd8
Instruction Fuzzy Hash: F9D05E56F46A4091E7007B55D8053E42350FB08B85F044034ED4C4E782DF1D91858B24

Function 00007FF8A871DBE0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CRYPTO_free.LIBCRYPTO-1_1 ref: 00007FF8A871DC00

Strings

..\s\ssl\record\ssl3_buffer.c, xrefs: 00007FF8A871DBF9

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_free
String ID: ..\s\ssl\record\ssl3_buffer.c
API String ID: 2581946324-837614940
Opcode ID: 89b000c5dabd9ea683806d246d5a4687071895b774cc8c145858db24a744a993
Instruction ID: 66091c4ef8859d5bbf03fc2c0f3571623c1a8e8307fb9fa178625a81f9156dfa
Opcode Fuzzy Hash: 89b000c5dabd9ea683806d246d5a4687071895b774cc8c145858db24a744a993
Instruction Fuzzy Hash: 7DD0A762F0A50195EB017F21D8013A42350EB48B84F458030D50C4B742DF2C9584C724

Function 00007FF8A87120DB Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_read_lock.LIBCRYPTO-1_1 ref: 00007FF8A874364D
CRYPTO_THREAD_unlock.LIBCRYPTO-1_1 ref: 00007FF8A8743672

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_read_lockD_unlock
String ID:
API String ID: 102331797-0
Opcode ID: 2be5ada4b618e032d2bea9dc6ce15e754e51126d1b7950891cfef9aa44b7dc28
Instruction ID: a56adc187b6fdd322ec3ea49f51ef376a9dcd960c405f142fdbed2569811011f
Opcode Fuzzy Hash: 2be5ada4b618e032d2bea9dc6ce15e754e51126d1b7950891cfef9aa44b7dc28
Instruction Fuzzy Hash: 69E06522B5A98157E7449B15D9407EC9260EF88BC4F1C0031FA1D4B796CF38E8925715

Function 00007FF8A876AEB0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CRYPTO_memcmp.LIBCRYPTO-1_1 ref: 00007FF8A876AFAE

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_memcmp
String ID:
API String ID: 2788248766-0
Opcode ID: 93a04d3b6f8ccf0020798d0397c8e16ed48a0930a2fe11fdc3b0c287641772ed
Instruction ID: 85a3fcd0855b26e6ec390d031a5d49f6b2499b544e6f0dfd2e2aaa4114f9a335
Opcode Fuzzy Hash: 93a04d3b6f8ccf0020798d0397c8e16ed48a0930a2fe11fdc3b0c287641772ed
Instruction Fuzzy Hash: D23126A2A0AAC192EB214724E4012F9F760FB857E0F084331EAEC03AD1DF2CD2918B14

Function 00007FF8A874FA50 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

CRYPTO_memcmp.LIBCRYPTO-1_1 ref: 00007FF8A874FA6D

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_memcmp
String ID:
API String ID: 2788248766-0
Opcode ID: f33865e7c834f3f591e9e9f89c30cc85254ed43a6fca7aa66533db7c50c5e956
Instruction ID: 5a651632537007a8428e01bb4dc93e35b4a9be1a8d0ec392b565663944935a53
Opcode Fuzzy Hash: f33865e7c834f3f591e9e9f89c30cc85254ed43a6fca7aa66533db7c50c5e956
Instruction Fuzzy Hash: 66D0A716F4700241E744B2398C9617802C0EB40780F948034E10DC1691CE0CD5A64621

Function 00007FF8A872DC70 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CRYPTO_THREAD_run_once.LIBCRYPTO-1_1(00007FF8A872D23E), ref: 00007FF8A872DC8B

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_run_once
String ID:
API String ID: 1403826838-0
Opcode ID: 7c5af16a9dc87f73c85252f64bc18109751982fe2cdf42626bf89392200f8992
Instruction ID: a6d0862b586bf5872d9dea25ada896a0c722e4d74551daf558f07e96c0da3c7d
Opcode Fuzzy Hash: 7c5af16a9dc87f73c85252f64bc18109751982fe2cdf42626bf89392200f8992
Instruction Fuzzy Hash: 4CD09E29F8B503A6EA44A728DC561B56351EF48380F404075E40E86561DF1CA905CB68

Function 00007FF8A87331B0 Relevance: 71.9, APIs: 35, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87331D2
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87331DF
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87331EC
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87331F9
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A8733206
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A8733213
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A8733220
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A873322D
EVP_aes_256_cbc.LIBCRYPTO-1_1 ref: 00007FF8A8733232
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A873323A
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A8733247
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A8733254
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A8733261
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A873326E
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A873327B
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A8733288
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A8733295
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87332A2
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87332AF
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87332BC
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87332C9
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87332D6
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87332E3
EVP_add_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87332F0
EVP_md5.LIBCRYPTO-1_1 ref: 00007FF8A87332F5
EVP_add_digest.LIBCRYPTO-1_1 ref: 00007FF8A8733322
EVP_sha1.LIBCRYPTO-1_1 ref: 00007FF8A8733327
EVP_add_digest.LIBCRYPTO-1_1 ref: 00007FF8A873332F
OBJ_NAME_add.LIBCRYPTO-1_1 ref: 00007FF8A8733347
OBJ_NAME_add.LIBCRYPTO-1_1 ref: 00007FF8A873335F
EVP_add_digest.LIBCRYPTO-1_1 ref: 00007FF8A873336C
EVP_sha256.LIBCRYPTO-1_1 ref: 00007FF8A8733371
EVP_add_digest.LIBCRYPTO-1_1 ref: 00007FF8A8733379
EVP_add_digest.LIBCRYPTO-1_1 ref: 00007FF8A8733386
EVP_add_digest.LIBCRYPTO-1_1 ref: 00007FF8A8733393

Part of subcall function 00007FF8A871191F: OBJ_nid2sn.LIBCRYPTO-1_1 ref: 00007FF8A8730C77
Part of subcall function 00007FF8A871191F: EVP_get_digestbyname.LIBCRYPTO-1_1 ref: 00007FF8A8730C7F
Part of subcall function 00007FF8A871191F: EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1 ref: 00007FF8A8730D01
Part of subcall function 00007FF8A871191F: EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1 ref: 00007FF8A8730D21
Part of subcall function 00007FF8A871191F: ENGINE_finish.LIBCRYPTO-1_1 ref: 00007FF8A8730D35
Part of subcall function 00007FF8A871191F: EVP_PKEY_asn1_find_str.LIBCRYPTO-1_1 ref: 00007FF8A8730D73
Part of subcall function 00007FF8A871191F: EVP_PKEY_asn1_get0_info.LIBCRYPTO-1_1 ref: 00007FF8A8730D93
Part of subcall function 00007FF8A871191F: ENGINE_finish.LIBCRYPTO-1_1 ref: 00007FF8A8730DA7

Strings

ssl3-sha1, xrefs: 00007FF8A8733340
RSA-SHA1-2, xrefs: 00007FF8A8733358
SHA1, xrefs: 00007FF8A8733334
ssl3-md5, xrefs: 00007FF8A873330E
MD5, xrefs: 00007FF8A8733302
RSA-SHA1, xrefs: 00007FF8A873334C

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: P_add_cipher$P_add_digest$E_addE_finishY_asn1_find_strY_asn1_get0_info$J_nid2snP_aes_256_cbcP_get_digestbynameP_md5P_sha1P_sha256
String ID: MD5$RSA-SHA1$RSA-SHA1-2$SHA1$ssl3-md5$ssl3-sha1
API String ID: 1429678301-3803824401
Opcode ID: 50bc0d389ec4add2b6b019e9396afca5876b120b1659bdd8f08d120d6539e405
Instruction ID: 7d55f688716fd620009c74eaf056a69465a3fc6f72664ace83e27684d605fc9b
Opcode Fuzzy Hash: 50bc0d389ec4add2b6b019e9396afca5876b120b1659bdd8f08d120d6539e405
Instruction Fuzzy Hash: 6E410151E8F64764F944B7E1641A3F82285DFEABC0F444035E91D66693EF2CA0C4C67E

Function 00007FF8A8711E47 Relevance: 63.4, APIs: 19, Strings: 17, Instructions: 441COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_reset.LIBCRYPTO-1_1 ref: 00007FF8A8778B60
EVP_CIPHER_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A8778B7F
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A8778C64
EVP_CIPHER_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A8778C81

Part of subcall function 00007FF8A8778780: EVP_MD_size.LIBCRYPTO-1_1(?,?,?,?,?,00000374,00000000,?,00007FF8A877A8DF), ref: 00007FF8A87787F1
Part of subcall function 00007FF8A8778780: OPENSSL_cleanse.LIBCRYPTO-1_1(?,?,?,?,?,00000374,00000000,?,00007FF8A877A8DF), ref: 00007FF8A87789F4

memcpy.VCRUNTIME140 ref: 00007FF8A8779076
memcpy.VCRUNTIME140 ref: 00007FF8A8779095
memcpy.VCRUNTIME140 ref: 00007FF8A877917B
memcpy.VCRUNTIME140 ref: 00007FF8A877920C
OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 00007FF8A87792B6

Strings

s ap traffic, xrefs: 00007FF8A8778C06, 00007FF8A877905C, 00007FF8A877915B
c hs traffic, xrefs: 00007FF8A8778FB0
CLIENT_TRAFFIC_SECRET_0, xrefs: 00007FF8A8778FD4
finished, xrefs: 00007FF8A8779240
c ap traffic, xrefs: 00007FF8A8778C22, 00007FF8A877909A, 00007FF8A8779100
CLIENT_HANDSHAKE_TRAFFIC_SECRET, xrefs: 00007FF8A8778FBB
SERVER_HANDSHAKE_TRAFFIC_SECRET, xrefs: 00007FF8A8778C6C
CLIENT_EARLY_TRAFFIC_SECRET, xrefs: 00007FF8A8778CED
EXPORTER_SECRET, xrefs: 00007FF8A87791DB
res master, xrefs: 00007FF8A87790BD
exp master, xrefs: 00007FF8A8779197
e exp master, xrefs: 00007FF8A8778EC7
s hs traffic, xrefs: 00007FF8A8778C29, 00007FF8A877907B
..\s\ssl\tls13_enc.c, xrefs: 00007FF8A8778BA0, 00007FF8A8778D1E, 00007FF8A8778D83, 00007FF8A8778DC1, 00007FF8A8778DF1, 00007FF8A8778F0E, 00007FF8A8778F5C
SERVER_TRAFFIC_SECRET_0, xrefs: 00007FF8A8778CA6
EARLY_EXPORTER_SECRET, xrefs: 00007FF8A8778F33
c e traffic, xrefs: 00007FF8A8778C1B, 00007FF8A8779284

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: memcpy$D_sizeL_cleanseX_new$X_reset
String ID: ..\s\ssl\tls13_enc.c$CLIENT_EARLY_TRAFFIC_SECRET$CLIENT_HANDSHAKE_TRAFFIC_SECRET$CLIENT_TRAFFIC_SECRET_0$EARLY_EXPORTER_SECRET$EXPORTER_SECRET$SERVER_HANDSHAKE_TRAFFIC_SECRET$SERVER_TRAFFIC_SECRET_0$c ap traffic$c e traffic$c hs traffic$e exp master$exp master$finished$res master$s ap traffic$s hs traffic
API String ID: 2058625460-2823458745
Opcode ID: 828bc4e07da1edb6e5280f2130e6b0f1ae9111debb28a28bee823e7fa26c9e14
Instruction ID: 192984abf2b6e7de5a0f33a90d3359c019e47c4b895657e0960990796f49b405
Opcode Fuzzy Hash: 828bc4e07da1edb6e5280f2130e6b0f1ae9111debb28a28bee823e7fa26c9e14
Instruction Fuzzy Hash: 50227B32A4BB42A6EB50DB21E8403B977A5FB447C4F400136EA8C57BA5DF3CE565C728

Function 00007FF8A8711DB1 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872AC4C
X509_STORE_new.LIBCRYPTO-1_1 ref: 00007FF8A872AC5C
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A872AC71
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A872AC86
X509_STORE_add_cert.LIBCRYPTO-1_1 ref: 00007FF8A872AC91
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A872ACA4
X509_STORE_add_cert.LIBCRYPTO-1_1 ref: 00007FF8A872ACB3
X509_STORE_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A872ACF1
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872AD19
X509_STORE_CTX_init.LIBCRYPTO-1_1 ref: 00007FF8A872AD2F
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872AD53
X509_STORE_CTX_set_flags.LIBCRYPTO-1_1 ref: 00007FF8A872AD69
X509_verify_cert.LIBCRYPTO-1_1 ref: 00007FF8A872AD71
ERR_clear_error.LIBCRYPTO-1_1 ref: 00007FF8A872AD8D
X509_STORE_CTX_get1_chain.LIBCRYPTO-1_1 ref: 00007FF8A872AD9D
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872ADC6
X509_STORE_CTX_get_error.LIBCRYPTO-1_1 ref: 00007FF8A872ADCE
X509_verify_cert_error_string.LIBCRYPTO-1_1 ref: 00007FF8A872ADD5
ERR_add_error_data.LIBCRYPTO-1_1 ref: 00007FF8A872ADE9
X509_free.LIBCRYPTO-1_1 ref: 00007FF8A872ADFE
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A872AE0C
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A872AE18
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A872AE23
X509_get_extension_flags.LIBCRYPTO-1_1 ref: 00007FF8A872AE2B
X509_free.LIBCRYPTO-1_1 ref: 00007FF8A872AE41
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A872AE4B
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A872AE59
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A872AE86
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A872AE9A
X509_STORE_free.LIBCRYPTO-1_1 ref: 00007FF8A872AEB8
X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A872AEC0
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872AEFC
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A872AF0B

Strings

..\s\ssl\ssl_cert.c, xrefs: 00007FF8A872AC2F, 00007FF8A872ACFE, 00007FF8A872AD38, 00007FF8A872ADB6, 00007FF8A872AEE0
Verify error:, xrefs: 00007FF8A872ADDD

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X509_$L_sk_num$R_put_error$L_sk_value$E_add_certL_sk_pop_freeX509_free$E_freeE_newR_add_error_dataR_clear_errorX509_get_extension_flagsX509_verify_certX509_verify_cert_error_stringX_freeX_get1_chainX_get_errorX_initX_newX_set_flags
String ID: ..\s\ssl\ssl_cert.c$Verify error:
API String ID: 2742951747-2787608381
Opcode ID: 8f23f0ffaa077f971528c7fe8e67f52115ef543c6c0c3a72c975c7346f5e4f6e
Instruction ID: 988aa977053e1a898c36e619ce208d5795a26b6ecb40eea6e007757d8f735cf1
Opcode Fuzzy Hash: 8f23f0ffaa077f971528c7fe8e67f52115ef543c6c0c3a72c975c7346f5e4f6e
Instruction Fuzzy Hash: AE81C421A8F64366FB25AB2695513BDA291EF85BC4F044031EE4E477E2EF3CE541C328

Function 00007FF8A87111EA Relevance: 49.2, APIs: 25, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1 ref: 00007FF8A8729E97
OPENSSL_sk_set_cmp_func.LIBCRYPTO-1_1 ref: 00007FF8A8729EBD
BIO_s_file.LIBCRYPTO-1_1 ref: 00007FF8A8729EC5
BIO_new.LIBCRYPTO-1_1 ref: 00007FF8A8729ECD
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8729EF9
BIO_free.LIBCRYPTO-1_1 ref: 00007FF8A8729F04
X509_free.LIBCRYPTO-1_1 ref: 00007FF8A8729F0E
OPENSSL_sk_set_cmp_func.LIBCRYPTO-1_1 ref: 00007FF8A8729F19
OPENSSL_DIR_read.LIBCRYPTO-1_1 ref: 00007FF8A8729F2E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8A8729F3F
GetLastError.KERNEL32 ref: 00007FF8A8729F4E
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8729F6E
ERR_add_error_data.LIBCRYPTO-1_1 ref: 00007FF8A8729F89
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8729FAB
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8729FC6
PEM_read_bio_X509.LIBCRYPTO-1_1 ref: 00007FF8A8729FE1
X509_get_subject_name.LIBCRYPTO-1_1 ref: 00007FF8A8729FF5
X509_NAME_dup.LIBCRYPTO-1_1 ref: 00007FF8A872A006
X509_NAME_free.LIBCRYPTO-1_1 ref: 00007FF8A872A029
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A872A036
PEM_read_bio_X509.LIBCRYPTO-1_1 ref: 00007FF8A872A04D
ERR_clear_error.LIBCRYPTO-1_1 ref: 00007FF8A872A057
X509_NAME_free.LIBCRYPTO-1_1 ref: 00007FF8A872A064
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872A08B
OPENSSL_DIR_end.LIBCRYPTO-1_1 ref: 00007FF8A872A0D5

Strings

%s/%s, xrefs: 00007FF8A8729E88
OPENSSL_DIR_read(&ctx, ', xrefs: 00007FF8A8729F7D
..\s\ssl\ssl_cert.c, xrefs: 00007FF8A8729EDE, 00007FF8A8729F64, 00007FF8A8729F9B, 00007FF8A872A07B

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$X509_$E_freeL_sk_set_cmp_funcM_read_bio_X509$E_dupErrorL_sk_pushLastO_ctrlO_freeO_newO_s_fileO_snprintfR_add_error_dataR_clear_errorR_endR_readX509_freeX509_get_subject_name_errno
String ID: %s/%s$..\s\ssl\ssl_cert.c$OPENSSL_DIR_read(&ctx, '
API String ID: 1298587036-4291904164
Opcode ID: bfaec08295fa187a42c2bae2134a07b14a1be90769edc37cfa1149c9e0ecbee9
Instruction ID: 2807cb65602e957601773964e91231ca291ae45c7d2f82cbce900a2f71db70e6
Opcode Fuzzy Hash: bfaec08295fa187a42c2bae2134a07b14a1be90769edc37cfa1149c9e0ecbee9
Instruction Fuzzy Hash: 6871A362A4F682A1FB60AB11E4507BA6391FF85BC4F440035EA4D17B96EF3CE545C72C

Function 00007FF8A8741B80 Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 208COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741BF6
OPENSSL_sk_num.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741C1B
OPENSSL_sk_value.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741C29
OPENSSL_sk_num.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741C4E
X509_get_pubkey.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741C62
ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741CB1
ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741CD7
EVP_PKEY_missing_parameters.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741CEE
ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741D1A
EVP_PKEY_copy_parameters.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741D36
EVP_PKEY_id.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741D3E
EVP_PKEY_get0_RSA.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741D4B
RSA_flags.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741D53
EVP_PKEY_cmp.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741D66
ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741D93
ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741DE7
X509_chain_up_ref.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741DF9
ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741E23
OPENSSL_sk_pop_free.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741E45
X509_free.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741E71
X509_up_ref.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741E79
EVP_PKEY_free.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741EA0
EVP_PKEY_up_ref.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741EA8
EVP_PKEY_free.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A873FDEA), ref: 00007FF8A8741EEC

Strings

..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A8741BDA, 00007FF8A8741C94, 00007FF8A8741CBB, 00007FF8A8741CFB, 00007FF8A8741D74, 00007FF8A8741DC8, 00007FF8A8741E08

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$L_sk_numY_free$A_flagsL_sk_pop_freeL_sk_valueX509_chain_up_refX509_freeX509_get_pubkeyX509_up_refY_cmpY_copy_parametersY_get0_Y_idY_missing_parametersY_up_ref
String ID: ..\s\ssl\ssl_rsa.c
API String ID: 4117821453-2723262194
Opcode ID: e6024f1cf54ac9806412a1fdec46b1d3a709c4903ee597b082f0ef5f79bfbcc9
Instruction ID: 03bc0b53b34349ba843b3ed7ca2fc148bfaa60b2f858ff284c653ff2aa5d327c
Opcode Fuzzy Hash: e6024f1cf54ac9806412a1fdec46b1d3a709c4903ee597b082f0ef5f79bfbcc9
Instruction Fuzzy Hash: B591D371A8FA82A5EB60EB52D4547B963A0FB89BC0F440136EA8D47B95CF3DD501C738

Function 00007FF8A87110DC Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A872A5F0
OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 00007FF8A872A625
X509_get_subject_name.LIBCRYPTO-1_1 ref: 00007FF8A872A637
X509_NAME_dup.LIBCRYPTO-1_1 ref: 00007FF8A872A64B
OPENSSL_LH_retrieve.LIBCRYPTO-1_1 ref: 00007FF8A872A662
X509_NAME_free.LIBCRYPTO-1_1 ref: 00007FF8A872A66F
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A872A689
PEM_read_bio_X509.LIBCRYPTO-1_1 ref: 00007FF8A872A6A0
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872A6D7
X509_NAME_free.LIBCRYPTO-1_1 ref: 00007FF8A872A6DF
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A872A6EE
BIO_free.LIBCRYPTO-1_1 ref: 00007FF8A872A6F8
X509_free.LIBCRYPTO-1_1 ref: 00007FF8A872A702
OPENSSL_LH_free.LIBCRYPTO-1_1 ref: 00007FF8A872A70A
ERR_clear_error.LIBCRYPTO-1_1 ref: 00007FF8A872A714

Strings

..\s\ssl\ssl_cert.c, xrefs: 00007FF8A872A6C8

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X509_$E_free$E_dupH_freeH_retrieveL_sk_new_nullL_sk_pop_freeL_sk_pushM_read_bio_O_ctrlO_freeR_clear_errorR_put_errorX509X509_freeX509_get_subject_name
String ID: ..\s\ssl\ssl_cert.c
API String ID: 1315476032-349359282
Opcode ID: 00e58a32cfc21ac5b3b35e8b5e0e928215f7a2bcebd13ad3ffba05c767f12916
Instruction ID: 919e2b95c63c0972d29365e6372153c309d1e2023ea15d9d0ad77257f551d455
Opcode Fuzzy Hash: 00e58a32cfc21ac5b3b35e8b5e0e928215f7a2bcebd13ad3ffba05c767f12916
Instruction Fuzzy Hash: 60419D21A8F64369FB51AB2694117B99291EF8ABC4F084034ED0D0BB96EF7CE401C768

Function 00007FF8A8763B00 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

X509_STORE_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A8763B90
X509_STORE_CTX_init.LIBCRYPTO-1_1 ref: 00007FF8A8763BDB
X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8763BE7
X509_verify_cert.LIBCRYPTO-1_1 ref: 00007FF8A8763BFC
ERR_clear_error.LIBCRYPTO-1_1 ref: 00007FF8A8763C01
X509_STORE_CTX_get0_chain.LIBCRYPTO-1_1 ref: 00007FF8A8763C09
X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8763C2C
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A8763C44
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A8763C56
X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8763C79
X509_STORE_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8763C86

Strings

..\s\ssl\statem\statem_lib.c, xrefs: 00007FF8A8763BAC

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X509_$X_free$L_sk_numL_sk_valueR_clear_errorX509_verify_certX_get0_chainX_initX_new
String ID: ..\s\ssl\statem\statem_lib.c
API String ID: 763122443-2839845709
Opcode ID: 075e843ef75536d1c9cd74613c60976b59a86466f3289857b931039d86a0a7d4
Instruction ID: 0d0298697d93d2b53c827796617a3e3d91b016f07803cb857669b5ca3433da64
Opcode Fuzzy Hash: 075e843ef75536d1c9cd74613c60976b59a86466f3289857b931039d86a0a7d4
Instruction Fuzzy Hash: F851C660B8F68261FB61AA2258507BE6680EF85FC4F184034ED4D47BD2DF2CE542C72C

Function 00007FF8A87111CC Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 374COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF8A8774FB9

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 0c00cf3d59b9a8b7540c50735eae0699765dff90e778f59e0a662ece70efbc7b
Instruction ID: e8501738a21533286c460f09674e95e81ddb506ecd4b1377ab126495d20e5e38
Opcode Fuzzy Hash: 0c00cf3d59b9a8b7540c50735eae0699765dff90e778f59e0a662ece70efbc7b
Instruction Fuzzy Hash: 0BE1F3A1E8F782A1FA648B26948037A2692FF45BC4F140535DE4E877D5DF3CE881C729

Function 00007FF8A8770D20 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1(?,?,?,00007FF8A8771EA7), ref: 00007FF8A8770DAC
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1(?,?,?,00007FF8A8771EA7), ref: 00007FF8A8770E02
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1(?,?,?,00007FF8A8771EA7), ref: 00007FF8A8770E3B
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1(?,?,?,00007FF8A8771EA7), ref: 00007FF8A8770E66
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1(?,?,?,00007FF8A8771EA7), ref: 00007FF8A8770E94
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1(?,?,?,00007FF8A8771EA7), ref: 00007FF8A8770ECA
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1(?,?,?,00007FF8A8771EA7), ref: 00007FF8A8770F03
EVP_PKEY_CTX_ctrl.LIBCRYPTO-1_1(?,?,?,00007FF8A8771EA7), ref: 00007FF8A8770F38
EVP_PKEY_CTX_free.LIBCRYPTO-1_1(?,?,?,00007FF8A8771EA7), ref: 00007FF8A8770FB8

Strings

7, xrefs: 00007FF8A8770F9F
..\s\ssl\t1_enc.c, xrefs: 00007FF8A8770D5D, 00007FF8A8770F64
5, xrefs: 00007FF8A8770F79

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_ctrl$R_put_errorX_free
String ID: ..\s\ssl\t1_enc.c$5$7
API String ID: 250720567-3625921376
Opcode ID: 3ae972235292024a7fc3ead35476b7aa594fbede8c3ce86f09c99634b3f02422
Instruction ID: cacb97867e013825b5d5ae0e09b4b4587ba5e9a62e6fe9f42ec6f6dde20f69a3
Opcode Fuzzy Hash: 3ae972235292024a7fc3ead35476b7aa594fbede8c3ce86f09c99634b3f02422
Instruction Fuzzy Hash: 6A616531B4A78196F730EA25A40076A7691FB88BD4F144234EE9C47BD9DF7CE541CB18

Function 00007FF8A871119F Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A8724B93
EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 00007FF8A8724C3D
EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 00007FF8A8724C53
EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 00007FF8A8724C77
EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 00007FF8A8724C9B
EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 00007FF8A8724CB5
EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FF8A8724CD2
EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 00007FF8A8724CE4
EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 00007FF8A8724CFA
EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 00007FF8A8724D0E
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8724D67
OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 00007FF8A8724D76

Strings

..\s\ssl\s3_enc.c, xrefs: 00007FF8A8724BA3, 00007FF8A8724D44

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: Digest$Update$Final_ex$Init_exL_cleanseX_freeX_new
String ID: ..\s\ssl\s3_enc.c
API String ID: 1085713656-1839494539
Opcode ID: 39a1919e9ef59d7ed045724917498608cbe3b6190e0008732e4af122b5381e89
Instruction ID: 1f730827fd9ea3cbf4bdd514edd216dd19c7bf14cfaf767aff47521314eb2bd2
Opcode Fuzzy Hash: 39a1919e9ef59d7ed045724917498608cbe3b6190e0008732e4af122b5381e89
Instruction Fuzzy Hash: B6510771B8EB9261EB559B16A8007BA6791FF85BC4F805031EE4D47B56EF3CE440CB28

Function 00007FF8A8711C08 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 132stringCOMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 00007FF8A87176B9
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87176E1
strchr.VCRUNTIME140 ref: 00007FF8A8717718
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF8A871778C
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87177C3
OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 00007FF8A87177CB

Strings

H, xrefs: 00007FF8A87176CB
..\s\ssl\d1_srtp.c, xrefs: 00007FF8A87176D3, 00007FF8A87177AE

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$L_sk_freeL_sk_new_nullstrchrstrncmp
String ID: ..\s\ssl\d1_srtp.c$H
API String ID: 767303460-1001428523
Opcode ID: 7b7a6390bed2181aebf5e2a1c2c0be56bfb3cc0c2d6cba689b40a30af0b555db
Instruction ID: adc3b4383cc3fb05db6ff0ec8abbb7f641da7278079808d81a811be762705cf7
Opcode Fuzzy Hash: 7b7a6390bed2181aebf5e2a1c2c0be56bfb3cc0c2d6cba689b40a30af0b555db
Instruction Fuzzy Hash: FA41E521B8F242A6FB119B25A8003795691EF44FC4F584435EE4D8BFA9DF3CE542C728

Function 00007FF8A8711C30 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A8779B08
EVP_PKEY_new_raw_private_key.LIBCRYPTO-1_1 ref: 00007FF8A8779BD8
OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 00007FF8A8779BEA
EVP_PKEY_new_raw_private_key.LIBCRYPTO-1_1 ref: 00007FF8A8779C04
EVP_DigestSignInit.LIBCRYPTO-1_1 ref: 00007FF8A8779C26
EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 00007FF8A8779C3F
EVP_DigestSignFinal.LIBCRYPTO-1_1 ref: 00007FF8A8779C53
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A8779C91
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8779C99

Strings

finished, xrefs: 00007FF8A8779B9A
..\s\ssl\tls13_enc.c, xrefs: 00007FF8A8779C70

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: Digest$SignY_new_raw_private_key$FinalInitL_cleanseUpdateX_freeX_newY_free
String ID: ..\s\ssl\tls13_enc.c$finished
API String ID: 2202177965-3224497825
Opcode ID: 2816fe4870f40e959f7b44cc93383418d0bead9498ae76b310b75180e0229bd1
Instruction ID: 3e5b9e642a6e58b55f011405fc808d8e42d06f0c37c9c6b783cd3a2297697426
Opcode Fuzzy Hash: 2816fe4870f40e959f7b44cc93383418d0bead9498ae76b310b75180e0229bd1
Instruction Fuzzy Hash: 1151922164FB82A6EA64DB62E4407EAA3A5FF84BC0F444031EE8D47B95DF7CD401C724

Function 00007FF8A8711924 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

BIO_method_type.LIBCRYPTO-1_1 ref: 00007FF8A873AC09
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A873AC22
BIO_up_ref.LIBCRYPTO-1_1 ref: 00007FF8A873AC2E
BIO_s_socket.LIBCRYPTO-1_1 ref: 00007FF8A873AC43
BIO_new.LIBCRYPTO-1_1 ref: 00007FF8A873AC4B
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873AC73
BIO_int_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A873AC97
BIO_pop.LIBCRYPTO-1_1 ref: 00007FF8A873ACA7
BIO_free_all.LIBCRYPTO-1_1 ref: 00007FF8A873ACB4
BIO_push.LIBCRYPTO-1_1 ref: 00007FF8A873ACC9

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873AC58

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrlO_free_allO_int_ctrlO_method_typeO_newO_popO_pushO_s_socketO_up_refR_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 2857342199-1080266419
Opcode ID: afe129a1da331925c3ba9b75f75f9256d16665101ed034ab7058a5105b0c2eee
Instruction ID: 11067717e5f1b3ae898ee2b6b47804d83379dd8d7f97becbe580ac4112560908
Opcode Fuzzy Hash: afe129a1da331925c3ba9b75f75f9256d16665101ed034ab7058a5105b0c2eee
Instruction Fuzzy Hash: C521E122A4FA0252EB55DB21E5527BD73A1EF84BC8F044131DE4C47B96CF2CE841C799

Function 00007FF8A8731070 Relevance: 18.1, APIs: 12, Instructions: 77COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A87310B3
OPENSSL_sk_value.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A87310C5
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A87310E0
OPENSSL_sk_num.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A87310EE
OPENSSL_sk_value.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A8731105
OPENSSL_sk_insert.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A8731113
OPENSSL_sk_num.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A873111D
OPENSSL_sk_dup.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A8731129
OPENSSL_sk_free.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A8731139
OPENSSL_sk_set_cmp_func.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A873114B
OPENSSL_sk_sort.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A8731153
OPENSSL_sk_free.LIBCRYPTO-1_1(?,00007FF8A872D4BB), ref: 00007FF8A873115B

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_num$L_sk_freeL_sk_value$L_sk_dupL_sk_insertL_sk_set_cmp_funcL_sk_sort
String ID:
API String ID: 567883156-0
Opcode ID: efb8e30b7614238f6bec727fef9f359d8886d255d7fd97784a2dd3b8903396cd
Instruction ID: a1da5ff77b72d91d2106232f87f3ee299368a9960c8386388c2aa9e494034aa7
Opcode Fuzzy Hash: efb8e30b7614238f6bec727fef9f359d8886d255d7fd97784a2dd3b8903396cd
Instruction Fuzzy Hash: 0C214F21B8BA4260FA45EB16A8513B96395EFC9FC0F049031FE8D47796DF3DE4018729

Function 00007FF8A8741FF0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8742036
X509_get0_pubkey.LIBCRYPTO-1_1 ref: 00007FF8A874205F
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8742084

Strings

..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A8742028, 00007FF8A8742069

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$X509_get0_pubkey
String ID: ..\s\ssl\ssl_rsa.c
API String ID: 2083351937-2723262194
Opcode ID: 758f28cdbd2ccb923fb728b149dfb51d1ee814eed399240e30ea96a7bbb1880f
Instruction ID: 387fab575bfd0f1f803da0a94c8b43b86942864c93d86f5c6c144cbbffcec532
Opcode Fuzzy Hash: 758f28cdbd2ccb923fb728b149dfb51d1ee814eed399240e30ea96a7bbb1880f
Instruction Fuzzy Hash: FE418E22B5A98291EF00DB65E5502BDA360FBD8BC8F440231EA4E437AAEF7CD554C714

Function 00007FF8A8711CDF Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

BIO_puts.LIBCRYPTO-1_1 ref: 00007FF8A874652C
BIO_puts.LIBCRYPTO-1_1 ref: 00007FF8A8746543
BIO_printf.LIBCRYPTO-1_1 ref: 00007FF8A8746573
BIO_puts.LIBCRYPTO-1_1 ref: 00007FF8A8746592
BIO_printf.LIBCRYPTO-1_1 ref: 00007FF8A87465C0
BIO_puts.LIBCRYPTO-1_1 ref: 00007FF8A87465DC

Strings

Session-ID:, xrefs: 00007FF8A8746539
%02X, xrefs: 00007FF8A8746569, 00007FF8A87465B6
RSA , xrefs: 00007FF8A8746525
Master-Key:, xrefs: 00007FF8A8746588

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_puts$O_printf
String ID: Master-Key:$%02X$RSA $Session-ID:
API String ID: 4098839300-1878088908
Opcode ID: 6439ea0abf71c53b0b28808bb68b17e8a342f49eafa54fc74df7f6dff14ec5b0
Instruction ID: 674e2a79b93d79fc8e17181ff53be14bd123b982d9ba95f31011e96cbb46695f
Opcode Fuzzy Hash: 6439ea0abf71c53b0b28808bb68b17e8a342f49eafa54fc74df7f6dff14ec5b0
Instruction Fuzzy Hash: 8A3108B5A8AA83B5FA84DB55D5007B8A3A4FF487C0F084170DE2D43699DF2CE460C728

Function 00007FF8A8740B50 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8740B89
EVP_PKEY_new.LIBCRYPTO-1_1 ref: 00007FF8A8740BA0
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8740BC8

Strings

o, xrefs: 00007FF8A8740BB4
..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A8740B6E, 00007FF8A8740BAD

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$Y_new
String ID: ..\s\ssl\ssl_rsa.c$o
API String ID: 2632022502-2060984337
Opcode ID: b4e2002193e5270f6cb0f522eb2a9cea031549ee476cf656a9c34cd95f8dc690
Instruction ID: 67fa665e7009028a80883f02276c4af797ad9e5f0ca0a2a97302ff932a65cbcb
Opcode Fuzzy Hash: b4e2002193e5270f6cb0f522eb2a9cea031549ee476cf656a9c34cd95f8dc690
Instruction Fuzzy Hash: 4821A421B4A54292E750EB65F5013BD63A1EF89BC8F480031EB4C47B96DF2DD9518B18

Function 00007FF8A87110EB Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 454COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A87522AA
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A875233D
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A8752345
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8752945
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A875294D
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8752968
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A8752970

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A87529A3

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_freeY_free$X_new
String ID: ..\s\ssl\statem\extensions_srvr.c
API String ID: 762765117-1853348325
Opcode ID: f4343afbcf12128f5cc01bbde587fdb0aa201b54c81854f24e587dbeb17be2f0
Instruction ID: 525117b34d5f280741e1cfc81f39e90d0b9cd466dcdc10e07a3d6711c4fbec8a
Opcode Fuzzy Hash: f4343afbcf12128f5cc01bbde587fdb0aa201b54c81854f24e587dbeb17be2f0
Instruction Fuzzy Hash: EC122532B1E682A2FB24CB11E4443BEA7A0FB847D4F545030EA8D56AD5DF7CE945C728

Function 00007FF8A8711A41 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

..\s\ssl\statem\extensions_srvr.c, xrefs: 00007FF8A87506A6, 00007FF8A875070F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\extensions_srvr.c
API String ID: 0-1853348325
Opcode ID: 27d1466eff719b0577324f9a770f6c28553586702bfe742e8fd3f5b3479ee174
Instruction ID: af79e76d0455ce82d779839ff01bced26d9a9518c5c61e8fc2a207f286c09e5d
Opcode Fuzzy Hash: 27d1466eff719b0577324f9a770f6c28553586702bfe742e8fd3f5b3479ee174
Instruction Fuzzy Hash: 1FC18F61F8A643A5FB68DA2294103BE2391EF85BC4F046031DE4D5BB99DF3DE542C728

Function 00007FF8A875EF10 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

BN_bin2bn.LIBCRYPTO-1_1(?,?,00000000,?,..\s\ssl\statem\statem_clnt.c,?,00007FF8A875CFAA), ref: 00007FF8A875F0AB
BN_bin2bn.LIBCRYPTO-1_1(?,?,00000000,?,..\s\ssl\statem\statem_clnt.c,?,00007FF8A875CFAA), ref: 00007FF8A875F0BD
BN_free.LIBCRYPTO-1_1(?,?,00000000,?,..\s\ssl\statem\statem_clnt.c,?,00007FF8A875CFAA), ref: 00007FF8A875F28B
BN_free.LIBCRYPTO-1_1(?,?,00000000,?,..\s\ssl\statem\statem_clnt.c,?,00007FF8A875CFAA), ref: 00007FF8A875F293
BN_free.LIBCRYPTO-1_1(?,?,00000000,?,..\s\ssl\statem\statem_clnt.c,?,00007FF8A875CFAA), ref: 00007FF8A875F29B
DH_free.LIBCRYPTO-1_1(?,?,00000000,?,..\s\ssl\statem\statem_clnt.c,?,00007FF8A875CFAA), ref: 00007FF8A875F2A3
EVP_PKEY_free.LIBCRYPTO-1_1(?,?,00000000,?,..\s\ssl\statem\statem_clnt.c,?,00007FF8A875CFAA), ref: 00007FF8A875F2AB

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875EF16, 00007FF8A875F274, 00007FF8A875F2C4

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: N_free$N_bin2bn$H_freeY_free
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 2982095754-1507966698
Opcode ID: 4e494cb8bb5019ee3dec541ef5838f2fc5a0ec19a6087ec1e2a4d4f9df8139db
Instruction ID: ac76bb92fef4f4916aaba78b21f4ed2b049fece721adc4f13211df50783fb173
Opcode Fuzzy Hash: 4e494cb8bb5019ee3dec541ef5838f2fc5a0ec19a6087ec1e2a4d4f9df8139db
Instruction Fuzzy Hash: 65A1E072A4E7C292EB249B25A8107BA6394FB89BD4F145230EE8C47B91DF3CE091C714

Function 00007FF8A871194C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-1_1 ref: 00007FF8A873FFF0
BIO_new.LIBCRYPTO-1_1 ref: 00007FF8A873FFF8
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8740025
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87400BA
X509_free.LIBCRYPTO-1_1 ref: 00007FF8A87400C2
BIO_free.LIBCRYPTO-1_1 ref: 00007FF8A87400CA

Strings

..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A87400A9

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrlO_freeO_newO_s_fileR_put_errorX509_free
String ID: ..\s\ssl\ssl_rsa.c
API String ID: 785824201-2723262194
Opcode ID: 69582a1d855e7b914acad6534438b30c5f7717f845d7e5f511cf41423f94229e
Instruction ID: 7653c8cb17b89a68560dd02d432804fc195fe590b364a6e6131bd574d433d039
Opcode Fuzzy Hash: 69582a1d855e7b914acad6534438b30c5f7717f845d7e5f511cf41423f94229e
Instruction Fuzzy Hash: CE31D722F4F692A6F760DA9295003BA6251FF88BC4F044031ED9D0BB96DF7DE5018768

Function 00007FF8A8711032 Relevance: 15.3, APIs: 10, Instructions: 281COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 00007FF8A87600D6
EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 00007FF8A87600DE
EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 00007FF8A87600F0
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A87600F8
EVP_CIPHER_CTX_cipher.LIBCRYPTO-1_1 ref: 00007FF8A8760111
EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 00007FF8A8760119
EVP_CIPHER_CTX_block_size.LIBCRYPTO-1_1 ref: 00007FF8A876012F
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A87601A3
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A87601E3
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A876031A

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrl$R_flagsX_cipher$D_sizeX_block_sizeX_md
String ID:
API String ID: 1400698538-0
Opcode ID: 4ca2974128096a214107f2a6056e3b456719f43b31765e87fc24bcc2f2c6897f
Instruction ID: ce4eafc18f7c163485d4537cf6aed550c52becb50b49fb4296a9f4f5c2dccd56
Opcode Fuzzy Hash: 4ca2974128096a214107f2a6056e3b456719f43b31765e87fc24bcc2f2c6897f
Instruction Fuzzy Hash: 60D1F262A4A7C195DB659F26D4003BD7BA1FB46BC8F188136DE8C5B386DF38D484C329

Function 00007FF8A8777A50 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 255COMMON

Download Yara Rule

APIs

EVP_PKEY_get0_EC_KEY.LIBCRYPTO-1_1 ref: 00007FF8A8777BBC
EC_KEY_get0_group.LIBCRYPTO-1_1 ref: 00007FF8A8777BC4
EC_GROUP_get_curve_name.LIBCRYPTO-1_1 ref: 00007FF8A8777BCC
EVP_PKEY_get0.LIBCRYPTO-1_1 ref: 00007FF8A8777CC6

Part of subcall function 00007FF8A8772AD0: EVP_PKEY_get0_EC_KEY.LIBCRYPTO-1_1(00000000,00000000,?,?,?,00007FF8A8775276), ref: 00007FF8A8772C05
Part of subcall function 00007FF8A8772AD0: EC_KEY_get0_group.LIBCRYPTO-1_1(00000000,00000000,?,?,?,00007FF8A8775276), ref: 00007FF8A8772C0D
Part of subcall function 00007FF8A8772AD0: EC_GROUP_get_curve_name.LIBCRYPTO-1_1(00000000,00000000,?,?,?,00007FF8A8775276), ref: 00007FF8A8772C15

Strings

gfffffff, xrefs: 00007FF8A8777CE6
..\s\ssl\t1_lib.c, xrefs: 00007FF8A8777AEA
gfffffff, xrefs: 00007FF8A8777B2F
gfffffff, xrefs: 00007FF8A8777BD4

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: P_get_curve_nameY_get0_Y_get0_group$Y_get0
String ID: ..\s\ssl\t1_lib.c$gfffffff$gfffffff$gfffffff
API String ID: 2351481120-1408384096
Opcode ID: 0301c8233ff7bcaa53abf8c5077df8be11b5744cb58e21b489ab46e1c0175b38
Instruction ID: 2f9c5a8941c3e6c5dea2f93b6e0ed11e5ff262ab9c35bb8ea8fcc87c0f9a3935
Opcode Fuzzy Hash: 0301c8233ff7bcaa53abf8c5077df8be11b5744cb58e21b489ab46e1c0175b38
Instruction Fuzzy Hash: 8EB1C262A4B74693EA549E16E0443B937A0FB84BE8F184135DE0D477D4EF78E482C329

Function 00007FF8A8711B72 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A877963B
EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FF8A8779667
EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 00007FF8A877968D
EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 00007FF8A87796AA
EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FF8A87796C0
EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 00007FF8A87796DA
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A877978E

Strings

exporter, xrefs: 00007FF8A877973E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: Digest$Final_exInit_ex$UpdateX_freeX_new
String ID: exporter
API String ID: 3991325671-111224270
Opcode ID: d9e15bc0b10dbfb786a0703012da535e9b52b23369bdc91180afe960d733e64d
Instruction ID: 4d4dce213aa13e736f5a4a99812cac651a50ffdb76fa067790f93e5b743e4e39
Opcode Fuzzy Hash: d9e15bc0b10dbfb786a0703012da535e9b52b23369bdc91180afe960d733e64d
Instruction Fuzzy Hash: 9C417F3264AB8265EB61DB16A8407EAB394EFC8BC0F440032EE8D47B59DF7CD041CB54

Function 00007FF8A87121EE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873FA99
EVP_PKEY_new.LIBCRYPTO-1_1 ref: 00007FF8A873FAB0
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873FAD8

Strings

..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A873FA7E, 00007FF8A873FABD

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error$Y_new
String ID: ..\s\ssl\ssl_rsa.c
API String ID: 2632022502-2723262194
Opcode ID: 07d59772858b8cf33ac669a744615438c5ba041662f0fcd3673215319aac739a
Instruction ID: 21d18520cff819e181391fcfafec6db7a6c7f529b6ac31215581e7982144438a
Opcode Fuzzy Hash: 07d59772858b8cf33ac669a744615438c5ba041662f0fcd3673215319aac739a
Instruction Fuzzy Hash: F221B621B4A64252E750EB25F5112FE63A1EF89BC4F484031EF4C47B96DF2CD951CB18

Function 00007FF8A8725CEF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8725D13
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8725D4A

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A8725D02, 00007FF8A8725D2F, 00007FF8A8725D7A
b, xrefs: 00007FF8A8725D81

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\s3_lib.c$b
API String ID: 1767461275-2522393336
Opcode ID: fd1d3794e3a92b4deefbb9211fb4da4641c8640cdd1d5248c33bdde61c5bff35
Instruction ID: 0e9a0d7d29b033fc794dee2990cbdbad091cd0a9b1c5f8e40d29ab73f0fe9722
Opcode Fuzzy Hash: fd1d3794e3a92b4deefbb9211fb4da4641c8640cdd1d5248c33bdde61c5bff35
Instruction Fuzzy Hash: 9321C031B4E942A2F761EB61E5407B962D1EB84BC4F440536EE4D07B95EF3CE5028B38

Function 00007FF8A873BC70 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

d2i_OCSP_RESPONSE.LIBCRYPTO-1_1 ref: 00007FF8A873BCC7
OCSP_response_get1_basic.LIBCRYPTO-1_1 ref: 00007FF8A873BCD7
OCSP_resp_count.LIBCRYPTO-1_1 ref: 00007FF8A873BCEE
OCSP_resp_get0.LIBCRYPTO-1_1 ref: 00007FF8A873BD05
OCSP_SINGLERESP_get1_ext_d2i.LIBCRYPTO-1_1 ref: 00007FF8A873BD1D

Part of subcall function 00007FF8A873BF00: OPENSSL_sk_new_null.LIBCRYPTO-1_1(?,00007FF8A8737D8C), ref: 00007FF8A873BF33
Part of subcall function 00007FF8A873BF00: ERR_put_error.LIBCRYPTO-1_1(?,00007FF8A8737D8C), ref: 00007FF8A873BF5B

OCSP_resp_count.LIBCRYPTO-1_1 ref: 00007FF8A873BD45
SCT_LIST_free.LIBCRYPTO-1_1 ref: 00007FF8A873BD56
OCSP_BASICRESP_free.LIBCRYPTO-1_1 ref: 00007FF8A873BD5E
OCSP_RESPONSE_free.LIBCRYPTO-1_1 ref: 00007FF8A873BD66

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: P_resp_count$E_freeL_sk_new_nullP_freeP_get1_ext_d2iP_resp_get0P_response_get1_basicR_put_errorT_freed2i_
String ID:
API String ID: 4245524859-0
Opcode ID: 5ac87df2d3e065e92e8881cbe1f2a9fb799263a04d341fb3799bb782bc645414
Instruction ID: 80ab8d9fa857781359af2da79d63c2c102352a2f927e8a02cff48a30006f842d
Opcode Fuzzy Hash: 5ac87df2d3e065e92e8881cbe1f2a9fb799263a04d341fb3799bb782bc645414
Instruction Fuzzy Hash: 7E210011F5F76222EE15AA6664517791AD0EFC8BD0F088035EE0D4BB82EF7CE4018768

Function 00007FF8A873CBC0 Relevance: 13.6, APIs: 9, Instructions: 68COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-1_1(?,00007FF8A87371A2), ref: 00007FF8A873CC02
OPENSSL_sk_num.LIBCRYPTO-1_1(?,00007FF8A87371A2), ref: 00007FF8A873CC19
OPENSSL_sk_value.LIBCRYPTO-1_1(?,00007FF8A87371A2), ref: 00007FF8A873CC27
X509_NAME_dup.LIBCRYPTO-1_1(?,00007FF8A87371A2), ref: 00007FF8A873CC2F
OPENSSL_sk_insert.LIBCRYPTO-1_1(?,00007FF8A87371A2), ref: 00007FF8A873CC45
OPENSSL_sk_num.LIBCRYPTO-1_1(?,00007FF8A87371A2), ref: 00007FF8A873CC53

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_num$E_dupL_sk_insertL_sk_new_nullL_sk_valueX509_
String ID:
API String ID: 267177147-0
Opcode ID: 5287aba897fe34a1fcca4d1d8d96223fb7cde2f2ee089342e9ab99d91da408e5
Instruction ID: 73dee76b5d168e97bb743985b56f82c8749b986d094973aa09529d9bc6edf222
Opcode Fuzzy Hash: 5287aba897fe34a1fcca4d1d8d96223fb7cde2f2ee089342e9ab99d91da408e5
Instruction Fuzzy Hash: 4921C521B4F74264FB54EB2655802BA6290EF89FC0F185030EE4D47B86DF2CE051C728

Function 00007FF8A8711FD7 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A874C23D
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A874C259
i2d_OCSP_RESPID.LIBCRYPTO-1_1 ref: 00007FF8A874C298
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A874C2AA
i2d_X509_EXTENSIONS.LIBCRYPTO-1_1 ref: 00007FF8A874C2E6
i2d_X509_EXTENSIONS.LIBCRYPTO-1_1 ref: 00007FF8A874C329

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A874C386, 00007FF8A874C3B5

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: i2d_$L_sk_numX509_$L_sk_value
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 917959868-592572767
Opcode ID: c3c255ee72e8dc28f7e0f5ad3abcd32766784a0d2bd7d65d3694f9c9ae34d130
Instruction ID: 4f2827c31aa7b35d55f3150be224cd163c9462f280d42edd1779803f03324618
Opcode Fuzzy Hash: c3c255ee72e8dc28f7e0f5ad3abcd32766784a0d2bd7d65d3694f9c9ae34d130
Instruction Fuzzy Hash: 5051B261B8F64261FB20AAA294003BE6395EFC5BC4F144031DD4D8BB95DF3DE9429739

Function 00007FF8A8759E10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A8759E76
EVP_PKEY_get0_DH.LIBCRYPTO-1_1 ref: 00007FF8A8759EAD
DH_get0_key.LIBCRYPTO-1_1 ref: 00007FF8A8759EE4
BN_num_bits.LIBCRYPTO-1_1 ref: 00007FF8A8759EEE
BN_bn2bin.LIBCRYPTO-1_1 ref: 00007FF8A8759F4E
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A8759F56

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A8759E58, 00007FF8A8759F26

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: Y_free$H_get0_keyN_bn2binN_num_bitsY_get0_
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 2719771601-1507966698
Opcode ID: 22c88816910da411fa46c432b8266cba31a2f9c4576e17f505b31b0102581fa8
Instruction ID: f773823dc6fc64403c1f9f29ed128160abb78ff61838dab33dcb508ee685551a
Opcode Fuzzy Hash: 22c88816910da411fa46c432b8266cba31a2f9c4576e17f505b31b0102581fa8
Instruction Fuzzy Hash: DB31B462B8A68195EB649B12F8007B96791EB88BC4F085131EA8D4BF95DF3CE501C728

Function 00007FF8A87110E6 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-1_1 ref: 00007FF8A873F90F
BIO_new.LIBCRYPTO-1_1 ref: 00007FF8A873F917
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A873F944
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873F9DD
BIO_free.LIBCRYPTO-1_1 ref: 00007FF8A873F9E5

Strings

..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A873F9CC

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrlO_freeO_newO_s_fileR_put_error
String ID: ..\s\ssl\ssl_rsa.c
API String ID: 2618924202-2723262194
Opcode ID: e119138f731be628a1ae1c4a33aea523f832b136644f6fd16cef32c389a8efa9
Instruction ID: e401fcb6fb3b78ac2c27dbd5af9efed027d62f57849c9ff304c060f2637cdce3
Opcode Fuzzy Hash: e119138f731be628a1ae1c4a33aea523f832b136644f6fd16cef32c389a8efa9
Instruction Fuzzy Hash: 9631C521A4EB82A2F7249F52A0003BE7651FB99BC4F148035EE8D4BB85CF3CE501CB59

Function 00007FF8A873DD40 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 00007FF8A873DD84
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A873DD8C
EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A873DD9F
EVP_MD_CTX_copy_ex.LIBCRYPTO-1_1 ref: 00007FF8A873DDB2
EVP_DigestFinal_ex.LIBCRYPTO-1_1 ref: 00007FF8A873DDC4
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A873DE10

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873DDEF

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_sizeDigestFinal_exX_copy_exX_freeX_mdX_new
String ID: ..\s\ssl\ssl_lib.c
API String ID: 2082763299-1080266419
Opcode ID: ad77977b52e3e84a55675214eeb901b9bd41a6527611301d6633d76eb7e555a8
Instruction ID: 20d8c16dc2f6a33c99875c186756f0c2aaf7100bfa74227414d17a2d760db5f7
Opcode Fuzzy Hash: ad77977b52e3e84a55675214eeb901b9bd41a6527611301d6633d76eb7e555a8
Instruction Fuzzy Hash: C421C222B4F79261EB50EA12B80066A6A90EF44BD4F088431EE4D4BBA5DF7CD041C729

Function 00007FF8A873BF00 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-1_1(?,00007FF8A8737D8C), ref: 00007FF8A873BF33
ERR_put_error.LIBCRYPTO-1_1(?,00007FF8A8737D8C), ref: 00007FF8A873BF5B
OPENSSL_sk_pop.LIBCRYPTO-1_1(?,00007FF8A8737D8C), ref: 00007FF8A873BF68
OPENSSL_sk_push.LIBCRYPTO-1_1(?,00007FF8A8737D8C), ref: 00007FF8A873BF8A
OPENSSL_sk_pop.LIBCRYPTO-1_1(?,00007FF8A8737D8C), ref: 00007FF8A873BF98
OPENSSL_sk_push.LIBCRYPTO-1_1(?,00007FF8A8737D8C), ref: 00007FF8A873BFCD

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873BF40

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_popL_sk_push$L_sk_new_nullR_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 531138727-1080266419
Opcode ID: 47f8a990c43ce1483deb2d7ee7dff604a62f152148f98c5c6c9943a4bd3ef91d
Instruction ID: 9705bf3fff6a0a47e953c413c2ee66899324114ebf2efa28bcedf7f18602b580
Opcode Fuzzy Hash: 47f8a990c43ce1483deb2d7ee7dff604a62f152148f98c5c6c9943a4bd3ef91d
Instruction Fuzzy Hash: 1A214221A4B64361EB16DB1594012796395EF88BC4F049535FF8C47BA5DF3CE411CB29

Function 00007FF8A87121CB Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ERR_clear_error.LIBCRYPTO-1_1 ref: 00007FF8A87421F3
BIO_s_file.LIBCRYPTO-1_1 ref: 00007FF8A874221B
BIO_new.LIBCRYPTO-1_1 ref: 00007FF8A8742223
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A874224B
X509_free.LIBCRYPTO-1_1 ref: 00007FF8A87423C0
BIO_free.LIBCRYPTO-1_1 ref: 00007FF8A87423C8

Strings

..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A8742230

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_freeO_newO_s_fileR_clear_errorR_put_errorX509_free
String ID: ..\s\ssl\ssl_rsa.c
API String ID: 1025733963-2723262194
Opcode ID: 7e73416609eb91a4b42bdbde52ac007e4a5475fdec970492dddfd46e9b7bbb0a
Instruction ID: 4ab524989cecb4a1f53036b97047f8ffc40380bde87698f686fcf666571228b5
Opcode Fuzzy Hash: 7e73416609eb91a4b42bdbde52ac007e4a5475fdec970492dddfd46e9b7bbb0a
Instruction Fuzzy Hash: 8B11E626A5F682E5E604EBA2A8017BA6650FF48BC4F044031FE5C4B796CF3CE951C724

Function 00007FF8A872EDB0 Relevance: 12.1, APIs: 8, Instructions: 114COMMON

Download Yara Rule

APIs

OBJ_nid2sn.LIBCRYPTO-1_1 ref: 00007FF8A872EE5A
EVP_get_digestbyname.LIBCRYPTO-1_1 ref: 00007FF8A872EE62
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A872EE73
OBJ_nid2sn.LIBCRYPTO-1_1 ref: 00007FF8A872EEB1
EVP_get_cipherbyname.LIBCRYPTO-1_1 ref: 00007FF8A872EEB9
EVP_CIPHER_flags.LIBCRYPTO-1_1 ref: 00007FF8A872EEC9
EVP_CIPHER_iv_length.LIBCRYPTO-1_1 ref: 00007FF8A872EEDE
EVP_CIPHER_block_size.LIBCRYPTO-1_1 ref: 00007FF8A872EEE9

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: J_nid2sn$D_sizeP_get_cipherbynameP_get_digestbynameR_block_sizeR_flagsR_iv_length
String ID:
API String ID: 4211416117-0
Opcode ID: 820bd310bc987b47bbd29bdb3456714c5387236caa37f4ffd66f9bd617770e5e
Instruction ID: 0bebb1c533ebb2fde0159303209a075a76bc9082d16c76bf883d565ddac330df
Opcode Fuzzy Hash: 820bd310bc987b47bbd29bdb3456714c5387236caa37f4ffd66f9bd617770e5e
Instruction Fuzzy Hash: 5041C323E4B652A6FB64AB15945427862D8EF48BD0F940531EE4D437E3EF7CE8428378

Function 00007FF8A8713AB0 Relevance: 12.1, APIs: 8, Instructions: 111COMMON

Download Yara Rule

APIs

BIO_get_data.LIBCRYPTO-1_1 ref: 00007FF8A8713AFD
BIO_clear_flags.LIBCRYPTO-1_1 ref: 00007FF8A8713B10
BIO_set_flags.LIBCRYPTO-1_1 ref: 00007FF8A8713B55
BIO_set_retry_reason.LIBCRYPTO-1_1 ref: 00007FF8A8713BF0

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_clear_flagsO_get_dataO_set_flagsO_set_retry_reason
String ID:
API String ID: 3836630899-0
Opcode ID: 3871330ddc1fb52b9fbedb46d79d72dc9a7f28f2e9602a1e25385491669f7eed
Instruction ID: 302b696d2be83b8b827edbcf9ffcc3907244f27ea7cb3b4f35569d2a912b0b9d
Opcode Fuzzy Hash: 3871330ddc1fb52b9fbedb46d79d72dc9a7f28f2e9602a1e25385491669f7eed
Instruction Fuzzy Hash: 6831B322F4E60262E769EB26A54127D6291EF40BD8F104431DD0D47F9ADF3CE842C368

Function 00007FF8A8712121 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

EVP_PKEY_new.LIBCRYPTO-1_1 ref: 00007FF8A874D4A6
EVP_PKEY_copy_parameters.LIBCRYPTO-1_1 ref: 00007FF8A874D4BD
EVP_PKEY_set1_tls_encodedpoint.LIBCRYPTO-1_1 ref: 00007FF8A874D4D3
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A874D50C

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A874D405, 00007FF8A874D4DF, 00007FF8A874D577, 00007FF8A874D5A2, 00007FF8A874D5D3

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: Y_copy_parametersY_freeY_newY_set1_tls_encodedpoint
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 3743944661-592572767
Opcode ID: 1dfa27e6dabe1f5f029db19b8e9abf1b7302160e5dd4c1c6dde11550fc66eb3a
Instruction ID: a4000de264934017c60a6a2968fc5f06b58eab837094ec21fd1768625cc23938
Opcode Fuzzy Hash: 1dfa27e6dabe1f5f029db19b8e9abf1b7302160e5dd4c1c6dde11550fc66eb3a
Instruction Fuzzy Hash: CF91E472A4AB8196EB50CB55E4402797FA1FB81BD4F484231EACC07B95DF3CE591CB28

Function 00007FF8A873ECA0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A873ED14
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A873ED2B
CT_POLICY_EVAL_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A873ED4F
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A873ED7C

Part of subcall function 00007FF8A87124D2: SCT_LIST_free.LIBCRYPTO-1_1 ref: 00007FF8A8737C53
Part of subcall function 00007FF8A87124D2: d2i_OCSP_RESPONSE.LIBCRYPTO-1_1 ref: 00007FF8A8737CA8
Part of subcall function 00007FF8A87124D2: OCSP_response_get1_basic.LIBCRYPTO-1_1 ref: 00007FF8A8737CB8
Part of subcall function 00007FF8A87124D2: OCSP_resp_count.LIBCRYPTO-1_1 ref: 00007FF8A8737CCA
Part of subcall function 00007FF8A87124D2: OCSP_resp_get0.LIBCRYPTO-1_1 ref: 00007FF8A8737CD8
Part of subcall function 00007FF8A87124D2: OCSP_SINGLERESP_get1_ext_d2i.LIBCRYPTO-1_1 ref: 00007FF8A8737CF0
Part of subcall function 00007FF8A87124D2: OCSP_resp_count.LIBCRYPTO-1_1 ref: 00007FF8A8737D18
Part of subcall function 00007FF8A87124D2: SCT_LIST_free.LIBCRYPTO-1_1 ref: 00007FF8A8737D24
Part of subcall function 00007FF8A87124D2: OCSP_BASICRESP_free.LIBCRYPTO-1_1 ref: 00007FF8A8737D2C
Part of subcall function 00007FF8A87124D2: OCSP_RESPONSE_free.LIBCRYPTO-1_1 ref: 00007FF8A8737D34

CT_POLICY_EVAL_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A873EE4B

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873EE2E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_numP_resp_countT_free$E_freeL_sk_valueP_freeP_get1_ext_d2iP_resp_get0P_response_get1_basicX_freeX_newd2i_
String ID: ..\s\ssl\ssl_lib.c
API String ID: 382793502-1080266419
Opcode ID: 9f104f3394336e248a06bdfad8182fbc7d949da42687ce6875a499c25a1223f6
Instruction ID: 41a9228300356e5ed278ee6b6af3966117af023be7282d655bc2918db1b720eb
Opcode Fuzzy Hash: 9f104f3394336e248a06bdfad8182fbc7d949da42687ce6875a499c25a1223f6
Instruction Fuzzy Hash: 5C41C522B8F64266FA64AB1194503BD6750EF85FC4F888035DE4D4BB95CF3CE4428729

Function 00007FF8A8711BCC Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 90COMMON

Download Yara Rule

APIs

OPENSSL_cleanse.LIBCRYPTO-1_1 ref: 00007FF8A87720F6

Strings

0, xrefs: 00007FF8A8772136
master secret, xrefs: 00007FF8A8772182
, xrefs: 00007FF8A877216A
extended master secret, xrefs: 00007FF8A87720CD
, xrefs: 00007FF8A8772189

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_cleanse
String ID: $ $0$extended master secret$master secret
API String ID: 1040887069-741269486
Opcode ID: 393769c40ecb4b6c435d37cba0897ed25c4dd0886ec3de41fe728c38848c6237
Instruction ID: f62db36a614c98411c7a2a8ea3b7d495155f4b04e4a4c699d4408bc7e74ecaa5
Opcode Fuzzy Hash: 393769c40ecb4b6c435d37cba0897ed25c4dd0886ec3de41fe728c38848c6237
Instruction Fuzzy Hash: 2341477265AB81A1E760CB11F8403AAB7E4FB887C4F148134EACC46BA9DF7CD055CB14

Function 00007FF8A8772CF0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 88COMMON

Download Yara Rule

APIs

OBJ_sn2nid.LIBCRYPTO-1_1 ref: 00007FF8A8772E0A

Strings

PSS, xrefs: 00007FF8A8772D79
DSA, xrefs: 00007FF8A8772DA8
ECDSA, xrefs: 00007FF8A8772DD5
RSA-PSS, xrefs: 00007FF8A8772D4A
RSA, xrefs: 00007FF8A8772D12

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: J_sn2nid
String ID: DSA$ECDSA$PSS$RSA$RSA-PSS
API String ID: 1172147710-2025297953
Opcode ID: 7097399078b95809bb58880c5345e94904c58ddadf4c586de5a7e66d43202429
Instruction ID: 72be13da67c524cb48e9a49403e339627f27ac278976a54eef22cd9b456309bd
Opcode Fuzzy Hash: 7097399078b95809bb58880c5345e94904c58ddadf4c586de5a7e66d43202429
Instruction Fuzzy Hash: 64316962E5E58195EB968F15F04077C3BA0EB46BC0F484031D7AF06A8ADF6CD991CB28

Function 00007FF8A8724130 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8724174
EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A87241BF
BIO_free.LIBCRYPTO-1_1 ref: 00007FF8A872428B

Strings

..\s\ssl\s3_enc.c, xrefs: 00007FF8A872418E, 00007FF8A87241F3

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrlO_freeX_new
String ID: ..\s\ssl\s3_enc.c
API String ID: 22238829-1839494539
Opcode ID: d21913b7ac1cdf88c9ab77d1032cfcb2dd9613f3d145742f3a79a5242c47caa3
Instruction ID: 1e963164a3c1e8fc1f60670a477b6209222390f12d9c400a39d2f86b5ff94308
Opcode Fuzzy Hash: d21913b7ac1cdf88c9ab77d1032cfcb2dd9613f3d145742f3a79a5242c47caa3
Instruction Fuzzy Hash: 2C41B13270AA91A5EB50CB16E4403AE63A0FB88FC4F184431DE8D5BBA9EF7CD5818714

Function 00007FF8A8711B1D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-1_1 ref: 00007FF8A8740D5F
BIO_new.LIBCRYPTO-1_1 ref: 00007FF8A8740D67
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8740D94
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8740E2D
BIO_free.LIBCRYPTO-1_1 ref: 00007FF8A8740E35

Strings

..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A8740E1C

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrlO_freeO_newO_s_fileR_put_error
String ID: ..\s\ssl\ssl_rsa.c
API String ID: 2618924202-2723262194
Opcode ID: b52bce63b32edf11eb13fedb9386755e62e2f199134a7f00cfc40428c88927b4
Instruction ID: 6dba2a0fc521fa80a58bd272351e077d2c149a5a497107f290ac4502827f5aec
Opcode Fuzzy Hash: b52bce63b32edf11eb13fedb9386755e62e2f199134a7f00cfc40428c88927b4
Instruction Fuzzy Hash: 5F31B121E4F69292F764AF5294006BA7291FB88BC4F444035EE8D0BB96CF3DF5158B68

Function 00007FF8A872BD60 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A872BDBF
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A872BDD5
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A872BDFA
OPENSSL_sk_pop_free.LIBCRYPTO-1_1 ref: 00007FF8A872BE0E
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872BE50

Strings

..\s\ssl\ssl_cert.c, xrefs: 00007FF8A872BE34

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_num$L_sk_pop_freeL_sk_valueR_put_error
String ID: ..\s\ssl\ssl_cert.c
API String ID: 732311666-349359282
Opcode ID: bf305ba9b34b98b788a8d0f6eb7e02a5e64e466c1135b502335cb414d8549ec6
Instruction ID: c442c6c5587b5b9b04d00cd89613ba5e55ef5ce3d2ae52b952ed7921f7bf689f
Opcode Fuzzy Hash: bf305ba9b34b98b788a8d0f6eb7e02a5e64e466c1135b502335cb414d8549ec6
Instruction Fuzzy Hash: 8C21D622B4E681D5E751DB25A8403F96390FF84BD0F040531EE4C47BA6DF3CD4428728

Function 00007FF8A873DA10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A873DA4B
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A873DA5F

Part of subcall function 00007FF8A873C300: OPENSSL_sk_pop_free.LIBCRYPTO-1_1(?,00007FF8A8737528), ref: 00007FF8A873C321
Part of subcall function 00007FF8A873C300: OPENSSL_sk_pop_free.LIBCRYPTO-1_1(?,00007FF8A8737528), ref: 00007FF8A873C337
Part of subcall function 00007FF8A873C300: X509_free.LIBCRYPTO-1_1(?,00007FF8A8737528), ref: 00007FF8A873C344

OPENSSL_sk_new_reserve.LIBCRYPTO-1_1 ref: 00007FF8A873DA96
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873DAC2
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A873DADA

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873DAA7

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_numL_sk_pop_free$L_sk_new_reserveL_sk_valueR_put_errorX509_free
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1042751175-1080266419
Opcode ID: f9156d42fc8ceb713e0273c8f2194505f6cb773dc267014d350ae483b8bbc5a3
Instruction ID: f7a42d53c295a90dec97feed070277e7e4197e64362c691baa23d8e76745d80f
Opcode Fuzzy Hash: f9156d42fc8ceb713e0273c8f2194505f6cb773dc267014d350ae483b8bbc5a3
Instruction Fuzzy Hash: 56318132649B8292E715DB21D4503AEBBA1FB85BC4F088435EE8D47796DF3CD550CB24

Function 00007FF8A8711B45 Relevance: 9.1, APIs: 6, Instructions: 105COMMON

Download Yara Rule

APIs

OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A87739CE
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A8773A12
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A8773A3A
X509_get_extension_flags.LIBCRYPTO-1_1 ref: 00007FF8A8773A66
X509_get_signature_info.LIBCRYPTO-1_1 ref: 00007FF8A8773A8B
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A8773AE4

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_numL_sk_value$X509_get_extension_flagsX509_get_signature_info
String ID:
API String ID: 420811412-0
Opcode ID: 47b4072a4124a7f61a8f71d258181b326220254ac2c4607e17c4381a4f8c122a
Instruction ID: f18ede32152490774318ac5b01abf69e37a235ba303d652536ad5c67b9320c16
Opcode Fuzzy Hash: 47b4072a4124a7f61a8f71d258181b326220254ac2c4607e17c4381a4f8c122a
Instruction Fuzzy Hash: 9A31D722B5B28266F764961668417BA6690FF85BC4F404031FE8D93BA6DF3CD401DB28

Function 00007FF8A8737E90 Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A8737EF4
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A8737F05
OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 00007FF8A8737F2A
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A8737F3D
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A8737F4B
OPENSSL_sk_free.LIBCRYPTO-1_1 ref: 00007FF8A8737F5C

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_num$L_sk_freeL_sk_new_nullL_sk_pushL_sk_value
String ID:
API String ID: 1173513325-0
Opcode ID: 4da740d25c2825872fa485b01caa17a3f09dc52885b8b7972d72c12d835a8235
Instruction ID: 6b78f0cf90f49fe7f53086b3e006110b74aa0429ba9e45ed6559abf202c8fe2a
Opcode Fuzzy Hash: 4da740d25c2825872fa485b01caa17a3f09dc52885b8b7972d72c12d835a8235
Instruction Fuzzy Hash: 1D218111F8F65761FB95AA2654413BA5290EF84FC4F089034FE8D4BB96DF2CE8438729

Function 00007FF8A873BBA0 Relevance: 9.0, APIs: 6, Instructions: 33COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,00007FF8A87375F7), ref: 00007FF8A873BBC4
EVP_CIPHER_CTX_free.LIBCRYPTO-1_1(?,00007FF8A87375F7), ref: 00007FF8A873BBDC
COMP_CTX_free.LIBCRYPTO-1_1(?,00007FF8A87375F7), ref: 00007FF8A873BBEF
COMP_CTX_free.LIBCRYPTO-1_1(?,00007FF8A87375F7), ref: 00007FF8A873BC02
EVP_MD_CTX_free.LIBCRYPTO-1_1(?,00007FF8A87375F7), ref: 00007FF8A873BC15
EVP_MD_CTX_free.LIBCRYPTO-1_1(?,00007FF8A87375F7), ref: 00007FF8A873BC28

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_free
String ID:
API String ID: 2268491255-0
Opcode ID: 44855870ceade7a4ab3ecbe8a03690fb9cec8cc02717d41dfc695da2fe052186
Instruction ID: f64c1a27c3180a4c20a76ef581e309db38af59a07a1dc71caaca89316c080bca
Opcode Fuzzy Hash: 44855870ceade7a4ab3ecbe8a03690fb9cec8cc02717d41dfc695da2fe052186
Instruction Fuzzy Hash: 2F01256254AA8151D741AF61D9513BC6394EF84FCCF084035EF4D4B6AACF289450C339

Function 00007FF8A87119B0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875B00E, 00007FF8A875B3B1

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID:
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 0-1507966698
Opcode ID: 0c011f8b7f34282e96d597a8a80a3ee51135cd850614b19c297d63ecfffc2844
Instruction ID: 218a6dc5e5e4bd5c2fe95c1918c5549c524f2cd15a41ff42719a940fa7053208
Opcode Fuzzy Hash: 0c011f8b7f34282e96d597a8a80a3ee51135cd850614b19c297d63ecfffc2844
Instruction Fuzzy Hash: 12B1A161B8E64291FBAA9B22D4003BE6690EF84BC4F186035DE4D5BBD5DF3CE5418738

Function 00007FF8A8712036 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

ENGINE_load_ssl_client_cert.LIBCRYPTO-1_1 ref: 00007FF8A875BCCB

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A875BD68, 00007FF8A875BE1F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: E_load_ssl_client_cert
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 2904557448-1507966698
Opcode ID: f0ca030fa4f1cbf58c94224b1e67fecb90c9b64d4dee19a33429269d86c684fa
Instruction ID: 47c77987c986aa10cca99841d10ff7806f1773bc6aac5cd26795bbaec0ed20a0
Opcode Fuzzy Hash: f0ca030fa4f1cbf58c94224b1e67fecb90c9b64d4dee19a33429269d86c684fa
Instruction Fuzzy Hash: 7461B372A4EB8292EB558F12E4403BD63A1EB84BD4F181035EE4D47B99DF7CE441CB28

Function 00007FF8A8711ADC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A8762C8B
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A8762C99
i2d_X509_NAME.LIBCRYPTO-1_1 ref: 00007FF8A8762CDD
OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A8762CEB

Strings

..\s\ssl\statem\statem_lib.c, xrefs: 00007FF8A8762C48, 00007FF8A8762D0D

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_num$L_sk_valueX509_i2d_
String ID: ..\s\ssl\statem\statem_lib.c
API String ID: 3754435392-2839845709
Opcode ID: 65d8deee70154f053cc6f33636507a4df70b03b3805c42fba857438a21c57b60
Instruction ID: df4b39347344664e4aa77267ab33a60e3324a0249df9c84133bda941af6e5a37
Opcode Fuzzy Hash: 65d8deee70154f053cc6f33636507a4df70b03b3805c42fba857438a21c57b60
Instruction Fuzzy Hash: 4431C821B5F74265FB61DB22A4102BAA794EF85BD0F040530ED8C47B96EF7CE9418738

Function 00007FF8A873EF00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873EF4D
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873EF88

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873EF30, 00007FF8A873EF69, 00007FF8A873EFB9

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1767461275-1080266419
Opcode ID: 664da3bb5ebbb6a6094b7c89baa944a8a636ad8bd96706cea84dd4dfea61b1f4
Instruction ID: c4020668bc30d13036e14a841bbce3cd8553ebab97c2d9ebcffee65c9f7cade7
Opcode Fuzzy Hash: 664da3bb5ebbb6a6094b7c89baa944a8a636ad8bd96706cea84dd4dfea61b1f4
Instruction Fuzzy Hash: 7931BD32A4AB8296E320AF14E4043A97760FB84BC4F548135EB9D47BE5CF7DE441CB28

Function 00007FF8A8711C44 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8736A28
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8736A63

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A8736A09, 00007FF8A8736A44, 00007FF8A8736AAA

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1767461275-1080266419
Opcode ID: feaf4211dbf536bc8def34518951488ea76392c6826d00b827b690999808d9c2
Instruction ID: a6e0dc7752dadef1fa93735df3b32ead04a2bf9674c59b8e8cedfde05bf50370
Opcode Fuzzy Hash: feaf4211dbf536bc8def34518951488ea76392c6826d00b827b690999808d9c2
Instruction Fuzzy Hash: 4131C632A4AA81A2F7608B24E4407BE23A0FB45BD8F548234DB5C4B7E5DF3DD545DB18

Function 00007FF8A877BC20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

BN_ucmp.LIBCRYPTO-1_1 ref: 00007FF8A877BC40
BN_ucmp.LIBCRYPTO-1_1 ref: 00007FF8A877BC5B
BN_is_zero.LIBCRYPTO-1_1 ref: 00007FF8A877BC6F
BN_num_bits.LIBCRYPTO-1_1 ref: 00007FF8A877BC83

Strings

..\s\ssl\tls_srp.c, xrefs: 00007FF8A877BD1F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: N_ucmp$N_is_zeroN_num_bits
String ID: ..\s\ssl\tls_srp.c
API String ID: 1527310491-1778748169
Opcode ID: 65f4d77ecd700fa8f3cab1ee0ba0c6f33d99929f34c276842e1a8ee588a81d12
Instruction ID: 54d24a087d2a3e9b84f64f287e3d8599a7baa038b9bc0ca13af38a701ccc5e39
Opcode Fuzzy Hash: 65f4d77ecd700fa8f3cab1ee0ba0c6f33d99929f34c276842e1a8ee588a81d12
Instruction Fuzzy Hash: 00214F61B4F68291FB519A21D8403B923A0EBC8BC8F584431DE0C8BB95DF3DE541CB68

Function 00007FF8A8711DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A872B134
OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 00007FF8A872B14F
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A872B163
X509_up_ref.LIBCRYPTO-1_1 ref: 00007FF8A872B16F

Strings

..\s\ssl\ssl_cert.c, xrefs: 00007FF8A872B118

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_new_nullL_sk_pushR_put_errorX509_up_ref
String ID: ..\s\ssl\ssl_cert.c
API String ID: 1254856836-349359282
Opcode ID: a157bb09e600f02e2f9732b1e0c9f260522da547fdbe89928c6bbe9f46d3c201
Instruction ID: 3f471b55a6fa1d7c7fefdf5fa4f5074bce3b99f089c420c29cdd8aebf4fbcb21
Opcode Fuzzy Hash: a157bb09e600f02e2f9732b1e0c9f260522da547fdbe89928c6bbe9f46d3c201
Instruction Fuzzy Hash: CA118C21B4B64291FF96DB25A4503B952E0EF48BC4F480135DF1C47B95EF3CE8408628

Function 00007FF8A8724E60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

BIO_new.LIBCRYPTO-1_1 ref: 00007FF8A8724E7E
BIO_free.LIBCRYPTO-1_1 ref: 00007FF8A8724ECF
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A8724EF4
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8724F32

Strings

..\s\ssl\s3_enc.c, xrefs: 00007FF8A8724E8B

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrlO_freeO_newX_free
String ID: ..\s\ssl\s3_enc.c
API String ID: 3686289451-1839494539
Opcode ID: bdc71f935df0f2d3ea3887a0f30e4cf6aa9ea9af759c96416e0cd263afb7ac85
Instruction ID: 2c2be0abdf9be9e303f24c405cc7fc8c54ab56cb20c3b8ee14a0fe8055514b05
Opcode Fuzzy Hash: bdc71f935df0f2d3ea3887a0f30e4cf6aa9ea9af759c96416e0cd263afb7ac85
Instruction Fuzzy Hash: 29115632B1A781A5EB81DB21E4503EC33A0FB88BC8F488531DE8D0BB65DF39D5848714

Function 00007FF8A873C020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

OPENSSL_sk_num.LIBCRYPTO-1_1 ref: 00007FF8A873C045
OPENSSL_sk_value.LIBCRYPTO-1_1 ref: 00007FF8A873C059
SCT_get_validation_status.LIBCRYPTO-1_1 ref: 00007FF8A873C061
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873C090

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873C071

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_numL_sk_valueR_put_errorT_get_validation_status
String ID: ..\s\ssl\ssl_lib.c
API String ID: 2393801384-1080266419
Opcode ID: ad87b41ed8e5b4d91ebea544e417ce0fa30628a79d22aa4c8b7654e1c8d39680
Instruction ID: 9295bb620f082e3b7a0ff265d9a7400b4efe994cd6a5fae87a46286ec9a626b0
Opcode Fuzzy Hash: ad87b41ed8e5b4d91ebea544e417ce0fa30628a79d22aa4c8b7654e1c8d39680
Instruction Fuzzy Hash: FE014C35F4E65252F7148759E4412BA5261EFC5BC4F248030EB6C477DACF3ED8418728

Function 00007FF8A8731C10 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

BIO_s_file.LIBCRYPTO-1_1 ref: 00007FF8A8731C52
BIO_new.LIBCRYPTO-1_1 ref: 00007FF8A8731C5A
BIO_ctrl.LIBCRYPTO-1_1 ref: 00007FF8A8731C76
DH_free.LIBCRYPTO-1_1 ref: 00007FF8A8731CD0
BIO_free.LIBCRYPTO-1_1 ref: 00007FF8A8731CD8

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: H_freeO_ctrlO_freeO_newO_s_file
String ID:
API String ID: 1469330667-0
Opcode ID: 0042054431d6c60f6d3db2821f9201866da266e62d5e21131d509b05ca79e676
Instruction ID: 4d4edc66a4e53143d658207adb3c7cdc128774053bc738718f0f9fd3c2a31952
Opcode Fuzzy Hash: 0042054431d6c60f6d3db2821f9201866da266e62d5e21131d509b05ca79e676
Instruction Fuzzy Hash: 8F210322B4B64156FA95DA57A81177963E0EF84FC0F049131FE9D47B42EF38E812C768

Function 00007FF8A8711F46 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 00007FF8A872A894
X509_get_subject_name.LIBCRYPTO-1_1 ref: 00007FF8A872A8A4
X509_NAME_dup.LIBCRYPTO-1_1 ref: 00007FF8A872A8AC
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A872A8BF
X509_NAME_free.LIBCRYPTO-1_1 ref: 00007FF8A872A8CB

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X509_$E_dupE_freeL_sk_new_nullL_sk_pushX509_get_subject_name
String ID:
API String ID: 2231116090-0
Opcode ID: cfd89f52ebe70ceed7983481f1aba6d32456500a5a5535677183bd620f305abe
Instruction ID: 53d3fc33e53b71ab84e234ee97695132d0b8801b88e496b103bf61bbc39f67e9
Opcode Fuzzy Hash: cfd89f52ebe70ceed7983481f1aba6d32456500a5a5535677183bd620f305abe
Instruction Fuzzy Hash: 5F018B01E8FA0260FF86A635A95537991D0DF49BC4F144030E90D4A7D2FF2CE4428329

Function 00007FF8A87111DB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 266COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF8A874B373
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A874B3B8
EVP_MD_size.LIBCRYPTO-1_1 ref: 00007FF8A874B43F

Strings

..\s\ssl\statem\extensions_clnt.c, xrefs: 00007FF8A874B32D

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: D_size$_time64
String ID: ..\s\ssl\statem\extensions_clnt.c
API String ID: 2874025382-592572767
Opcode ID: 63bfa268b9bb4970c077f589afdcf2321f9d43d50646c3f6b61773d748a912fd
Instruction ID: dbf559019408c178835818d976bbab814f0be1048844ef9be82efe6bab5fa3ca
Opcode Fuzzy Hash: 63bfa268b9bb4970c077f589afdcf2321f9d43d50646c3f6b61773d748a912fd
Instruction Fuzzy Hash: 7EB1B132A4E74295EB658AD2A5403BE6290FF45BC4F044035DE8D8BBD5DF7CE841C729

Function 00007FF8A87630C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00007FF8A876675D), ref: 00007FF8A87631DB
BIO_ctrl.LIBCRYPTO-1_1(?,00007FF8A876675D), ref: 00007FF8A8763208

Strings

..\s\ssl\statem\statem_lib.c, xrefs: 00007FF8A876321E
, xrefs: 00007FF8A8763117

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_ctrlmemcpy
String ID: $..\s\ssl\statem\statem_lib.c
API String ID: 2266715306-830051739
Opcode ID: d757a6376fe1c489b74ad65ac18f8ee1954cdf65887604a99235a8fc60f655b4
Instruction ID: 3d2c17e349b14b90ef7dbf4910bb7b1ed4dd3c9bde0c65b5f985ed7f51e7afc1
Opcode Fuzzy Hash: d757a6376fe1c489b74ad65ac18f8ee1954cdf65887604a99235a8fc60f655b4
Instruction Fuzzy Hash: DC41A772A0AB81A6EB548B19E88027DB7A0FB44BC4F144136DB8C87B95CF39D4A5C718

Function 00007FF8A8711E8D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873B1DE

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873B110, 00007FF8A873B1D2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1767461275-1080266419
Opcode ID: 22115867e9bdc90c0b0ee46f8f2ccba984f57112110115d04254e0b3e02426c0
Instruction ID: 9a22eee02273e266e2ad748d4c367452424f40d158f85217052f4abda2dac4fe
Opcode Fuzzy Hash: 22115867e9bdc90c0b0ee46f8f2ccba984f57112110115d04254e0b3e02426c0
Instruction Fuzzy Hash: 5931C572B9E141A6F7768A10D8143F92690EF84788F444138DA4D4ABD0CF7DE580CB2A

Function 00007FF8A872CA7E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1 ref: 00007FF8A872CD04

Strings

IDEA(128), xrefs: 00007FF8A872CADA
GOST01, xrefs: 00007FF8A872CA7E
SHA256, xrefs: 00007FF8A872CB80

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_snprintf
String ID: GOST01$IDEA(128)$SHA256
API String ID: 3142812517-4064199452
Opcode ID: 0081804d5951e25ee2a13b140437cdbd1372c614aa97c468c357874e200097bc
Instruction ID: 74cc018dc8b4c92a32a314e1b5cf8543e00d5b0845e357675bd107c08e73143e
Opcode Fuzzy Hash: 0081804d5951e25ee2a13b140437cdbd1372c614aa97c468c357874e200097bc
Instruction Fuzzy Hash: A8116322CCEA42A1E3759728A48817962E0EBA13D4F450172DD4D12AA49F3DE980936C

Function 00007FF8A872CA87 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1 ref: 00007FF8A872CD04

Strings

IDEA(128), xrefs: 00007FF8A872CADA
GOST12, xrefs: 00007FF8A872CA87
SHA256, xrefs: 00007FF8A872CB80

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_snprintf
String ID: GOST12$IDEA(128)$SHA256
API String ID: 3142812517-3478822438
Opcode ID: 2657a3a5e4d4d28e041b8e7fb8e20a1ff1ab77de301a8a91245b7607df0775eb
Instruction ID: e5fefd9c5d1861e653b551a143507c703abfe67479c199b28ee6db573171d548
Opcode Fuzzy Hash: 2657a3a5e4d4d28e041b8e7fb8e20a1ff1ab77de301a8a91245b7607df0775eb
Instruction Fuzzy Hash: 7E116622CCE64361E3759728A58817962E0EBA13D4F450172CD4D12AA49F3DE980936C

Function 00007FF8A872CA90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1 ref: 00007FF8A872CD04

Strings

IDEA(128), xrefs: 00007FF8A872CADA
SHA256, xrefs: 00007FF8A872CB80
any, xrefs: 00007FF8A872CA90

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_snprintf
String ID: IDEA(128)$SHA256$any
API String ID: 3142812517-1956614738
Opcode ID: 6a864da8912e5533e2256bc16630b8cc7e9510c92145bd87db4d0fcb95005123
Instruction ID: 0c899ba05be521c7dbd8159b5a60b8ea070a81cc38cf1a2d7c791b6110c766a9
Opcode Fuzzy Hash: 6a864da8912e5533e2256bc16630b8cc7e9510c92145bd87db4d0fcb95005123
Instruction Fuzzy Hash: 53116022CCEA43A1E3759728A58817962E0EBA13D4F450172CD4D12AA4AF3DEA80936C

Function 00007FF8A872CA55 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1 ref: 00007FF8A872CD04

Strings

IDEA(128), xrefs: 00007FF8A872CADA
SHA256, xrefs: 00007FF8A872CB80
DSS, xrefs: 00007FF8A872CA55

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_snprintf
String ID: DSS$IDEA(128)$SHA256
API String ID: 3142812517-3841199953
Opcode ID: 3d2fd7bf93b3df9050172ef9cebf7ebb29588b6bba50f17e8a696d8ae700d946
Instruction ID: d4778a8f92868e74633bcc02f7d091463a27979eb5ab8c847e4154c347582dc7
Opcode Fuzzy Hash: 3d2fd7bf93b3df9050172ef9cebf7ebb29588b6bba50f17e8a696d8ae700d946
Instruction Fuzzy Hash: CF116022CCEA42A1E3759728A48817962E0EBA13D4F450172CD4D12AA4AF3DEA81936C

Function 00007FF8A872CA63 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1 ref: 00007FF8A872CD04

Strings

IDEA(128), xrefs: 00007FF8A872CADA
SHA256, xrefs: 00007FF8A872CB80
ECDSA, xrefs: 00007FF8A872CA63

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_snprintf
String ID: ECDSA$IDEA(128)$SHA256
API String ID: 3142812517-1715931570
Opcode ID: 8f9e42904fc853de33595d070cc727ff6a7eecac5b7ed14b1821419205f960ce
Instruction ID: 7f7dddd4c78afcd40df75186931ca58e5e90caba7f71aed1ecf691023f4aa516
Opcode Fuzzy Hash: 8f9e42904fc853de33595d070cc727ff6a7eecac5b7ed14b1821419205f960ce
Instruction Fuzzy Hash: 50116322CCEA42A1E3759728A48817962E0EBA13D4F450172DD4D12AA49F3DE981936C

Function 00007FF8A872CA6C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1 ref: 00007FF8A872CD04

Strings

IDEA(128), xrefs: 00007FF8A872CADA
SHA256, xrefs: 00007FF8A872CB80
PSK, xrefs: 00007FF8A872CA6C

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_snprintf
String ID: IDEA(128)$PSK$SHA256
API String ID: 3142812517-1637006702
Opcode ID: 3076256d6b74e3f9935704829b40b98b3aaef4a8449d8cf0cb10f2e252ccb529
Instruction ID: 7ef969a792526e052985d61065f6635041ec2b01237c4bb26704aaca7f9df56e
Opcode Fuzzy Hash: 3076256d6b74e3f9935704829b40b98b3aaef4a8449d8cf0cb10f2e252ccb529
Instruction Fuzzy Hash: 1D116022CCEA42A1E3759728A48817962E0EBA13D4F450172CD4D12AA4AF3DEA81936C

Function 00007FF8A872CA75 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1 ref: 00007FF8A872CD04

Strings

IDEA(128), xrefs: 00007FF8A872CADA
SRP, xrefs: 00007FF8A872CA75
SHA256, xrefs: 00007FF8A872CB80

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_snprintf
String ID: IDEA(128)$SHA256$SRP
API String ID: 3142812517-1647395391
Opcode ID: f28a77de5bb641434630d58a4a208d3a566b7e236f8daa70a3ec5d91c537cfbb
Instruction ID: a3c86404c949c0e1c152dd6bd9e673b90c1fb81514d6b856b30de6f6c4e6d8e2
Opcode Fuzzy Hash: f28a77de5bb641434630d58a4a208d3a566b7e236f8daa70a3ec5d91c537cfbb
Instruction Fuzzy Hash: 70116322CCEA42A1E3759728A48817962E0EBA13D4F450172DD4D12AA49F3DE980936C

Function 00007FF8A871118B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

BIO_new.LIBCRYPTO-1_1 ref: 00007FF8A873DEF1

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873DF4E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_new
String ID: ..\s\ssl\ssl_lib.c
API String ID: 458078758-1080266419
Opcode ID: ce70231a05faa6ea60785fe4a50d45faf556dfad7a4d223e9885db2279cdee14
Instruction ID: d5a56b2e7f9aeb3a17c94fbb588e3af2ed549974e7d341cf91637817b79ed65e
Opcode Fuzzy Hash: ce70231a05faa6ea60785fe4a50d45faf556dfad7a4d223e9885db2279cdee14
Instruction Fuzzy Hash: 7311A572B5B642A2EB51DB65F5013B967A0EF847C0F440130EB4D07B91EF7DE891C628

Function 00007FF8A872695D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

EC_KEY_get0_group.LIBCRYPTO-1_1 ref: 00007FF8A8726972
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8726997

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A872697C

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_errorY_get0_group
String ID: ..\s\ssl\s3_lib.c
API String ID: 3547453883-4238427508
Opcode ID: 0e9dc11834c929a4a92aae2d86bb0b668fb8ca4cf33f942f419e2ecdf05cf504
Instruction ID: 8e441dfcf73a6b5546df801d5e5f0a249e8ef980e44533c865a84053fbd37479
Opcode Fuzzy Hash: 0e9dc11834c929a4a92aae2d86bb0b668fb8ca4cf33f942f419e2ecdf05cf504
Instruction Fuzzy Hash: 7F01DE21A0A54291EB50DB24F5402A963A0FB947C8F80043ADA8C07A99EF3CD584CB18

Function 00007FF8A8726E16 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

OPENSSL_sk_new_null.LIBCRYPTO-1_1 ref: 00007FF8A8726E22
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8726E4E
OPENSSL_sk_push.LIBCRYPTO-1_1 ref: 00007FF8A8726E66

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A8726E40

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_new_nullL_sk_pushR_put_error
String ID: ..\s\ssl\s3_lib.c
API String ID: 1176158178-4238427508
Opcode ID: 477397e50a60c0d540ab04b71180e531b4601ec8d818973e2cc62173b46b5d9a
Instruction ID: 8c8520ffc21d630016237737385450505a0d77228857b9ca9272f7d5e03d3d2e
Opcode Fuzzy Hash: 477397e50a60c0d540ab04b71180e531b4601ec8d818973e2cc62173b46b5d9a
Instruction Fuzzy Hash: CCF0A921B4E64392EF619B21E1407B923E0FB14BC8F04013AEB0C06BA5FF3CE5909728

Function 00007FF8A8772F80 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF8A8772FCF
EC_curve_nist2nid.LIBCRYPTO-1_1 ref: 00007FF8A8772FE8
OBJ_sn2nid.LIBCRYPTO-1_1 ref: 00007FF8A8772FF8
OBJ_ln2nid.LIBCRYPTO-1_1 ref: 00007FF8A8773008

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: C_curve_nist2nidJ_ln2nidJ_sn2nidmemcpy
String ID:
API String ID: 722349470-0
Opcode ID: 3589df518e814f2c1b6cee752c96d34c30101d664b7d3ebca52f7da53a35e291
Instruction ID: 81e2e2a2352e7eef3c888cbb29c52e2bfe0eabfb90f9b10d7f9b10c391f6fddd
Opcode Fuzzy Hash: 3589df518e814f2c1b6cee752c96d34c30101d664b7d3ebca52f7da53a35e291
Instruction Fuzzy Hash: 6B213B22B4FA4261FB649B74D45037D62D1FF89BC4FD04031E65E9269AEF2CD981C329

Function 00007FF8A87119C4 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

BIO_find_type.LIBCRYPTO-1_1 ref: 00007FF8A8714A50
BIO_find_type.LIBCRYPTO-1_1 ref: 00007FF8A8714A60
BIO_get_data.LIBCRYPTO-1_1 ref: 00007FF8A8714A75
BIO_get_data.LIBCRYPTO-1_1 ref: 00007FF8A8714A80

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_find_typeO_get_data
String ID:
API String ID: 280995463-0
Opcode ID: d0f089459478ce0474b71b8656c9d47bb1b1cd1a3c036a72a8685ffe64c7f616
Instruction ID: b53efd1cd5d13fb6bd6c2b241881fed47a629c362edb327a23233da965cc8633
Opcode Fuzzy Hash: d0f089459478ce0474b71b8656c9d47bb1b1cd1a3c036a72a8685ffe64c7f616
Instruction Fuzzy Hash: 0601B111F4F692A1FE459656E1002B95292EF88BC4F094030EE5D4BF9FDF2CE941872C

Function 00007FF8A8711D2A Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A873E46C
EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FF8A873E478
EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FF8A873E493
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A873E4AD

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_free$DigestInit_exX_new
String ID:
API String ID: 4262507187-0
Opcode ID: 3908ec200b85e2983a370706cbba9d834aa69e0fd4459fb68dce8b8133b0ae1a
Instruction ID: 828a492118ff3aa82990eb59bded25bc27067a4252e02714a4ca6f343a3f50e6
Opcode Fuzzy Hash: 3908ec200b85e2983a370706cbba9d834aa69e0fd4459fb68dce8b8133b0ae1a
Instruction Fuzzy Hash: 32F0A422B5AB4150EB81A729E5513385290DF48FD4F44C430FE5C47B9ADF3CD4408715

Function 00007FF8A87111A4 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A873D964
EVP_CIPHER_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A873D97C
COMP_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A873D98F
COMP_CTX_free.LIBCRYPTO-1_1 ref: 00007FF8A873D9A2

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_free
String ID:
API String ID: 2268491255-0
Opcode ID: 82e1d11b7c0ecd73b567d5d7cf8315dcadafa679966966f9cc7b343eecd773c7
Instruction ID: a4542ff98d02a53e5ea8f63f3a57842822195773e895dc24b8dbb8ad3fee1a99
Opcode Fuzzy Hash: 82e1d11b7c0ecd73b567d5d7cf8315dcadafa679966966f9cc7b343eecd773c7
Instruction Fuzzy Hash: 31F01262A4B68151EB80EF61D5813BC67A4EF94FC8F184039EF8D4B696CF28D450C63A

Function 00007FF8A87311D0 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

OPENSSL_sk_dup.LIBCRYPTO-1_1(00000000,00007FF8A8730775), ref: 00007FF8A87311E9
OPENSSL_sk_free.LIBCRYPTO-1_1(00000000,00007FF8A8730775), ref: 00007FF8A8731204
OPENSSL_sk_set_cmp_func.LIBCRYPTO-1_1(00000000,00007FF8A8730775), ref: 00007FF8A8731216
OPENSSL_sk_sort.LIBCRYPTO-1_1(00000000,00007FF8A8730775), ref: 00007FF8A873121E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: L_sk_dupL_sk_freeL_sk_set_cmp_funcL_sk_sort
String ID:
API String ID: 1312970346-0
Opcode ID: 38160d876cea3b4985bc4e992428a22d63ba24e8063d3bc00bf50ef85e4380fe
Instruction ID: 15a3ff9a1348847dc6d9118cd1cff962b62323422dea3a269f3b67220177e0d1
Opcode Fuzzy Hash: 38160d876cea3b4985bc4e992428a22d63ba24e8063d3bc00bf50ef85e4380fe
Instruction Fuzzy Hash: 99F08262F4B64191EB41EB25F99137C5390EF88BC4F445031FE5D4BB9AEF2CD4808629

Function 00007FF8A871D9C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF8A871DA45
BIO_write.LIBCRYPTO-1_1 ref: 00007FF8A871DA6A

Strings

..\s\ssl\record\rec_layer_s3.c, xrefs: 00007FF8A871DAEE, 00007FF8A871DB3D

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: ErrorLastO_write
String ID: ..\s\ssl\record\rec_layer_s3.c
API String ID: 186964608-2209325370
Opcode ID: c3d22cc2d86fbe127466d4f782f76b5f20942385974a73c1357ffe6ffe0b2fec
Instruction ID: 18d15dec1c47c472f4732250dec07147e730fc0bc34e47e9c607edb91e247973
Opcode Fuzzy Hash: c3d22cc2d86fbe127466d4f782f76b5f20942385974a73c1357ffe6ffe0b2fec
Instruction Fuzzy Hash: 1F41A232B4AA41A6EB20CF15D4442697BA1FB44BD8F188235DB8D07BA4DF3DE851DB18

Function 00007FF8A8711DAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-1_1 ref: 00007FF8A875873B
BIO_set_flags.LIBCRYPTO-1_1 ref: 00007FF8A8758748

Strings

..\s\ssl\statem\statem_clnt.c, xrefs: 00007FF8A8758988

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID: ..\s\ssl\statem\statem_clnt.c
API String ID: 3946675294-1507966698
Opcode ID: 28c3f517823522640e735040973c17768b2cf3d12b7f11715bcf0f73f8f5afdd
Instruction ID: 89a5612af2750243134b7ed9d848de184e448f6f7b5954058fd6d2c4c3a7b22c
Opcode Fuzzy Hash: 28c3f517823522640e735040973c17768b2cf3d12b7f11715bcf0f73f8f5afdd
Instruction Fuzzy Hash: C0310972B4A54196FB54DB15E48037D3790E749BC8F188430DA4D8B795CF3CD892C718

Function 00007FF8A8711A4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8737358
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87373D3

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873733B, 00007FF8A87373B4

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1767461275-1080266419
Opcode ID: e9339d296cf4c7c4dd0096b94222aa85dc0416be0311f202977cb97808b2dc33
Instruction ID: f3e3e3701399a8d803c471cad81ffa9defb33c27594c1e32f02c92c65cb8a6a7
Opcode Fuzzy Hash: e9339d296cf4c7c4dd0096b94222aa85dc0416be0311f202977cb97808b2dc33
Instruction Fuzzy Hash: 34215E36B4A682A2E7A0CB61D8007F922A1EB847C4F44C035DE0C8B7A1DF7DE545D639

Function 00007FF8A8711E01 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-1_1 ref: 00007FF8A876A30E
BIO_set_flags.LIBCRYPTO-1_1 ref: 00007FF8A876A31B

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A876A33F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID: ..\s\ssl\statem\statem_srvr.c
API String ID: 3946675294-348624464
Opcode ID: a822d9bb87825374a6549099ed44b4a0dc0f27676cc6932e0884995b8e2685dc
Instruction ID: 5dcdabb0775472f11d1a49496579621048f801c6d42f22c245d66ec5ee497b7b
Opcode Fuzzy Hash: a822d9bb87825374a6549099ed44b4a0dc0f27676cc6932e0884995b8e2685dc
Instruction Fuzzy Hash: 1721F532F4A242A6E754DB11E894BB837A0FB89788F908131E94D87B92CF3DE541D719

Function 00007FF8A876A1CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-1_1 ref: 00007FF8A876A30E
BIO_set_flags.LIBCRYPTO-1_1 ref: 00007FF8A876A31B

Strings

..\s\ssl\statem\statem_srvr.c, xrefs: 00007FF8A876A33F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID: ..\s\ssl\statem\statem_srvr.c
API String ID: 3946675294-348624464
Opcode ID: 445f187b3da220a20ded2faaee016e89c322089d365443f4f66cefdfa5413dcf
Instruction ID: d74cf3478e0b804f6886be62a507493ee80be1fae87bcf225e8bd2582976ddb5
Opcode Fuzzy Hash: 445f187b3da220a20ded2faaee016e89c322089d365443f4f66cefdfa5413dcf
Instruction Fuzzy Hash: 2711D331F8A2429AFB609B12D445BBD7785FB85380F844035DA4D0B786EF7ED4859B18

Function 00007FF8A873E100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1(?,?,?,?,?,?,00007FF8A8739742), ref: 00007FF8A873E14D

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873E130

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1767461275-1080266419
Opcode ID: 2edb63da3d684045c2362323214212629023d1d49c079dc5e734b482dca42726
Instruction ID: 10639bc13c54b91b5f9b9e7a032be5cbb312412dc66f551b122715fc83b25e2d
Opcode Fuzzy Hash: 2edb63da3d684045c2362323214212629023d1d49c079dc5e734b482dca42726
Instruction Fuzzy Hash: C9219A32A4AB8292E7519B15E4403AAB7A0FB88FC4F584135EE8D47BA9CF3CD451CB54

Function 00007FF8A872CA5E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

BIO_snprintf.LIBCRYPTO-1_1 ref: 00007FF8A872CD04

Strings

IDEA(128), xrefs: 00007FF8A872CADA
SHA256, xrefs: 00007FF8A872CB80

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_snprintf
String ID: IDEA(128)$SHA256
API String ID: 3142812517-2727354722
Opcode ID: f6cd50909d54a1819278025c5f07f2fde3c3f2b31f99c079fe934eabe613a531
Instruction ID: 0dc799ce6fc90aa6c643523817b1b988da39280bde9018869eb77e07360f17bd
Opcode Fuzzy Hash: f6cd50909d54a1819278025c5f07f2fde3c3f2b31f99c079fe934eabe613a531
Instruction Fuzzy Hash: 11117223CCEB42A1E3759728A48817962E0EBE13D4F450172CD4D13AA4AF3DEA80936C

Function 00007FF8A8711D52 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87173C6
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A87173F8

Strings

..\s\ssl\d1_msg.c, xrefs: 00007FF8A87173B6, 00007FF8A87173E8

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\d1_msg.c
API String ID: 1767461275-424620239
Opcode ID: 855a8ae2a66f2e3ea63fc2224fb77fd476cb01764c04cea8d42874fa9542f34e
Instruction ID: 22d28c7e267fdd414b489e2323a2c92fb0629c3ed971b7568a58afc5f466084e
Opcode Fuzzy Hash: 855a8ae2a66f2e3ea63fc2224fb77fd476cb01764c04cea8d42874fa9542f34e
Instruction Fuzzy Hash: 8D117221A4D64666E2209B16E8002A96764FF85BD0F544235EE9D07FE9CF7CE9508728

Function 00007FF8A8711C76 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

EVP_MD_CTX_copy_ex.LIBCRYPTO-1_1 ref: 00007FF8A876510C

Strings

f, xrefs: 00007FF8A876511A
..\s\ssl\statem\statem_lib.c, xrefs: 00007FF8A87650DB, 00007FF8A8765122

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: X_copy_ex
String ID: ..\s\ssl\statem\statem_lib.c$f
API String ID: 774438373-288918473
Opcode ID: 43b72dd576c0a49c90067c4b7101db9f7e25063f7758619820a5f2d00fa1be7a
Instruction ID: b742ed8a42ef674368ae7b4bae649d2ad06046fdd9d8c5c0db11710b74ee6257
Opcode Fuzzy Hash: 43b72dd576c0a49c90067c4b7101db9f7e25063f7758619820a5f2d00fa1be7a
Instruction Fuzzy Hash: 2E012871B0B502A6F7618B21E8043AE7390EF44BD0F540230DE4C4BBA1EF2DD6D19B28

Function 00007FF8A87399C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8739A0D
ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8739A44

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A87399EE, 00007FF8A8739A25

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1767461275-1080266419
Opcode ID: 42e72fae4823f246006c6a1f5c8ab95baa661923ab3051eb830a147018046908
Instruction ID: 38265790387010884aca0b0605be2e8f262c4543400ce5346ad4b0770a3d7738
Opcode Fuzzy Hash: 42e72fae4823f246006c6a1f5c8ab95baa661923ab3051eb830a147018046908
Instruction Fuzzy Hash: E701DFB2F4A68296F7509B54C8043E926A0FB40B88F408138D78C4B7E1CFBCD986CB25

Function 00007FF8A8711D34 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873F87A
EVP_PKEY_free.LIBCRYPTO-1_1 ref: 00007FF8A873F8A0

Strings

..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A873F85F

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_errorY_free
String ID: ..\s\ssl\ssl_rsa.c
API String ID: 3485142574-2723262194
Opcode ID: aa52e9310cd744896fd84d5a3570e715b8629c80c4c97dc2cadb9d0123446ae9
Instruction ID: 854a1e72252f2a3d9cd0cbdbd5b752ea8aee3ecdc85295ad43ffcf40a0126e72
Opcode Fuzzy Hash: aa52e9310cd744896fd84d5a3570e715b8629c80c4c97dc2cadb9d0123446ae9
Instruction Fuzzy Hash: 0A018B21B4A68151E744D765F5402B9A391EF88BC4F584031EA4C47B5ADF7CD541C614

Function 00007FF8A8711F64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8740CDA
RSA_free.LIBCRYPTO-1_1 ref: 00007FF8A8740CFC

Strings

..\s\ssl\ssl_rsa.c, xrefs: 00007FF8A8740CBF

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: A_freeR_put_error
String ID: ..\s\ssl\ssl_rsa.c
API String ID: 2676655247-2723262194
Opcode ID: 72c29b5fd5a66d891dc46ea6151b9d53bd226e6150693e1e1df9dfc19f636d4c
Instruction ID: cec196ebe07e34444e3f54902bd56b50e710d181e1944737cfcdf614ad837b16
Opcode Fuzzy Hash: 72c29b5fd5a66d891dc46ea6151b9d53bd226e6150693e1e1df9dfc19f636d4c
Instruction Fuzzy Hash: 66F0F921B4A64191EB50DB65F5402BDA3A0EF887C0F544032EB4C4BB96DF3CD540C614

Function 00007FF8A8717100 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00007FF8A8717126
SystemTimeToFileTime.KERNEL32 ref: 00007FF8A8717136

Strings

gfff, xrefs: 00007FF8A871716A

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: Time$System$File
String ID: gfff
API String ID: 2838179519-1553575800
Opcode ID: 8598e0d54cfaff5949dc28ec1506e56c8935b470442241552d9a963358eca039
Instruction ID: 45f711e12231ed7e736f99023da7f2612654e6df17bb1a54e021eeb2452b1509
Opcode Fuzzy Hash: 8598e0d54cfaff5949dc28ec1506e56c8935b470442241552d9a963358eca039
Instruction Fuzzy Hash: DE01A7A2B1954586DB60DB25E8011656791F7CC7C4F449031F69ECAB65EF2CD1518B10

Function 00007FF8A8725E09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

EC_KEY_get0_group.LIBCRYPTO-1_1 ref: 00007FF8A8725E1E

Strings

{, xrefs: 00007FF8A8725E0E

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: Y_get0_group
String ID: {
API String ID: 3268241200-4087598719
Opcode ID: 1baf22aea847f424de8ca57e84cb34f188ebb91a18b5e641cc457d59bc7fc816
Instruction ID: d8f5143b810db7e96dc6f417a86dafcc5bae57675cf999ca002c6bb0b6770105
Opcode Fuzzy Hash: 1baf22aea847f424de8ca57e84cb34f188ebb91a18b5e641cc457d59bc7fc816
Instruction Fuzzy Hash: 71F0A431A5E552A5FBA1DE11E0002BD6790EF847D4F400132DE4D47695FF3CE546CB28

Function 00007FF8A875896B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

BIO_clear_flags.LIBCRYPTO-1_1 ref: 00007FF8A875873B
BIO_set_flags.LIBCRYPTO-1_1 ref: 00007FF8A8758748

Strings

), xrefs: 00007FF8A8758973

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: O_clear_flagsO_set_flags
String ID: )
API String ID: 3946675294-2427484129
Opcode ID: 65fec3cecdfe988b1043912a1c46b612975988de8ce40039839f9cddff237cd8
Instruction ID: cd823ac935568d405d886ad834aa3dbc8eb292df129d015623a20fb57da119ca
Opcode Fuzzy Hash: 65fec3cecdfe988b1043912a1c46b612975988de8ce40039839f9cddff237cd8
Instruction Fuzzy Hash: CEF09662B4924296FB45DF25E04537D6391EB85BC8F184134CE4C0B78ADF3DD4958714

Function 00007FF8A873A9F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A873AA1E
memcpy.VCRUNTIME140 ref: 00007FF8A873AA3B

Strings

..\s\ssl\ssl_lib.c, xrefs: 00007FF8A873AA10

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_errormemcpy
String ID: ..\s\ssl\ssl_lib.c
API String ID: 1385177007-1080266419
Opcode ID: 10cb0884061ef3f206dd78203e440ca8d92b14d13812e3b5a076d9c7ae8bf948
Instruction ID: 314387eb5726986793a6127f18544336c90a7bb49fbce15f7135ec33b8579753
Opcode Fuzzy Hash: 10cb0884061ef3f206dd78203e440ca8d92b14d13812e3b5a076d9c7ae8bf948
Instruction Fuzzy Hash: F5E09266F5A49656E760E764D4067AC33A0FB40784FC04034E34C06AA1DF6EA657CF28

Function 00007FF8A8725DCB Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

ERR_put_error.LIBCRYPTO-1_1 ref: 00007FF8A8725DE8

Strings

..\s\ssl\s3_lib.c, xrefs: 00007FF8A8725DD8
m, xrefs: 00007FF8A8725DD0

Memory Dump Source

Source File: 00000002.00000002.2129405203.00007FF8A8711000.00000020.00000001.01000000.00000013.sdmp, Offset: 00007FF8A8710000, based on PE: true

Associated: 00000002.00000002.2129387201.00007FF8A8710000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129405203.00007FF8A8781000.00000020.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129521175.00007FF8A8783000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129549523.00007FF8A87A6000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87AB000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B1000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000002.00000002.2129569733.00007FF8A87B8000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8a8710000_zapret.jbxd

Similarity

API ID: R_put_error
String ID: ..\s\ssl\s3_lib.c$m
API String ID: 1767461275-297842231
Opcode ID: 015f7276b4616ebe684561128c72bfed2733b800ce5d44119271066c22264b62
Instruction ID: b3f76921460479d30fc7cb11c59ecdf9e6d79910db342dc76c4fd23fd6d66659
Opcode Fuzzy Hash: 015f7276b4616ebe684561128c72bfed2733b800ce5d44119271066c22264b62
Instruction Fuzzy Hash: AED0C736B08801A6E321EB01F4002EA6360F7883A0F800833EB0C026A5DB3CE586DA28

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zapret.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6m52a7vx

C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI50042\VCRUNTIME140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI50042\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_ctypes.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_elementtree.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_queue.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_ssl.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\_win32sysloader.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\base_library.zip

C:\Users\user\AppData\Local\Temp\_MEI50042\certifi\cacert.pem

C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md.cp38-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\charset_normalizer\md__mypyc.cp38-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI50042\libcrypto-1_1.dll

C:\Users\user\AppData\Local\Temp\_MEI50042\libffi-7.dll

C:\Users\user\AppData\Local\Temp\_MEI50042\libssl-1_1.dll

C:\Users\user\AppData\Local\Temp\_MEI50042\mfc140u.dll

C:\Users\user\AppData\Local\Temp\_MEI50042\psutil\_psutil_windows.pyd

Windows Analysis Report
zapret.exe

C:\Users\user\AppData\Local\Temp\tmpt3ztn0zp\gen_py\init.py

Function 00007FF630481154 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123
COMMON

Function 00007FF630481C80 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 123
COMMON

Function 00007FF630487270 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 118
COMMON

Function 00007FF630481710 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 198
fileCOMMON

Function 00007FF630488440 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 96
COMMON

Function 00007FF63048E5E0 Relevance: 25.9, APIs: 17, Instructions: 353
COMMON

Function 00007FF630481E80 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 144
COMMON

Function 00007FF6304879C0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89
processsynchronizationCOMMON

Function 00007FF6304816D0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 285
stringCOMMON

Function 00007FF630487490 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86
COMMON