Edit tour

Windows Analysis Report
DeltaX.exe

Overview

General Information

Sample name:	DeltaX.exe
Analysis ID:	1578142
MD5:	8c02c616f0d561e49ae8c000c1c9bc7a
SHA1:	9709433a4028348c3d1bd0f6684d97e5d949e9c0
SHA256:	6dc4e9a65a2aa8622e224c4b1d55b5d1389143a3971a58c2393d20dc29f307b4
Tags:	CoinMinerexeuser-sa6ta6ni6c
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to infect the boot sector

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

DeltaX.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\DeltaX.exe" MD5: 8C02C616F0D561E49AE8C000C1C9BC7A)

DeltaX.exe (PID: 7376 cmdline: "C:\Users\user\Desktop\DeltaX.exe" MD5: 8C02C616F0D561E49AE8C000C1C9BC7A)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DeltaX.exe

Virustotal: Detection: 8%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 1_2_66FA43A0 PyCFunction_NewEx,CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,clock,clock,clock,clock,CryptReleaseContext,

1_2_66FA43A0

Source: DeltaX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32trace.pdb source: DeltaX.exe, 00000000.00000003.1708925728.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, win32trace.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdb source: mfc140u.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1774855825.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32ui.pdb source: win32ui.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pythoncom.pdb}},GCTL source: DeltaX.exe, 00000001.00000002.1773333690.00007FFE0144C000.00000002.00000001.01000000.0000000C.sdmp, pythoncom38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: DeltaX.exe, 00000001.00000002.1774346844.00007FFE0EC2D000.00000002.00000001.01000000.00000011.sdmp, _ssl.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1774669645.00007FFE101D9000.00000002.00000001.01000000.0000000F.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python3.pdb source: DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775421875.00007FFE11BB2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: DeltaX.exe, 00000001.00000002.1771891248.00007FFE013B3000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775798175.00007FFE12E15000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32api.pdb source: DeltaX.exe, 00000001.00000002.1774548019.00007FFE0EC53000.00000002.00000001.01000000.0000000D.sdmp, win32api.pyd.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: DeltaX.exe, 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\_win32sysloader.pdb source: DeltaX.exe, 00000000.00000003.1699183866.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: DeltaX.exe, 00000001.00000002.1769037884.00007FFDFB76D000.00000002.00000001.01000000.00000004.sdmp, python38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: DeltaX.exe, 00000001.00000002.1775307609.00007FFE11541000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1774855825.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32api.pdb!! source: DeltaX.exe, 00000001.00000002.1774548019.00007FFE0EC53000.00000002.00000001.01000000.0000000D.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: DeltaX.exe, 00000000.00000003.1697696910.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775995653.00007FFE13205000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775016727.00007FFE1030E000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdbGCTL source: mfc140u.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_queue.pdb source: DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775567682.00007FFE120C3000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_elementtree.pdb source: DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: DeltaX.exe, 00000000.00000003.1697539313.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775695544.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pywintypes.pdb source: DeltaX.exe, 00000001.00000002.1775125523.00007FFE11511000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32ui.pdbOO source: win32ui.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pywintypes.pdb** source: DeltaX.exe, 00000001.00000002.1775125523.00007FFE11511000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: DeltaX.exe, 00000001.00000002.1771891248.00007FFE013B3000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775896309.00007FFE130C3000.00000002.00000001.01000000.00000010.sdmp, select.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: DeltaX.exe, 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA8000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1769594405.00007FFE00825000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: vcruntime140.amd64.pdb source: DeltaX.exe, 00000000.00000003.1697539313.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775695544.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: DeltaX.exe, 00000000.00000003.1697696910.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775995653.00007FFE13205000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pythoncom.pdb source: DeltaX.exe, 00000001.00000002.1773333690.00007FFE0144C000.00000002.00000001.01000000.0000000C.sdmp, pythoncom38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\pyexpat.pdb source: pyexpat.pyd.0.dr

Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CA85E0 FindFirstFileExW,FindClose,		0_2_00007FF654CA85E0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CA85E0 FindFirstFileExW,FindClose,		1_2_00007FF654CA85E0

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 1_2_66F93330 strchr,WSAStartup,gethostbyname,socket,htons,ioctlsocket,ioctlsocket,connect,ioctlsocket,send,send,WSAGetLastError,closesocket,WSACleanup,SetLastError,recv,recv,closesocket,WSACleanup,strstr,toupper,strstr,toupper,toupper,toupper,toupper,strstr,memcmp,memcmp,_mktime64,gethostbyname,WSAGetLastError,WSAGetLastError,ioctlsocket,WSAGetLastError,WSAGetLastError,WSACleanup,SetLastError,WSAGetLastError,select,ioctlsocket,

1_2_66F93330

Source: global traffic

DNS traffic detected: DNS query: brave.com

Source: DeltaX.exe, 00000001.00000002.1766522050.000001A7902D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: DeltaX.exe, 00000001.00000003.1757814022.000001A78FF64000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760550087.000001A78FF8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF74000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757405857.000001A78FF5A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF5B000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757859158.000001A78FF85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: DeltaX.exe, 00000001.00000003.1761432959.000001A78F65F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755723115.000001A78FA24000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759335177.000001A78FA2E000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1763699919.000001A78F660000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761271260.000001A78FF0B000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756626751.000001A78FA26000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758465727.000001A78FA29000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754932185.000001A78F65A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758192126.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757486091.000001A78FA28000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761105478.000001A78FF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: DeltaX.exe, 00000001.00000003.1757679214.000001A78FF20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: DeltaX.exe, 00000001.00000003.1757814022.000001A78FF64000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760550087.000001A78FF8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF74000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757405857.000001A78FF5A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF5B000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757859158.000001A78FF85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: DeltaX.exe, 00000001.00000003.1757814022.000001A78FF64000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757405857.000001A78FF5A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlEc
Source: DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764740250.000001A78FA8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: DeltaX.exe, 00000001.00000003.1756095628.000001A78FA59000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756046392.000001A78FA3C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759655073.000001A78FA5D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760073324.000001A78FA60000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764740250.000001A78FA8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlts
Source: DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764740250.000001A78FA8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: DeltaX.exe, 00000001.00000003.1756095628.000001A78FA59000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756046392.000001A78FA3C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759655073.000001A78FA5D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760073324.000001A78FA60000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764740250.000001A78FA8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crlpF
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764740250.000001A78FA8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757337027.000001A78FF1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: DeltaX.exe, 00000001.00000002.1766522050.000001A7902D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: DeltaX.exe, 00000001.00000002.1766904404.000001A790450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: DeltaX.exe, 00000001.00000003.1755530803.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756836999.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758569140.000001A78FB38000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: DeltaX.exe, 00000001.00000003.1761417012.000001A78FB32000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755530803.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764904259.000001A78FB33000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756836999.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758818088.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758818088.000001A78FA90000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756836999.000001A78FA8F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764756491.000001A78FA90000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: DeltaX.exe, 00000001.00000003.1759120907.000001A78F607000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://json.org
Source: DeltaX.exe, 00000001.00000002.1766861189.000001A790410000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765993745.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: python38.dll.0.dr	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: DeltaX.exe, 00000001.00000003.1755270685.000001A78FEC3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754966477.000001A78FBD8000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765197838.000001A78FBD9000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760439389.000001A78FBD9000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754518855.000001A78FBCB000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757337027.000001A78FF1D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758150457.000001A78FEC8000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757679214.000001A78FF20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757337027.000001A78FF1D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757679214.000001A78FF20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/V
Source: DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757337027.000001A78FF1D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757679214.000001A78FF20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/i
Source: DeltaX.exe, 00000001.00000002.1765536273.000001A78FDE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765993745.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757391154.000001A78FF48000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF50000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757455382.000001A78FF4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765993745.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757391154.000001A78FF48000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF50000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757455382.000001A78FF4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crldX
Source: DeltaX.exe, 00000001.00000003.1755306092.000001A78F5E2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755372402.000001A78F5E6000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758700404.000001A78F5FA000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759120907.000001A78F5FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765993745.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755306092.000001A78F5E2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755372402.000001A78F5E6000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765993745.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758700404.000001A78F5FA000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759120907.000001A78F5FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: DeltaX.exe, 00000001.00000003.1754788522.000001A78F688000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759212930.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757264882.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758628205.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF74000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755486890.000001A78F68C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756530762.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766070477.000001A78FF75000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: DeltaX.exe, 00000001.00000003.1754788522.000001A78F688000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759212930.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757264882.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758628205.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755486890.000001A78F68C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756530762.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/n
Source: DeltaX.exe, 00000001.00000003.1757745656.000001A78FF95000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761207999.000001A78FFA5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758010409.000001A78FF98000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766194456.000001A78FFB3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757503305.000001A78FF94000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757152144.000001A78FFAE000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766158101.000001A78FFA8000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: DeltaX.exe, 00000001.00000003.1756095628.000001A78FA59000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756046392.000001A78FA3C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758890361.000001A78FA79000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: DeltaX.exe, 00000001.00000002.1765663765.000001A78FEC1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1714163997.000001A78D4EC000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713551488.000001A78D4D9000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713925480.000001A78D490000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713779399.000001A78D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/
Source: DeltaX.exe, 00000000.00000003.1709738620.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764130223.000001A78F7D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: DeltaX.exe, 00000001.00000002.1763197818.000001A78F550000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713254959.000001A78D4D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713095449.000001A78D4D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: DeltaX.exe, 00000001.00000002.1765816879.000001A78FF09000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758192126.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761105478.000001A78FF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: DeltaX.exe, 00000001.00000003.1755270685.000001A78FEC3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758150457.000001A78FEC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: DeltaX.exe, 00000001.00000002.1765816879.000001A78FF09000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758192126.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761105478.000001A78FF05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps=
Source: DeltaX.exe, 00000001.00000003.1757728184.000001A78FBCB000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758786155.000001A78FBD4000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759429791.000001A78FBD6000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754518855.000001A78FBCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: DeltaX.exe, 00000001.00000002.1766976010.000001A7904F0000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764224078.000001A78F860000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://brave.com/api/webhooks/123
Source: DeltaX.exe, 00000001.00000002.1766976010.000001A7904F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://brave.com/api/webhooks/1230)Q
Source: DeltaX.exe, 00000001.00000002.1766976010.000001A7904F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://brave.com/api/webhooks/123p%Q
Source: DeltaX.exe, 00000001.00000002.1764224078.000001A78F860000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://brave.com/api/webhooks/123te
Source: DeltaX.exe, 00000001.00000002.1764370950.000001A78F940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: DeltaX.exe, 00000001.00000003.1756253162.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756412026.000001A78FBB1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: DeltaX.exe, 00000001.00000003.1711483457.000001A78D5D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761169246.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755306092.000001A78F5E2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712793757.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712923053.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756591004.000001A78D47D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759497477.000001A78D47E000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1714403326.000001A78D5D1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762500518.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712623533.000001A78D485000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1711569935.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755393075.000001A78D457000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712037466.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712202345.000001A78D485000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758943333.000001A790022000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758261157.000001A790011000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755781066.000001A790009000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754428082.000001A78FFF1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766398569.000001A790032000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756731502.000001A79000F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759615246.000001A790032000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giK?t
Source: DeltaX.exe, 00000001.00000003.1759365816.000001A79003B000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758943333.000001A790022000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766904404.000001A790450000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758261157.000001A790011000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755781066.000001A790009000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754428082.000001A78FFF1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766417726.000001A790042000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756731502.000001A79000F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760874035.000001A79003E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: DeltaX.exe, DeltaX.exe, 00000001.00000002.1775167367.00007FFE11522000.00000002.00000001.01000000.00000008.sdmp, DeltaX.exe, 00000001.00000002.1774604729.00007FFE0EC61000.00000002.00000001.01000000.0000000D.sdmp, DeltaX.exe, 00000001.00000002.1774049119.00007FFE01494000.00000002.00000001.01000000.0000000C.sdmp, win32api.pyd.0.dr, pythoncom38.dll.0.dr, win32trace.pyd.0.dr, win32ui.pyd.0.dr	String found in binary or memory: https://github.com/mhammond/pywin32
Source: DeltaX.exe, 00000001.00000002.1766602794.000001A790350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: DeltaX.exe, 00000001.00000003.1711483457.000001A78D5D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762949765.000001A78F1D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: DeltaX.exe, 00000001.00000003.1756187553.000001A78F5E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: DeltaX.exe, 00000001.00000003.1711483457.000001A78D5D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761169246.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755306092.000001A78F5E2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712793757.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712923053.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756591004.000001A78D47D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759497477.000001A78D47E000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1714403326.000001A78D5D1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1763368434.000001A78F5E3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762500518.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712623533.000001A78D485000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1711569935.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755393075.000001A78D457000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712037466.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712202345.000001A78D485000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756187553.000001A78F5E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: DeltaX.exe, 00000001.00000003.1711483457.000001A78D5D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761169246.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755306092.000001A78F5E2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712793757.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712923053.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756591004.000001A78D47D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759497477.000001A78D47E000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1714403326.000001A78D5D1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1763368434.000001A78F5E3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762500518.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712623533.000001A78D485000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1711569935.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755393075.000001A78D457000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712037466.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712202345.000001A78D485000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756187553.000001A78F5E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: DeltaX.exe, 00000001.00000002.1764370950.000001A78F940000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: DeltaX.exe, 00000001.00000003.1755228217.000001A78D4C3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759598297.000001A78D4E6000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755328581.000001A78D4D2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759446724.000001A78D4E3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755907138.000001A78D4D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: DeltaX.exe, 00000001.00000002.1765504074.000001A78FDA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: DeltaX.exe, 00000001.00000002.1765471329.000001A78FD60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: DeltaX.exe, 00000001.00000002.1765471329.000001A78FD60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/32902
Source: DeltaX.exe, 00000001.00000003.1755871525.000001A78F607000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755158982.000001A78F607000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757831705.000001A78F629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urlliby
Source: DeltaX.exe, 00000001.00000003.1756803320.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: DeltaX.exe, 00000001.00000003.1755228217.000001A78D4C3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756253162.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758716572.000001A78FBB0000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757291539.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760804885.000001A78D4C7000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762658774.000001A78D4CC000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756803320.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: DeltaX.exe, 00000001.00000003.1757831705.000001A78F629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: DeltaX.exe, 00000001.00000003.1758419753.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765003307.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756253162.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: DeltaX.exe, 00000001.00000003.1754836900.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: DeltaX.exe, 00000001.00000002.1765536273.000001A78FDE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: DeltaX.exe, 00000001.00000002.1764490843.000001A78FA10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: DeltaX.exe, 00000001.00000002.1765663765.000001A78FEC1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1714163997.000001A78D4EC000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713551488.000001A78D4D9000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713925480.000001A78D490000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713779399.000001A78D4EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: DeltaX.exe, 00000001.00000002.1765471329.000001A78FD60000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765504074.000001A78FDA0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: DeltaX.exe, 00000001.00000002.1764224078.000001A78F860000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/gabjohn3/nb/main/12kav.json
Source: DeltaX.exe, 00000001.00000002.1766602794.000001A790350000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764490843.000001A78FA10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: DeltaX.exe, 00000001.00000003.1759365816.000001A79003B000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758943333.000001A790022000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766904404.000001A790450000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758261157.000001A790011000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755781066.000001A790009000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754428082.000001A78FFF1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766417726.000001A790042000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756731502.000001A79000F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760874035.000001A79003E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: DeltaX.exe, 00000001.00000003.1758419753.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765003307.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756253162.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: DeltaX.exe, 00000001.00000003.1755530803.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756253162.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756836999.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758716572.000001A78FBB0000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757291539.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758569140.000001A78FB38000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759159899.000001A78FB3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756803320.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: DeltaX.exe, 00000001.00000002.1765370865.000001A78FCD0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: DeltaX.exe, 00000001.00000002.1765339924.000001A78FC90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmp, DeltaX.exe, 00000001.00000002.1772648557.00007FFE013E8000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: DeltaX.exe, 00000001.00000002.1764490843.000001A78FA10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: DeltaX.exe, 00000001.00000003.1760647399.000001A78D4E5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755228217.000001A78D4C3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755328581.000001A78D4D2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759446724.000001A78D4E3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755907138.000001A78D4D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF74000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757859158.000001A78FF85000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757944935.000001A78FF8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760550087.000001A78FF8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF74000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757859158.000001A78FF85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: DeltaX.exe, 00000001.00000003.1755228217.000001A78D4C3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756253162.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758716572.000001A78FBB0000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757291539.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760804885.000001A78D4C7000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762658774.000001A78D4CC000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756803320.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 1_2_66F93050 WSAStartup,gethostbyname,socket,setsockopt,setsockopt,setsockopt,htons,sendto,sendto,recvfrom,recvfrom,ntohl,ntohl,ntohl,closesocket,WSACleanup,WSAGetLastError,closesocket,WSACleanup,SetLastError,WSAGetLastError,WSACleanup,SetLastError,

1_2_66F93050

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 1_2_66F92240: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy,

1_2_66F92240

Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CA8C60	0_2_00007FF654CA8C60
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CABE20	0_2_00007FF654CABE20
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CA2560	0_2_00007FF654CA2560
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CAB2A0	0_2_00007FF654CAB2A0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CA9640	0_2_00007FF654CA9640
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CA9660	0_2_00007FF654CA9660
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CB508A	0_2_00007FF654CB508A
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CA9458	0_2_00007FF654CA9458
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F87560	1_2_66F87560
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F86560	1_2_66F86560
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F93B90	1_2_66F93B90
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FA36F0	1_2_66FA36F0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FD96A0	1_2_66FD96A0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FE7650	1_2_66FE7650
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FA6640	1_2_66FA6640
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FAC620	1_2_66FAC620
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FD74F5	1_2_66FD74F5
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FD6450	1_2_66FD6450
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F945C0	1_2_66F945C0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FA05A0	1_2_66FA05A0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FA9560	1_2_66FA9560
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FA4520	1_2_66FA4520
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FAE230	1_2_66FAE230
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F953B0	1_2_66F953B0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F97370	1_2_66F97370
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FA80E0	1_2_66FA80E0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F971D0	1_2_66F971D0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F9B170	1_2_66F9B170
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FE7170	1_2_66FE7170
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FA9140	1_2_66FA9140
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F81E10	1_2_66F81E10
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FAAFE0	1_2_66FAAFE0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FADFB0	1_2_66FADFB0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FD7F10	1_2_66FD7F10
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F9FCE0	1_2_66F9FCE0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FFECA0	1_2_66FFECA0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F89C60	1_2_66F89C60
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FC1C50	1_2_66FC1C50
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FD6C10	1_2_66FD6C10
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FE7D70	1_2_66FE7D70
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F87D60	1_2_66F87D60
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F93D10	1_2_66F93D10
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F83AC1	1_2_66F83AC1
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F89AA0	1_2_66F89AA0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FD8A30	1_2_66FD8A30
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FC8A20	1_2_66FC8A20
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FA7BF0	1_2_66FA7BF0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F838D6	1_2_66F838D6
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FC18C2	1_2_66FC18C2
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F97890	1_2_66F97890
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F90832	1_2_66F90832
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_670009D0	1_2_670009D0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66F96810	1_2_66F96810
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FA7800	1_2_66FA7800
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FE09F0	1_2_66FE09F0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CABE20	1_2_00007FF654CABE20
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CA2560	1_2_00007FF654CA2560
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CA9640	1_2_00007FF654CA9640
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CA9660	1_2_00007FF654CA9660
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CB508A	1_2_00007FF654CB508A
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CAB2A0	1_2_00007FF654CAB2A0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CA8C60	1_2_00007FF654CA8C60
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CA9458	1_2_00007FF654CA9458
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB26FB70	1_2_00007FFDFB26FB70
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1312C1	1_2_00007FFDFB1312C1
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB363B80	1_2_00007FFDFB363B80
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB134025	1_2_00007FFDFB134025
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB2CBA70	1_2_00007FFDFB2CBA70
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB19FB00	1_2_00007FFDFB19FB00
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB13385F	1_2_00007FFDFB13385F
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB134B24	1_2_00007FFDFB134B24
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB133C1A	1_2_00007FFDFB133C1A
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB132504	1_2_00007FFDFB132504
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB132BC6	1_2_00007FFDFB132BC6
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB13513C	1_2_00007FFDFB13513C
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB2DFF80	1_2_00007FFDFB2DFF80
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB25BFA0	1_2_00007FFDFB25BFA0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB2C7E70	1_2_00007FFDFB2C7E70
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB137194	1_2_00007FFDFB137194
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB13135C	1_2_00007FFDFB13135C
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB14BF20	1_2_00007FFDFB14BF20
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB14BD60	1_2_00007FFDFB14BD60
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB13200E	1_2_00007FFDFB13200E
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB131B95	1_2_00007FFDFB131B95
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1348CC	1_2_00007FFDFB1348CC
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB132A27	1_2_00007FFDFB132A27
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB14F200	1_2_00007FFDFB14F200
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB134B74	1_2_00007FFDFB134B74
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB135227	1_2_00007FFDFB135227
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB132513	1_2_00007FFDFB132513
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB14F060	1_2_00007FFDFB14F060
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB133EB3	1_2_00007FFDFB133EB3
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB131B72	1_2_00007FFDFB131B72
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB131889	1_2_00007FFDFB131889
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1311DB	1_2_00007FFDFB1311DB
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB13282E	1_2_00007FFDFB13282E
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB15B850	1_2_00007FFDFB15B850
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB133DBE	1_2_00007FFDFB133DBE
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB134651	1_2_00007FFDFB134651
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB25B600	1_2_00007FFDFB25B600
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB15B4C0	1_2_00007FFDFB15B4C0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB2C74F0	1_2_00007FFDFB2C74F0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB135B91	1_2_00007FFDFB135B91
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB136717	1_2_00007FFDFB136717
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1360D7	1_2_00007FFDFB1360D7
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB133EA4	1_2_00007FFDFB133EA4
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1312A8	1_2_00007FFDFB1312A8
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB135204	1_2_00007FFDFB135204
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1369F6	1_2_00007FFDFB1369F6
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB131AE1	1_2_00007FFDFB131AE1
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB131EB0	1_2_00007FFDFB131EB0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB21A870	1_2_00007FFDFB21A870
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB13105F	1_2_00007FFDFB13105F
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB131F73	1_2_00007FFDFB131F73
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB2CA910	1_2_00007FFDFB2CA910
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB136596	1_2_00007FFDFB136596
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB132112	1_2_00007FFDFB132112
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1351D7	1_2_00007FFDFB1351D7
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB132671	1_2_00007FFDFB132671
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB25EE80	1_2_00007FFDFB25EE80
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB14EF00	1_2_00007FFDFB14EF00
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1360DC	1_2_00007FFDFB1360DC
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1334AE	1_2_00007FFDFB1334AE
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB26EDB0	1_2_00007FFDFB26EDB0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB131BC7	1_2_00007FFDFB131BC7
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1324AA	1_2_00007FFDFB1324AA
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB212410	1_2_00007FFDFB212410
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB136915	1_2_00007FFDFB136915
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB134DA4	1_2_00007FFDFB134DA4
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB133099	1_2_00007FFDFB133099
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB132D60	1_2_00007FFDFB132D60
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB134421	1_2_00007FFDFB134421
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB1319D8	1_2_00007FFDFB1319D8
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB136000	1_2_00007FFDFB136000
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB13258B	1_2_00007FFDFB13258B
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB266710	1_2_00007FFDFB266710
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB134129	1_2_00007FFDFB134129
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB132B2B	1_2_00007FFDFB132B2B
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB13654B	1_2_00007FFDFB13654B
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB134E7B	1_2_00007FFDFB134E7B

Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 00007FF654CA2CD0 appears 92 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 00007FFDFB135DDA appears 347 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 67022C70 appears 48 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 00007FFDFB13206D appears 52 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 00007FFDFB131C08 appears 69 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 00007FF654CA2DB0 appears 200 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 00007FFDFB131055 appears 737 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 00007FFDFB134688 appears 86 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 67022C28 appears 65 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 00007FFDFB1340F7 appears 210 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 00007FF654CA2E50 appears 34 times
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: String function: 66F9D070 appears 235 times

Source: pyarmor_runtime.pyd.0.dr	Static PE information: Number of sections : 11 > 10
Source: DeltaX.exe	Static PE information: Number of sections : 12 > 10

Source: python3.dll.0.dr

Static PE information: No import functions for PE file found

Source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ha vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1708925728.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1697539313.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1709241058.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1707743124.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes38.dll0 vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_elementtree.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1699210158.000001A974FAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1708784563.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1707437058.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom38.dll0 vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1699183866.000001A974FAC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1697696910.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000000.00000003.1699183866.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs DeltaX.exe
Source: DeltaX.exe	Binary or memory string: OriginalFilename vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1775604875.00007FFE120C6000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1775167367.00007FFE11522000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamepywintypes38.dll0 vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1775380845.00007FFE1154C000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1775053670.00007FFE10314000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1769517956.00007FFDFB87F000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1775933031.00007FFE130C6000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1774604729.00007FFE0EC61000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1774049119.00007FFE01494000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenamepythoncom38.dll0 vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1770016093.00007FFE0082B000.00000002.00000001.01000000.00000018.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1775736854.00007FFE126F3000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1775421875.00007FFE11BB2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1775839558.00007FFE12E1A000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1776034544.00007FFE13209000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1774946032.00007FFE1026C000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1774718889.00007FFE101E3000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1774456970.00007FFE0EC3C000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs DeltaX.exe
Source: DeltaX.exe, 00000001.00000002.1772648557.00007FFE013E8000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilenamelibsslH vs DeltaX.exe

Source: classification engine

Classification label: mal56.winEXE@3/34@1/1

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 0_2_00007FF654CA7E50 FormatMessageW,WideCharToMultiByte,GetLastError,

0_2_00007FF654CA7E50

Source: C:\Users\user\Desktop\DeltaX.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI73442

Jump to behavior

Source: DeltaX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DeltaX.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DeltaX.exe

Virustotal: Detection: 8%

Source: C:\Users\user\Desktop\DeltaX.exe

File read: C:\Users\user\Desktop\DeltaX.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DeltaX.exe "C:\Users\user\Desktop\DeltaX.exe"
Source: C:\Users\user\Desktop\DeltaX.exe	Process created: C:\Users\user\Desktop\DeltaX.exe "C:\Users\user\Desktop\DeltaX.exe"
Source: C:\Users\user\Desktop\DeltaX.exe	Process created: C:\Users\user\Desktop\DeltaX.exe "C:\Users\user\Desktop\DeltaX.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\DeltaX.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: DeltaX.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: DeltaX.exe

Static file information: File size 10374703 > 1048576

Source: DeltaX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32trace.pdb source: DeltaX.exe, 00000000.00000003.1708925728.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, win32trace.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdb source: mfc140u.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1774855825.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32ui.pdb source: win32ui.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pythoncom.pdb}},GCTL source: DeltaX.exe, 00000001.00000002.1773333690.00007FFE0144C000.00000002.00000001.01000000.0000000C.sdmp, pythoncom38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ssl.pdb source: DeltaX.exe, 00000001.00000002.1774346844.00007FFE0EC2D000.00000002.00000001.01000000.00000011.sdmp, _ssl.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1774669645.00007FFE101D9000.00000002.00000001.01000000.0000000F.sdmp, _socket.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python3.pdb source: DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775421875.00007FFE11BB2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb?? source: DeltaX.exe, 00000001.00000002.1771891248.00007FFE013B3000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775798175.00007FFE12E15000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32api.pdb source: DeltaX.exe, 00000001.00000002.1774548019.00007FFE0EC53000.00000002.00000001.01000000.0000000D.sdmp, win32api.pyd.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: DeltaX.exe, 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\_win32sysloader.pdb source: DeltaX.exe, 00000000.00000003.1699183866.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: DeltaX.exe, 00000001.00000002.1769037884.00007FFDFB76D000.00000002.00000001.01000000.00000004.sdmp, python38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: DeltaX.exe, 00000001.00000002.1775307609.00007FFE11541000.00000002.00000001.01000000.00000006.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1774855825.00007FFE10264000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32api.pdb!! source: DeltaX.exe, 00000001.00000002.1774548019.00007FFE0EC53000.00000002.00000001.01000000.0000000D.sdmp, win32api.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: DeltaX.exe, 00000000.00000003.1697696910.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775995653.00007FFE13205000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775016727.00007FFE1030E000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\mfc140u.amd64.pdbGCTL source: mfc140u.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_queue.pdb source: DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775567682.00007FFE120C3000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\_elementtree.pdb source: DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: DeltaX.exe, 00000000.00000003.1697539313.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775695544.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pywintypes.pdb source: DeltaX.exe, 00000001.00000002.1775125523.00007FFE11511000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\win32ui.pdbOO source: win32ui.pyd.0.dr
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pywintypes.pdb** source: DeltaX.exe, 00000001.00000002.1775125523.00007FFE11511000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: DeltaX.exe, 00000001.00000002.1771891248.00007FFE013B3000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775896309.00007FFE130C3000.00000002.00000001.01000000.00000010.sdmp, select.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: DeltaX.exe, 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: DeltaX.exe, 00000000.00000003.1708141296.000001A974FA8000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1769594405.00007FFE00825000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: vcruntime140.amd64.pdb source: DeltaX.exe, 00000000.00000003.1697539313.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775695544.00007FFE126EE000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: DeltaX.exe, 00000000.00000003.1697696910.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1775995653.00007FFE13205000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\pywin32\pywin32\build\temp.win-amd64-cpython-38\Release\pythoncom.pdb source: DeltaX.exe, 00000001.00000002.1773333690.00007FFE0144C000.00000002.00000001.01000000.0000000C.sdmp, pythoncom38.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\pyexpat.pdb source: pyexpat.pyd.0.dr

Source: VCRUNTIME140_1.dll.0.dr

Static PE information: 0xFAEA9D3D [Sun May 27 03:27:57 2103 UTC]

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 0_2_00007FF654CA15E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF654CA15E0

Source: md__mypyc.cp38-win_amd64.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x25d58
Source: _win32sysloader.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xb07b
Source: win32trace.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x145f4
Source: pyarmor_runtime.pyd.0.dr	Static PE information: real checksum: 0xa7ade should be: 0xa0dc7
Source: md.cp38-win_amd64.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0xb550
Source: win32api.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x30505
Source: pythoncom38.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xb0750
Source: _psutil_windows.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x1f645
Source: pywintypes38.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x27641
Source: win32ui.pyd.0.dr	Static PE information: real checksum: 0x0 should be: 0x11b4b8

Source: DeltaX.exe	Static PE information: section name: /4
Source: DeltaX.exe	Static PE information: section name: .xdata
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: pyarmor_runtime.pyd.0.dr	Static PE information: section name: .xdata

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\DeltaX.exe	Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d		1_2_66F92240
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d		1_2_66F91E90

Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32\pywintypes38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32\pythoncom38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\pyarmor_runtime_000000\pyarmor_runtime.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73442\python38.dll	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\DeltaX.exe	Code function: memset,wsprintfA,CreateFileA,memset,DeviceIoControl,CloseHandle,isxdigit,isxdigit,isxdigit,isprint,memcpy,CloseHandle,strlen,memcpy, \\.\PhysicalDrive%d		1_2_66F92240
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: _snprintf,_snprintf,CreateFileA,CreateFileA,GlobalAlloc,DeviceIoControl,GlobalFree,_snprintf,CreateFileA,GlobalAlloc,GlobalAlloc,GlobalAlloc,DeviceIoControl,GlobalFree,GlobalFree,GlobalFree,CloseHandle,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CloseHandle, \\.\PhysicalDrive%d		1_2_66F91E90

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 0_2_00007FF654CA4410 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF654CA4410

Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32\pywintypes38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32\pythoncom38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\pyarmor_runtime_000000\pyarmor_runtime.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\DeltaX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73442\_lzma.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\DeltaX.exe

API coverage: 3.5 %

Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CA85E0 FindFirstFileExW,FindClose,		0_2_00007FF654CA85E0
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CA85E0 FindFirstFileExW,FindClose,		1_2_00007FF654CA85E0

Source: DeltaX.exe, 00000000.00000003.1710151642.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, cacert.pem.0.dr	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: DeltaX.exe, 00000001.00000003.1754788522.000001A78F688000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759212930.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757264882.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758628205.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755486890.000001A78F68C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756530762.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWv
Source: DeltaX.exe, 00000001.00000003.1755228217.000001A78D4C3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760647399.000001A78D4D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756236255.000001A78D4D3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755328581.000001A78D4D2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759285894.000001A78D4D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cacert.pem.0.dr	Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd

Source: C:\Users\user\Desktop\DeltaX.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 1_2_66F82C80 PyEval_GetGlobals,PyFunction_NewWithQualName,_PyObject_CallFunction_SizeT,_Py_Dealloc,PyExc_RuntimeError,PyErr_Format,GetProcAddress,strlen,IsDebuggerPresent,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,PyExc_RuntimeError,PyErr_Format,PyExc_RuntimeError,PyErr_Format,PyExc_RuntimeError,PyErr_Format,PyExc_SystemExit,PyExc_SystemExit,PyExc_SystemExit,_errno,_errno,_errno,PyExc_SystemExit,_errno,_errno,_Py_Dealloc,_Py_Dealloc,

1_2_66F82C80

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 0_2_00007FF654CA15E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF654CA15E0

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 1_2_66F945C0 GetComputerNameA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersAddresses,HeapFree,strlen,GetProcessHeap,HeapFree,malloc,GetAdaptersAddresses,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersAddresses,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersAddresses,RegOpenKeyExA,RegEnumKeyExA,RegEnumKeyExA,RegGetValueA,strlen,memcmp,RegGetValueA,RegCloseKey,

1_2_66F945C0

Source: C:\Users\user\Desktop\DeltaX.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 0_2_00007FF654CA1154 Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,	0_2_00007FF654CA1154
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_66FFF770 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	1_2_66FFF770
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FF654CA1154 Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,exit,_cexit,	1_2_00007FF654CA1154
Source: C:\Users\user\Desktop\DeltaX.exe	Code function: 1_2_00007FFDFB134FDE __scrt_fastfail,IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFDFB134FDE

Source: C:\Users\user\Desktop\DeltaX.exe

Process created: C:\Users\user\Desktop\DeltaX.exe "C:\Users\user\Desktop\DeltaX.exe"

Jump to behavior

Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32\pywintypes38.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\kyojenit VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp4i57dvwl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32\pythoncom38.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\win32api.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pyarmor_runtime_000000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pyarmor_runtime_000000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pyarmor_runtime_000000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pyarmor_runtime_000000\pyarmor_runtime.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md.cp38-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md__mypyc.cp38-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\certifi\cacert.pem VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp4i57dvwl VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp4i57dvwl\gen_py\__init__.py VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp4i57dvwl\gen_py\dicts.dat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73442\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\Desktop\DeltaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DeltaX.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\tmp4i57dvwl VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DeltaX.exe

Code function: 1_2_66FFF690 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_66FFF690

Source: C:\Users\user\Desktop\DeltaX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Bootkit	11 Process Injection	11 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Bootkit	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DeltaX.exe	8%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI73442\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\_elementtree.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\_win32sysloader.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md.cp38-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md__mypyc.cp38-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\mfc140u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\python38.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32\pythoncom38.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32\pywintypes38.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\win32api.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\win32trace.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73442\win32ui.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://repository.swisssign.com/V	0%	Avira URL Cloud	safe
http://repository.swisssign.com/i	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
brave.com	54.230.112.122	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com/	DeltaX.exe, 00000001.00000003.1755530803.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756836999.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758569140.000001A78FB38000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	DeltaX.exe, 00000001.00000002.1765663765.000001A78FEC1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1714163997.000001A78D4EC000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713551488.000001A78D4D9000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713925480.000001A78D490000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713779399.000001A78D4EC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764740250.000001A78FA8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/giampaolo/psutil/issues/875.	DeltaX.exe, 00000001.00000003.1759365816.000001A79003B000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758943333.000001A790022000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766904404.000001A790450000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758261157.000001A790011000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755781066.000001A790009000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754428082.000001A78FFF1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766417726.000001A790042000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756731502.000001A79000F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760874035.000001A79003E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.../back.jpeg	DeltaX.exe, 00000001.00000002.1766522050.000001A7902D0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.python.org/	DeltaX.exe, 00000001.00000002.1765663765.000001A78FEC1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1714163997.000001A78D4EC000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713551488.000001A78D4D9000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713925480.000001A78D490000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713779399.000001A78D4EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/mhammond/pywin32	DeltaX.exe, DeltaX.exe, 00000001.00000002.1775167367.00007FFE11522000.00000002.00000001.01000000.00000008.sdmp, DeltaX.exe, 00000001.00000002.1774604729.00007FFE0EC61000.00000002.00000001.01000000.0000000D.sdmp, DeltaX.exe, 00000001.00000002.1774049119.00007FFE01494000.00000002.00000001.01000000.0000000C.sdmp, win32api.pyd.0.dr, pythoncom38.dll.0.dr, win32trace.pyd.0.dr, win32ui.pyd.0.dr	false		high
https://httpbin.org/post	DeltaX.exe, 00000001.00000002.1764490843.000001A78FA10000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Ousret/charset_normalizer	DeltaX.exe, 00000001.00000003.1756253162.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756412026.000001A78FBB1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	DeltaX.exe, 00000001.00000003.1757745656.000001A78FF95000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761207999.000001A78FFA5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758010409.000001A78FF98000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766194456.000001A78FFB3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757503305.000001A78FF94000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757152144.000001A78FFAE000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766158101.000001A78FFA8000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	DeltaX.exe, 00000001.00000003.1711483457.000001A78D5D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761169246.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755306092.000001A78F5E2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712793757.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712923053.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756591004.000001A78D47D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759497477.000001A78D47E000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1714403326.000001A78D5D1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1763368434.000001A78F5E3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762500518.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712623533.000001A78D485000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1711569935.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755393075.000001A78D457000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712037466.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712202345.000001A78D485000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756187553.000001A78F5E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	DeltaX.exe, 00000001.00000002.1765504074.000001A78FDA0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	DeltaX.exe, 00000001.00000003.1756095628.000001A78FA59000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756046392.000001A78FA3C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759655073.000001A78FA5D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760073324.000001A78FA60000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.python.org/download/releases/2.3/mro/.	DeltaX.exe, 00000001.00000002.1763197818.000001A78F550000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713254959.000001A78D4D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1713095449.000001A78D4D5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/giK?t	DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758943333.000001A790022000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758261157.000001A790011000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755781066.000001A790009000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754428082.000001A78FFF1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766398569.000001A790032000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756731502.000001A79000F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759615246.000001A790032000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	DeltaX.exe, 00000001.00000003.1755228217.000001A78D4C3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756253162.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758716572.000001A78FBB0000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757291539.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760804885.000001A78D4C7000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762658774.000001A78D4CC000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756803320.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	DeltaX.exe, 00000001.00000003.1756095628.000001A78FA59000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756046392.000001A78FA3C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759655073.000001A78FA5D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760073324.000001A78FA60000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl.	DeltaX.exe, 00000001.00000002.1766904404.000001A790450000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	DeltaX.exe, 00000001.00000003.1758419753.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765003307.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756253162.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crlts	DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764740250.000001A78FA8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	DeltaX.exe, 00000001.00000003.1756095628.000001A78FA59000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756046392.000001A78FA3C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758890361.000001A78FA79000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps=	DeltaX.exe, 00000001.00000002.1765816879.000001A78FF09000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758192126.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761105478.000001A78FF05000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	false		high
https://html.spec.whatwg.org/multipage/	DeltaX.exe, 00000001.00000003.1758419753.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765003307.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756253162.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FB7A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	DeltaX.exe, 00000001.00000003.1755270685.000001A78FEC3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758150457.000001A78FEC8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757391154.000001A78FF48000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF50000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757455382.000001A78FF4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	DeltaX.exe, 00000001.00000002.1765339924.000001A78FC90000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765993745.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	DeltaX.exe, 00000001.00000003.1760647399.000001A78D4E5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755228217.000001A78D4C3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755328581.000001A78D4D2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759446724.000001A78D4E3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755907138.000001A78D4D9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/i	DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757337027.000001A78FF1D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757679214.000001A78FF20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	DeltaX.exe, 00000001.00000002.1764370950.000001A78F940000.00000004.00001000.00020000.00000000.sdmp	false		high
https://brave.com/api/webhooks/123	DeltaX.exe, 00000001.00000002.1766976010.000001A7904F0000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764224078.000001A78F860000.00000004.00001000.00020000.00000000.sdmp	false		high
https://requests.readthedocs.io	DeltaX.exe, 00000001.00000002.1766602794.000001A790350000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764490843.000001A78FA10000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crlpF	DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764740250.000001A78FA8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	DeltaX.exe, 00000001.00000003.1757814022.000001A78FF64000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760550087.000001A78FF8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF74000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757405857.000001A78FF5A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF5B000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757859158.000001A78FF85000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	DeltaX.exe, 00000001.00000002.1766522050.000001A7902D0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.python.org/dev/peps/pep-0205/	DeltaX.exe, 00000000.00000003.1709738620.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764130223.000001A78F7D0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://brave.com/api/webhooks/123p%Q	DeltaX.exe, 00000001.00000002.1766976010.000001A7904F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/V	DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757337027.000001A78FF1D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757679214.000001A78FF20000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/	DeltaX.exe, 00000001.00000003.1755270685.000001A78FEC3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754966477.000001A78FBD8000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765197838.000001A78FBD9000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760439389.000001A78FBD9000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754518855.000001A78FBCB000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757337027.000001A78FF1D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758150457.000001A78FEC8000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757679214.000001A78FF20000.00000004.00000020.00020000.00000000.sdmp	false		high
http://json.org	DeltaX.exe, 00000001.00000003.1759120907.000001A78F607000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	DeltaX.exe, 00000001.00000002.1765370865.000001A78FCD0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	DeltaX.exe, 00000001.00000003.1711483457.000001A78D5D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762949765.000001A78F1D0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://python.org/dev/peps/pep-0263/	python38.dll.0.dr	false		high
https://httpbin.org/get	DeltaX.exe, 00000001.00000002.1765536273.000001A78FDE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl	DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764740250.000001A78FA8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/n	DeltaX.exe, 00000001.00000003.1754788522.000001A78F688000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759212930.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757264882.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758628205.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755486890.000001A78F68C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756530762.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org	DeltaX.exe, 00000001.00000002.1764490843.000001A78FA10000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm0U	DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765993745.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760550087.000001A78FF8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF74000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757859158.000001A78FF85000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es0	DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765993745.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.thawte.com0	DeltaX.exe, 00000000.00000003.1708141296.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698583518.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700506254.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699773414.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698843890.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1706429326.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705910155.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698369792.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698206159.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698686581.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1697794468.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1705738829.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1699057229.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1707918613.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000000.00000003.1698935972.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	DeltaX.exe, 00000001.00000003.1711483457.000001A78D5D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761169246.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755306092.000001A78F5E2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712793757.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712923053.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756591004.000001A78D47D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759497477.000001A78D47E000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1714403326.000001A78D5D1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1763368434.000001A78F5E3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762500518.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712623533.000001A78D485000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1711569935.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755393075.000001A78D457000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712037466.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712202345.000001A78D485000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756187553.000001A78F5E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	DeltaX.exe, 00000001.00000002.1766861189.000001A790410000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	DeltaX.exe, 00000001.00000003.1754836900.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF74000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757859158.000001A78FF85000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757944935.000001A78FF8F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com/	DeltaX.exe, 00000001.00000003.1755530803.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756253162.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756836999.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758716572.000001A78FBB0000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757291539.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758569140.000001A78FB38000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759159899.000001A78FB3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756803320.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/questions/4457745#4457745.	DeltaX.exe, 00000001.00000003.1759365816.000001A79003B000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758943333.000001A790022000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766904404.000001A790450000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758261157.000001A790011000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755781066.000001A790009000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754428082.000001A78FFF1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766417726.000001A790042000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756731502.000001A79000F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760874035.000001A79003E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	DeltaX.exe, 00000001.00000002.1765816879.000001A78FF09000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758192126.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF00000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761105478.000001A78FF05000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758818088.000001A78FA90000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756836999.000001A78FA8F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764756491.000001A78FA90000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	DeltaX.exe, 00000001.00000003.1711483457.000001A78D5D5000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1761169246.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755306092.000001A78F5E2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712793757.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712923053.000001A78D46D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756591004.000001A78D47D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759497477.000001A78D47E000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1714403326.000001A78D5D1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762500518.000001A78D47F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712623533.000001A78D485000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1711569935.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755393075.000001A78D457000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712037466.000001A78D486000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1712202345.000001A78D485000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlEc	DeltaX.exe, 00000001.00000003.1757814022.000001A78FF64000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757405857.000001A78FF5A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF5B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/	DeltaX.exe, 00000001.00000003.1756803320.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail/	DeltaX.exe, 00000001.00000003.1757831705.000001A78F629000.00000004.00000020.00020000.00000000.sdmp	false		high
http://google.com/mail/	DeltaX.exe, 00000001.00000003.1761417012.000001A78FB32000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755530803.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764904259.000001A78FB33000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756836999.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758818088.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FB20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/32902	DeltaX.exe, 00000001.00000002.1765471329.000001A78FD60000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	DeltaX.exe, 00000001.00000003.1755530803.000001A78FA82000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755928909.000001A78FA86000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1764740250.000001A78FA8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754836900.000001A78FA3A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	DeltaX.exe, 00000001.00000003.1757728184.000001A78FBCB000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758786155.000001A78FBD4000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759429791.000001A78FBD6000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754518855.000001A78FBCB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/3290	DeltaX.exe, 00000001.00000002.1765471329.000001A78FD60000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765993745.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	DeltaX.exe, 00000001.00000003.1755306092.000001A78F5E2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755372402.000001A78F5E6000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758700404.000001A78F5FA000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759120907.000001A78F5FD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	DeltaX.exe, 00000001.00000002.1765536273.000001A78FDE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/gabjohn3/nb/main/12kav.json	DeltaX.exe, 00000001.00000002.1764224078.000001A78F860000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757337027.000001A78FF1D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.openssl.org/H	DeltaX.exe, 00000000.00000003.1700661501.000001A974FA1000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmp, DeltaX.exe, 00000001.00000002.1772648557.00007FFE013E8000.00000002.00000001.01000000.00000013.sdmp	false		high
http://crl.certigna.fr/certignarootca.crl01	DeltaX.exe, 00000001.00000003.1757814022.000001A78FF64000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760550087.000001A78FF8C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF74000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757405857.000001A78FF5A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF5B000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757859158.000001A78FF85000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crldX	DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757391154.000001A78FF48000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF50000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757455382.000001A78FF4F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	DeltaX.exe, 00000001.00000003.1754788522.000001A78F688000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759212930.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757264882.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758628205.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757540201.000001A78FF74000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755486890.000001A78F68C000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756530762.000001A78F68D000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1766070477.000001A78FF75000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757120471.000001A78FF6D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	DeltaX.exe, 00000001.00000003.1755228217.000001A78D4C3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756253162.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758716572.000001A78FBB0000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757291539.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1760804885.000001A78D4C7000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1762658774.000001A78D4CC000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755628529.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754698786.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756803320.000001A78FBAF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	DeltaX.exe, 00000001.00000002.1765471329.000001A78FD60000.00000004.00001000.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765504074.000001A78FDA0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://brave.com/api/webhooks/123te	DeltaX.exe, 00000001.00000002.1764224078.000001A78F860000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	DeltaX.exe, 00000001.00000003.1757078401.000001A78FF3F000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757217863.000001A78FF52000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755306092.000001A78F5E2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1756969636.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754237730.000001A78FF1A000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755372402.000001A78F5E6000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757896569.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000002.1765993745.000001A78FF55000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1758700404.000001A78F5FA000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759120907.000001A78F5FD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	DeltaX.exe, 00000001.00000003.1756187553.000001A78F5E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urlliby	DeltaX.exe, 00000001.00000003.1755871525.000001A78F607000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755158982.000001A78F607000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1757831705.000001A78F629000.00000004.00000020.00020000.00000000.sdmp	false		high
https://brave.com/api/webhooks/1230)Q	DeltaX.exe, 00000001.00000002.1766976010.000001A7904F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	DeltaX.exe, 00000001.00000002.1764370950.000001A78F940000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	DeltaX.exe, 00000001.00000003.1755228217.000001A78D4C3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1754989910.000001A78D434000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759598297.000001A78D4E6000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755328581.000001A78D4D2000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1759446724.000001A78D4E3000.00000004.00000020.00020000.00000000.sdmp, DeltaX.exe, 00000001.00000003.1755907138.000001A78D4D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/psf/requests/pull/6710	DeltaX.exe, 00000001.00000002.1766602794.000001A790350000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.230.112.122	brave.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578142
Start date and time:	2024-12-19 10:24:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DeltaX.exe
Detection:	MAL
Classification:	mal56.winEXE@3/34@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 76% Number of executed functions: 54 Number of non-executed functions: 202
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.230.112.122	http://propdfhub.com	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
brave.com	zapret.exe	Get hash	malicious	Unknown	Browse	18.66.161.26
	https://t.co/dTm4CudfP0	Get hash	malicious	Unknown	Browse	18.173.233.74
	https://t.co/dTm4CudfP0	Get hash	malicious	Unknown	Browse	18.173.233.30

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	CROC000400 .pdf	Get hash	malicious	Unknown	Browse	108.158.75.106
	arm7.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	35.167.216.68
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	35.156.171.87
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.163.158.110
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	3.248.220.130
	https://ipfs.io/ipfs/bafybeih7f27bkklyai5zhnf5s57wuee5khsdrrblepmiz5bozrxxoam2lq/index12.html#pdeneve@vanas.eu	Get hash	malicious	HTMLPhisher	Browse	13.227.8.47
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	13.232.112.86
	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	108.139.47.108
	Aqua.mpsl.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	Rapporteer inbreuk op auteursrechten.lnk.d.lnk	Get hash	malicious	Unknown	Browse	3.125.102.39

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI73442\VCRUNTIME140.dll	zapret.exe	Get hash	malicious	Unknown	Browse
	uFVgJVXaEU.exe	Get hash	malicious	RedLine	Browse
	m5804Te9Uw.exe	Get hash	malicious	RedLine	Browse
	zapret.exe	Get hash	malicious	Unknown	Browse
	3Qv3xyyL5G.exe	Get hash	malicious	RedLine	Browse
	K6qneGSDSB.exe	Get hash	malicious	Babadeda, RedLine	Browse
	oKfMLwqaRZ.exe	Get hash	malicious	Unknown	Browse
	mggoBrtk9t.exe	Get hash	malicious	Amadey, RedLine	Browse
	yINR7uQlPr.exe	Get hash	malicious	Amadey, RedLine	Browse
	file.exe	Get hash	malicious	RedLine	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI73442\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	89752
Entropy (8bit):	6.5021374229557996
Encrypted:	false
SSDEEP:	1536:EFmmAQ77IPzHql9a2k+2v866Xc/0i+N1WtYil42TZiCvecbtjawN+o/J:EQmI+NnXertP42xvecbtjd+ox
MD5:	0E675D4A7A5B7CCD69013386793F68EB
SHA1:	6E5821DDD8FEA6681BDA4448816F39984A33596B
SHA-256:	BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
SHA-512:	CAE69A90F92936FEBDE67DACD6CE77647CB3B3ED82BB66463CD9047E90723F633AA2FC365489DE09FECDC510BE15808C183B12E6236B0893AF19633F6A670E66
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: zapret.exe, Detection: malicious, Browse Filename: uFVgJVXaEU.exe, Detection: malicious, Browse Filename: m5804Te9Uw.exe, Detection: malicious, Browse Filename: zapret.exe, Detection: malicious, Browse Filename: 3Qv3xyyL5G.exe, Detection: malicious, Browse Filename: K6qneGSDSB.exe, Detection: malicious, Browse Filename: oKfMLwqaRZ.exe, Detection: malicious, Browse Filename: mggoBrtk9t.exe, Detection: malicious, Browse Filename: yINR7uQlPr.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x.D.x.D.x.D..AD.x.D..=D.x.D.x.D.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx.QD.x.Dx..E.x.DRich.x.D........PE..d....}.Y.........." .........T...............................................`.......Y....`A........................................p...4............@.......0..(.... ...>...P..p.......8...........................@................................................text...$........................... ..`.rdata...6.......8..................@..@.data...0.... ......................@....pdata..(....0......................@..@.rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.702924040492291
Encrypted:	false
SSDEEP:	768:qzzO6ujT3MbR3v0Cz6SKLq83yN+iRxw9zv6JmEpw9zF:3q/o1j3c+iIzv6JmEp4zF
MD5:	05052BE2C36166FF9646D7D00BB7413F
SHA1:	D8D7C4B322D76E3A7B591024C62F15934979FE40
SHA-256:	26E470B29BED3D873E0C328186E53F95E9EDBFE0B0FD0CDA44743A0B1A04A828
SHA-512:	0460CC66D06DF9A2941607473F3ECCFD909F2ADAB53A3328FADCEDD1B194B388ECA738C2C6C2E193DE33606925FBED1FE39EFA160015128E93F5E3A03C62170D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\..\..\...]..\...]..\..O\..\..\...\...]..\...]..\...]..\...]..\..#\..\...]..\Rich..\........PE..d...=............." ...*.<...8.......@..............................................U0....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84040
Entropy (8bit):	6.41469022264903
Encrypted:	false
SSDEEP:	1536:SSpo7/9ZwseNsUQJ8rbXis0WwOpcAE+8aoBnuRtApxbBVZIG4VJyI:SSW7lZws+bLwOpvEZa+uRWVVZIG4VF
MD5:	3DC8AF67E6EE06AF9EEC52FE985A7633
SHA1:	1451B8C598348A0C0E50AFC0EC91513C46FE3AF6
SHA-256:	C55821F5FDB0064C796B2C0B03B51971F073140BC210CBE6ED90387DB2BED929
SHA-512:	DA16BFBC66C8ABC078278D4D3CE1595A54C9EF43AE8837CEB35AE2F4757B930FE55E258827036EBA8218315C10AF5928E30CB22C60FF69159C8FE76327280087
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H.1.).b.).b.).b.Qib.).b.A.c.).bM.=b.).b.A.c.).b.A.c.).b.A.c.).bD@.c.).b.O.c.).b.).b.).bD@.c.).bD@.c.).bD@.b.).bD@.c.).bRich.).b................PE..d.....].........." .........f......t........................................p.......a....`.............................................H............P.......@..(.......H....`......p...T...............................................8............................text...>........................... ..`.rdata..~A.......B..................@..@.data........0......................@....pdata..(....@......................@..@.rsrc........P....... ..............@..@.reloc.......`.......,..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123464
Entropy (8bit):	5.886703955852103
Encrypted:	false
SSDEEP:	3072:qpG85kJGmH3c+5M333KvUPzeENGLf3Tz4ccUZw1IGVPE:qDSGT+5+KMPzyLf3TEcKu
MD5:	F1E33A8F6F91C2ED93DC5049DD50D7B8
SHA1:	23C583DC98AA3F6B8B108DB5D90E65D3DD72E9B4
SHA-256:	9459D246DF7A3C638776305CF3683946BA8DB26A7DE90DF8B60E1BE0B27E53C4
SHA-512:	229896DA389D78CBDF2168753ED7FCC72D8E0E62C6607A3766D6D47842C0ABD519AC4F5D46607B15E7BA785280F9D27B482954E931645337A152B8A54467C6A5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..4..4..4..L@..4..\..4..\..4..\..4..\..4..]..4..R..4..R..4..]..4..4.i4..]..4..]..4..],..4..]..4.Rich.4.........PE..d.....].........." .................]....................................................`..........................................`......$a..........................H...........0...T...............................................`............................text............................... ..`.rdata..0l.......n..................@..@.data....>.......:...l..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\_elementtree.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176712
Entropy (8bit):	6.328697645521823
Encrypted:	false
SSDEEP:	3072:6ELu4rq1inmE50HKwCty09ZVz1pGFEH0HCo65Obfh69K+2WhJKP6mrxhM2buspI6:Vu/iCqdty09ZLpGmH4CSr0c+2WhJKP6+
MD5:	5240ABC89BB0822B4F1D830883A17578
SHA1:	1B4412454E35AC9AF9E1E13CF3A441F35E5C7A69
SHA-256:	DEC95E6D7AC0F15DAAC635F1ADDA13B4289BBE7175BA0B14494DC983601F0590
SHA-512:	215B1E807253826C17E9744F46D539C6ED0E0A5FA12FFA654603CEEB6252C64CEA6C931404203364575DE709FD2D964D0EE719F1CC881BD98C5B495885E63D29
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.IA.z.A.z.A.z.Hm..M.z..}{.C.z..}..J.z..}~.I.z..}y.C.z..\|{.C.z.$s{.B.z.A.{...z..\|w.E.z..\|z.@.z..\|..@.z..\|x.@.z.RichA.z.................PE..d.....].........." ................X~..............................................1.....`.........................................0V..X....V..................0.......H.......X...`...T...............................................8............................text...C........................... ..`.rdata...z.......\|..................@..@.data........p.......^..............@....pdata..0............p..............@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45640
Entropy (8bit):	5.996546047346997
Encrypted:	false
SSDEEP:	768:8skeCps0iszzPFrGE/CBAdIPGV03ju774xxIGsIx7WDG4yw:81eCpLzDBZ+AdIPmYju7OxIGsIxWyw
MD5:	A6448BC5E5DA21A222DE164823ADD45C
SHA1:	6C26EB949D7EB97D19E42559B2E3713D7629F2F9
SHA-256:	3692FC8E70E6E29910032240080FC8109248CE9A996F0A70D69ACF1542FCA69A
SHA-512:	A3833C7E1CF0E4D181AC4DE95C5DFA685CF528DC39010BF0AC82864953106213ECCFF70785021CCB05395B5CF0DCB89404394327CD7E69F820D14DFA6FBA8CBA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2..&v.uv.uv.u...ur.u$..tt.u$..t}.u$..t~.u$..tt.u...tt.u.ts.uv.u..u.tw.u.tw.u.iuw.u.tw.uRichv.u................PE..d.....].........." .....@...Z......X2...............................................7....`..........................................u..P...@v..........................H............X..T...........................`X...............P...............................text....?.......@.................. ..`.rdata..p3...P...4...D..............@..@.data...h............x..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	252488
Entropy (8bit):	6.080982550390949
Encrypted:	false
SSDEEP:	6144:bkHDwqjhhwYbOqQNEkT/4OQhJwAbHoqLNvka/gOFhUw6b4qCNxkV/3OdhAWwPbGE:bd7/IbtSKOt
MD5:	37057C92F50391D0751F2C1D7AD25B02
SHA1:	A43C6835B11621663FA251DA421BE58D143D2AFB
SHA-256:	9442DC46829485670A6AC0C02EF83C54B401F1570D1D5D1D85C19C1587487764
SHA-512:	953DC856AD00C3AEC6AEAB3AFA2DEB24211B5B791C184598A2573B444761DB2D4D770B8B807EBBA00EE18725FF83157EC5FA2E3591A7756EB718EBA282491C7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0d..^7..^7..^7..7..^7.._6..^7..[6..^7..Z6..^7..]6..^7Q._6..^7.._6..^7.._7..^7Q.S6..^7Q.^6..^7Q..7..^7Q.\6..^7Rich..^7........PE..d.....].........." .................6..............................................o*....`............................................L.......x.......................H.......$...@...T............................................... ............................text............................... ..`.rdata..............................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..$...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28232
Entropy (8bit):	6.051366978773049
Encrypted:	false
SSDEEP:	384:bp/aC60HGTPk/ltSA/6rCbCnA/cEXEz65D1IGqUrnYPLxDG4y8xxzzI:bH60HGw/b/6rCb9iKD1IGqUrWDG4yCI
MD5:	44B72E0AD8D1E1EC3D8722088B48C3C5
SHA1:	E0F41BF85978DD8F5ABB0112C26322B72C0D7770
SHA-256:	4AA1BBDE1621C49EDAB4376CF9A13C1AA00A9B0A9905D9640A2694EF92F77D5E
SHA-512:	05853F93C6D79D8F9C96519CE4C195B9204DF1255B01329DEAA65E29BD3E988D41454CD305E2199404F587E855737879C330638F2F07BFF11388A49E67BA896C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........k...k...k.......k......k......k......k......k..u....k......k...k..k..u....k..u....k..u.r..k..u....k..Rich.k..................PE..d.....].........." .........8............................................................`..........................................B..L...\B..d....p.......`.......T..H.......l... 3..T............................3...............0..(............................text............................... ..`.rdata.......0......."..............@..@.data........P.......>..............@....pdata.......`.......B..............@..@.rsrc........p.......F..............@..@.reloc..l............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	78920
Entropy (8bit):	6.061178831576516
Encrypted:	false
SSDEEP:	1536:KzMe79sDb+eGm08Vr5lcDAB9/s+7+pkaOz3CkNA9y1IGVwCyMPbi:de79u8/GFmAB9/se+pROz3jN1IGVw+Pm
MD5:	D6BAE4B430F349AB42553DC738699F0E
SHA1:	7E5EFC958E189C117ECCEF39EC16EBF00E7645A9
SHA-256:	587C4F3092B5F3E34F6B1E927ECC7127B3FE2F7FA84E8A3D0C41828583BD5CEF
SHA-512:	A8F8FED5EA88E8177E291B708E44B763D105907E9F8C9E046C4EEBB8684A1778383D1FBA6A5FA863CA37C42FD58ED977E9BB3A6B12C5B8D9AB6EF44DE75E3D1E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........1..._..._..._....._...^.._...Z..._...[..._...\.._.a.^.._...^.._...^.B._.a.R..._.a._..._.a..._.a.]..._.Rich.._.................PE..d.....].........." .....x..........h........................................`.......2....`.............................................P...0........@.......0..........H....P.........T...........................@................................................text....v.......x.................. ..`.rdata...v.......x...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	117832
Entropy (8bit):	6.052642675957794
Encrypted:	false
SSDEEP:	3072:x3xozhUCVgMUGSo5iY0nx2bsxSV3QilzQmxLZIG47HZ:p6zh72PGz0nxrmVG
MD5:	8EE827F2FE931163F078ACDC97107B64
SHA1:	149BB536F3492BC59BD7071A3DA7D1F974860641
SHA-256:	EAEEFA6722C45E486F48A67BA18B4ABB3FF0C29E5B30C23445C29A4D0B1CD3E4
SHA-512:	A6D24E72BF620EF695F08F5FFDE70EF93F42A3FA60F7C76EB0F521393C595717E05CCB7A61AE216C18FE41E95FB238D82637714CF5208EE8F1DD32AE405B5565
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0.u.0.u.0.u.9...6.u.b.t.2.u.b.p.<.u.b.q.8.u.b.v.2.u..t.6.u.U.t.7.u.0.t.C.u..x.2.u..u.1.u...1.u..w.1.u.Rich0.u.........PE..d.....].........." ................................................................K.....`..........................................S..d...4T..........................H...........`...T............................................................................text...Q........................... ..`.rdata.............................@..@.data...P4...........h..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\_win32sysloader.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.115421390329823
Encrypted:	false
SSDEEP:	192:xOCm72PEO1jIUs0YqEcPbF55UgCWV4rofnDPXRD0QpHvcqvn7ycIt/z/:xOardA0Bzx14r6nDZJhv+L/
MD5:	DC2B691495107A597281EECF8FE49258
SHA1:	B07F274B0C8120C8F9DEFC9C9E98CEEF02818FF1
SHA-256:	B155B2F3310E35F2AE40C89726453CBDBA48632A854192D78A9A7B634C310255
SHA-512:	1D12902BDA5645A92D2FABB93365E1A76FB1C30EF5865B17FD7A54A90FAAB61F4B238AF471C30A20080C8DDF06BEC983010FD9E10EFAE0C85BCB5B4A0ABECDF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f...............................................................................................Rich............................PE..d...L..g.........." ......................................................................`..........................................;..`...p;..d....p..l....`..................@...\|2..T............................2..8............0..p............................text............................... ..`.rdata..4....0......................@..@.data........P......................@....pdata.......`.......0..............@..@.rsrc...l....p.......4..............@..@.reloc..@............8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1028082
Entropy (8bit):	5.501427098501224
Encrypted:	false
SSDEEP:	24576:fhidpNtosQNRs54PK4IMoVw59bfCEzXxTLEo0zR32w:fhidpNtosQNRs54PK4IM9pTLp0hH
MD5:	E16F9002B63FE3700891D9C164F971F0
SHA1:	FB683ACE0A9E17ED8A4C75B9FF21D98A9931DFA1
SHA-256:	258EFFCB73CFEB1DD3764DA30B0A3D2D15102720FF45FD653025143A746F63AA
SHA-512:	630418BA29A61C366A02E9DF835671CCCC933D83D760A745B54D6F1CFF187DFF600E1BF6AB3EC84D08F179582F68218153653A0338EF6F03E0FF6C92C783F100
Malicious:	false
Preview:	PK..........!...7............._bootlocale.pycU....................................@....z...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.\|...\|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...\|.r.t...t.j.j.r.d.S.t...t.j...}.\|.s2t.j.d.k.r2d.}.\|.S.).Nr......darwin....A

C:\Users\user\AppData\Local\Temp\_MEI73442\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md.cp38-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.82244276484902
Encrypted:	false
SSDEEP:	96:G03K74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGktCFVCVAZ0fcX6g8H4a81:SFCk2z1/t12iwU5usJFICC4cqgg
MD5:	19286C0938EE5B29D916B4035E539200
SHA1:	FA74A9047A3DFCFE3F4F305B8D61267FB16B0650
SHA-256:	CBCB25410A11775DF37DCF4809B6EC5D6F3AA1E997C8AC8CD3FAA2C155121693
SHA-512:	3B849F2D727FA902E92DBBD8D93254CF3D7E7410269E45334D935C7D3B7FD1480A658066F2550DA26AAC5D978D16E0B12BF39DC4FC7C10E4C3C169BD5963124F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...B...B...K.X.@...R...@.......@...R...A...R...J...R...I......A...B...d.......C.......C.....4.C.......C...RichB...........PE..d....".g.........." ...).....................................................p............`..........................................'..l...\(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md__mypyc.cp38-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120832
Entropy (8bit):	5.898330437655099
Encrypted:	false
SSDEEP:	3072:Wd/i8g30pUQTpLwNo80GYVqr5wfgB2e/amZB:WVoMrgoe/PZB
MD5:	D702A14B17BCD02C9AD1CE8137D925AA
SHA1:	7A26ED8CCC3EBA1F97DA7CCADA58B043945B7575
SHA-256:	98C04FDC308F1D6388BB129F0101F88EBB020AEB8116F280129E19CDCB832D8D
SHA-512:	02515C6128B2A7909D0B2E43B0D253E331BDBAEB3DF786C9692612703C7E9FD0F7B6CB8E13954F63A0DF6B671D83DD6C021C7F68C965E336A74BDF7057986E00
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......rQy.60..60..60..?H..>0..&...40..}H..40..&...50..&...>0..&...;0...D..50..60...0..~...70..~...70..~...70..~...70..Rich60..........PE..d....".g.........." ...).0...........3....................................... ............`.............................................`.......................@...................@y...............................x..@............@...............................text..../.......0.................. ..`.rdata..0Y...@...Z...4..............@..@.data....=.......0..................@....pdata..@...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3381792
Entropy (8bit):	6.094908167946797
Encrypted:	false
SSDEEP:	49152:Y4TKuk29SIU6i5fOjPWl+0rOh5PKToEGG9I+q4dNQbZQm9aGupuu9LoeiyPaRb84:YiV+CGQ4dtBMeiJRb8+1CPwDv3uFZjN
MD5:	BF83F8AD60CB9DB462CE62C73208A30D
SHA1:	F1BC7DBC1E5B00426A51878719196D78981674C4
SHA-256:	012866B68F458EC204B9BCE067AF8F4A488860774E7E17973C49E583B52B828D
SHA-512:	AE1BDDA1C174DDF4205AB19A25737FE523DCA6A9A339030CD8A95674C243D0011121067C007BE56DEF4EAEFFC40CBDADFDCBD1E61DF3404D6A3921D196DCD81E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3...3...3...K...3..[...3..[...3..[...3..[...3..U...3...3..{3..qZ...3..qZ..1..qZ...3..qZf..3..qZ...3..Rich.3..................PE..d....k.].........." ......$..........r....................................... 4.......4...`..............................................f...Z3.@.....3.\|.....1.......3. .....3..O..P-,.8............................-,..............P3..............................text...g.$.......$................. ..`.rdata.......0$.......$.............@..@.data...Ax....1..*....0.............@....pdata........1.......1.............@..@.idata...#...P3..$....2.............@..@.00cfg........3.......2.............@..@.rsrc...\|.....3.......2.............@..@.reloc...x....3..z....3.............@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\libffi-7.dll

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32792
Entropy (8bit):	6.372276555451265
Encrypted:	false
SSDEEP:	384:JYnlpDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYPoBhT/A4:JYe0Vn5Q28J8qsqMttktuTSTWDG4yhRe
MD5:	4424BAF6ED5340DF85482FA82B857B03
SHA1:	181B641BF21C810A486F855864CD4B8967C24C44
SHA-256:	8C1F7F64579D01FEDFDE07E0906B1F8E607C34D5E6424C87ABE431A2322EBA79
SHA-512:	8ADB94893ADA555DE2E82F006AB4D571FAD8A1B16AC19CA4D2EFC1065677F25D2DE5C981473FABD0398F6328C1BE1EBD4D36668EA67F8A5D25060F1980EE7E33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3..{]A.{]A.{]A...A.{]A..\@.{]A..\@.{]A.{\A.{]A..X@.{]A..Y@.{]A..^@.{]A..Y@.{]A..^@.{]A..]@.{]A.._@.{]ARich.{]A........................PE..d.....\.........." .....F...$.......I...................................................`..........................................j.......m..P....................f...............b...............................b...............`.. ............................text....D.......F.................. ..`.rdata..H....`.......J..............@..@.data................^..............@....pdata...............`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	686112
Entropy (8bit):	5.528877787845415
Encrypted:	false
SSDEEP:	12288:3L6MSpHovlo4qL7a3ZV9CblMOoAXToRtrBZf3Fb85BO9K9pB3TLPDdOU2lvz8:wIAL7a3heSFZf2Pq63HJOU2lvz
MD5:	FE1F3632AF98E7B7A2799E3973BA03CF
SHA1:	353C7382E2DE3CCDD2A4911E9E158E7C78648496
SHA-256:	1CE7BA99E817C1C2D71BC88A1BDD6FCAD82AA5C3E519B91EBD56C96F22E3543B
SHA-512:	A0123DFE324D3EBF68A44AFAFCA7C6F33D918716F29B063C72C4A8BD2006B81FAEA6848F4F2423778D57296D7BF4F99A3638FC87B37520F0DCBEEFA3A2343DE0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8<..YRT.YRT.YRT.!.T.YRT.1SU.YRT.?SU.YRT.1WU.YRT.1VU.YRT.1QU.YRTf0SU.YRT.YST.XRTf0VU.YRTf0RU.YRTf0.T.YRTf0PU.YRTRich.YRT................PE..d....k.].........." ..... ...D.......$...............................................2....`..............................................N...%..........s........K...^.. .......D.......8........................... ................................................text...7........ .................. ..`.rdata...#...0...$...$..............@..@.data...1M...`...D...H..............@....pdata...S.......T..................@..@.idata..rV.......X..................@..@.00cfg.......p.......8..............@..@.rsrc...s............:..............@..@.reloc..!............B..............@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\mfc140u.dll

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5653536
Entropy (8bit):	6.729079283804055
Encrypted:	false
SSDEEP:	49152:ULnsrdZXUTQyJa9qgUUjlQNXkW8GCBTDgHsYogTYn3s3pQMqSj+vTCfEs7ATWYls:UoJUEUYS3zUQFLOAkGkzdnEVomFHKnP+
MD5:	CD1D99DF975EE5395174DF834E82B256
SHA1:	F395ADA2EFC6433B34D5FBC5948CB47C7073FA43
SHA-256:	D8CA1DEA862085F0204680230D29BFF4D168FFF675AB4700EEAF63704D995CB3
SHA-512:	397F725E79CA2C68799CF68DFB111A1570427F3D2175D740758C387BDAA508BC9014613E997B92FC96E884F66BB17F453F8AA035731AFD022D9A4E7095616F87
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.cu...&...&...&...'...&...'...&...'...&..&...&G..'...&G..'...&...'...&...&..&G..'...&G..'...&G..'...&G..'...&G..&...&G..'...&Rich...&................PE..d...9.:e.........." .....(-..X)......X,.......................................V.....&~V...`A..........................................:.....h.;.......?......`=..8....V. (...PU.0p..P.5.T...........................`...8............@-.P...(.:......................text....&-......(-................. ..`.rdata.......@-......,-.............@..@.data....6... <.......<.............@....pdata...8...`=..:....<.............@..@.didat..H.....?.......?.............@....rsrc.........?.......?.............@..@.reloc..0p...PU..r....T.............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\pyarmor_runtime_000000\pyarmor_runtime.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	630272
Entropy (8bit):	6.201282595671309
Encrypted:	false
SSDEEP:	12288:cs1ibNzQ0d7ctjdcg7fUoPpj50XnEYzk:ratctjdcg7fUoPpj50XnJ
MD5:	AFBFE5728BB94436F36057F201493974
SHA1:	DDC6E2B3AD0CC9DA77BD7DCE6D29CCC78294D63D
SHA-256:	583F588DFB2940C63F75CF4B358B1FAE1B69391BD90A77EF71B59E96E6087042
SHA-512:	57E1FD6192802D02710E473CCFBD88D166785092DBFF3C14FABAEA6646683E1884017B8E551ACE4E2EAA901B8707F9192619E773C181DEC747E96841FE3D254C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".............h..0..........f.....................................z........ .........................................].... ..03...........@...$..........................................@...(...................(+...............................text...............................`.P`.data....F... ...H..................@.`..rdata.......p.......P..............@.`@.pdata...$...@...$..................@.0@.xdata...&...p...(...8..............@.0@.bss.....f............................`..edata..]............`..............@.0@.idata..03... ...4...b..............@.0..CRT....X....`......................@.@..tls.........p......................@.@..reloc..............................@.0B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	189512
Entropy (8bit):	6.306301919858534
Encrypted:	false
SSDEEP:	3072:X/QzNxXNH/aml0Ocp9V69g7eoipCRF0W4XOoKmpgMBUI3CnOnL5MlTe1NE1IGVhb:XIzrNH/a4+L69g7eoKoYXOPmpgMBewMZ
MD5:	E684792507FAF113474A6D1217AEEAAD
SHA1:	F9486048EC025A9F469F52C1788A74E70975B431
SHA-256:	1035C85C840C1007D5F5BB62CA7358D6C85B5E4BF15155FE0857C6A17453F18A
SHA-512:	1A50BC231963D405F25879EE3560EB90F7B18D51640B9B4D848F18CAA9FEF14907F8935A86F093478BE0EE0E1261E4BCC8C697B486BC0617C5F77370337D48C3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~..#:i.p:i.p:i.p3.Jp0i.ph..q8i.ph..q1i.ph..q2i.ph..q8i.p...q8i.p_..q9i.p:i.pTi.p...q>i.p...q;i.p..&p;i.p...q;i.pRich:i.p........................PE..d.....].........." .................................................................3....`.............................................P...P...........................H............4..T............................4............... ...............................text............................... ..`.rdata..2.... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\python3.dll

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58952
Entropy (8bit):	5.849953914987793
Encrypted:	false
SSDEEP:	768:oS99q+0o22ByfbEap+VCBQ53gUiT5pLFdBk4/yFi1nuVwWBjChtFyrUdmd9RSxDD:79xiEAnUvdK1IGV0QyrI
MD5:	7ACEC875D5672E7AA148B8C40DF9AA49
SHA1:	96B8CFABE0CFA3DF32995919AC77CFDEEC26F1F2
SHA-256:	D96858E433F45917499DBF5E052E56F079FF9AE259FD3CAA025C3B1DAF852891
SHA-512:	1208DA62FE82B779EC822AD702F9CA4321B34EE590C28E10EFE9A2DB6D582BFDCAE01AB2431C1A98714EF0C60434D64C58F3DB31BF5886EFBB943ADC70D6E975
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............d..d..d.N.l..d.N.d..d.N..d.N.f..d.Rich.d.........PE..d.....].........." .....................................................................`.........................................` ..@...............................H............ ..T............................................................................text............................... ..`.rdata..d.... ......................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\python38.dll

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4183112
Entropy (8bit):	6.420172758698049
Encrypted:	false
SSDEEP:	49152:wV6CJES/Za2BaobNruDPYRQYK8JCNNtkAz+/Q46VqNo9NYxwCFIInKHJCMjntPNj:MxB/aDUQNtufeNFIKHoMjzkDU
MD5:	D2A8A5E7380D5F4716016777818A32C5
SHA1:	FB12F31D1D0758FE3E056875461186056121ED0C
SHA-256:	59AB345C565304F638EFFA7C0236F26041FD06E35041A75988E13995CD28ACE9
SHA-512:	AD1269D1367F587809E3FBE44AF703C464A88FA3B2AE0BF2AD6544B8ED938E4265AAB7E308D999E6C8297C0C85C608E3160796325286DB3188A3EDF040A02AB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................7[.........................................B............c...........Rich............................PE..d.....].........." .........."...............................................B.....f.@...`.........................................@I8.....X.9.\|.....B.......?.P.....?.H.....B. t..p. .T............................. .................X............................text...$........................... ..`.rdata..............................@..@.data........09......"9.............@....pdata..P.....?......2=.............@..@.rsrc.........B......8?.............@..@.reloc.. t....B..v...D?.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32\pythoncom38.dll

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	673280
Entropy (8bit):	6.0419437910215255
Encrypted:	false
SSDEEP:	6144:Ve+P6+MWPDCpiqo/r/wm/tx61waoXe1a84TkOz4ApSVIHs4ppdUKsGZ7QXlf:VelBcDh/wmVw1ayoFPppdUl
MD5:	F0392A9234F19A7312749E32B7C2AABC
SHA1:	3A06EB7FE07F4F72C43D44C84B0E8D0CF45B6B7B
SHA-256:	3890C952D049677351D50B940793E82FB9F065AC77A97CD228C187616BE1687E
SHA-512:	B81E1DE6083123CFEBF360F0FEFD0DC18FC6B361BB2B4A8249D71D77B9BB2E275C854998142A2774200D1864D3CAFC706F5D0CA9238E0EC859B3578922FCB698
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R0.~.Q.-.Q.-.Q.-.).-.Q.-D$.,.Q.-D$.,.Q.-D$.,.Q.-D$.,.Q.-.$.,.Q.-]).,.Q.-.%.,.Q.-]).,.Q.-.Q.-BP.-.$.,GQ.-.$.,.Q.-.$.,.Q.-Rich.Q.-........PE..d...x..g.........." ......................................................................`.........................................@`...c..............\....@...z............... ......T........................... ...8............................................text...3........................... ..`.rdata..T/.......0..................@..@.data....L..........................@....pdata...z...@...\|..................@..@.rsrc...\............ ..............@..@.reloc... ......."...$..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\pywin32_system32\pywintypes38.dll

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	136192
Entropy (8bit):	5.993915222442933
Encrypted:	false
SSDEEP:	3072:cXt1g7xR7WsXCBcyohpY/rjYarWSbJm/fEJTdXSwd0Lxwp:cXXg7xNFXC8Y/rxbbJmnEVdXSuQ
MD5:	7F960B22965D51F44D3046F3930D3471
SHA1:	DEFC4A353F6A14E316C1FE4085180CECA9EE6CE0
SHA-256:	D2DF2F815AB392812399143D6CB661C807449FA8409FD126F39F656769B8A728
SHA-512:	FA4484DBFA3E13F0FA1C4F1CF1DA0C3F76DE157586B49165A400EADBF9A7EFFAF318AA33A7A222F927222531107977FB7BE7CD62E4623B31B111E21AC4EDFD0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........YE+I8+xI8+xI8+x@@.xE8+x.MyM8+x/W.xH8+x.M.y]8+x.M/yA8+x.M(yJ8+x.@/yH8+x.LyK8+x.@yB8+xI8x.8+x.M"yD8+x.M+yH8+x.M)yH8+xRichI8+x........................PE..d...,..g.........." .........................................................`............`.............................................lB......,....@..d.... ...............P..0....b..T............................c..8............................................text...Y........................... ..`.rdata..............................@..@.data....-.......(..................@....pdata....... ......................@..@.rsrc...d....@......................@..@.reloc..0....P......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\select.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	26696
Entropy (8bit):	6.101296746249305
Encrypted:	false
SSDEEP:	768:6kYtqIDCNdwhBfAqXuqzz5H1IGqGbWDG4y4:6TnDCNCh93X7zzR1IGqG2y4
MD5:	6AE54D103866AAD6F58E119D27552131
SHA1:	BC53A92A7667FD922CE29E98DFCF5F08F798A3D2
SHA-256:	63B81AF5D3576473C17AC929BEA0ADD5BF8D7EA95C946CAF66CBB9AD3F233A88
SHA-512:	FF23F3196A10892EA22B28AE929330C8B08AB64909937609B7AF7BFB1623CD2F02A041FD9FAB24E4BC1754276BDAFD02D832C2F642C8ECDCB233F639BDF66DD0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................)............................M................M......M......M.E....M......Rich...........PE..d.....].........." .........2......h...............................................a"....`..........................................?..L....@..x....p.......`.......N..H.......,....2..T............................3...............0...............................text...u........................... ..`.rdata.......0......."..............@..@.data........P.......:..............@....pdata.......`.......<..............@..@.rsrc........p.......@..............@..@.reloc..,............L..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1096264
Entropy (8bit):	5.343512979675051
Encrypted:	false
SSDEEP:	12288:EGe9qQOZ67191SnFRFotduNFBjCmN/XlyCAx9++bBlhJk93cgewrxEeBc0bB:EGe9GK4oYhCc/+9nbDhG2wrxc0bB
MD5:	4C0D43F1A31E76255CB592BB616683E7
SHA1:	0A9F3D77A6E064BAEBACACC780701117F09169AD
SHA-256:	0F84E9F0D0BF44D10527A9816FCAB495E3D797B09E7BBD1E6BD666CEB4B6C1A8
SHA-512:	B8176A180A441FE402E86F055AA5503356E7F49E984D70AB1060DEE4F5F17FCEC9C01F75BBFF75CE5F4EF212677A6525804BE53646CC0D7817B6ED5FD83FD778
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.0v..^%..^%..^%.f.%..^%Tv_$..^%Tv[$..^%TvZ$..^%Tv]$..^%.w_$..^%cx_$..^%.._%N.^%.wS$..^%.w^$..^%.w.%..^%.w\$..^%Rich..^%................PE..d.....].........." .....L...V.......*..............................................-.....`.........................................p...X..............................H........... )..T............................)...............`..p............................text...1J.......L.................. ..`.rdata..>-...`.......P..............@..@.data................~..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\win32api.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133120
Entropy (8bit):	5.86120949149104
Encrypted:	false
SSDEEP:	3072:3wBdzUgdnhvjZXA2SRJzlRVFhLaNzvblJTqQvmP+0NfAdWe:3wsgdRjZXA2+tlRVgvZRqQ10Vy
MD5:	01196228998669ACFD2A4AA7E1E18A26
SHA1:	A7C3C59CB120EF75CA6F9A7A2E035783CD5933BB
SHA-256:	DA256A6EEB9C5512E869CA5452EC373A7C3AA8BE13AFEB76FD650738A5ADFBEC
SHA-512:	A2C627978B33A0FB8DDBEB7FF8C920F7BC357736D5C981A3F003ADF1CD8E6CB51B17FDF5847B98D024C3FF721550A5E8209B735E027110FF75ED56A10498C117
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V@m..@m..@m..I...Hm......Dm......Hm......Dm......Bm......Bm......Wm......Km..@m...l......Bm......Am......Am..Rich@m..................PE..d...O..g.........." ................8........................................P............`................................................d........0..T....................@..X....w..T............................<..8............0......d...@....................text...D........................... ..`.rdata.......0......................@..@.data...X(......."..................@....pdata..............................@..@.rsrc...T....0......................@..@.reloc..X....@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\win32trace.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.281734532194338
Encrypted:	false
SSDEEP:	384:tYGx6lLxGhN0H2So0JVPls+0T8DqqpqkW87P0bkZ5yn9g1BT:zl0WCaNkW87cSUuB
MD5:	3122A07137DEA2F663F0F5A57C68306A
SHA1:	9EA6A6DC321993F5EB1185F674B515BDF851718D
SHA-256:	B6AE09668425F318E2A56286F635EFC591B92C14870085A485A65A6E40F3A0C0
SHA-512:	98B2D850F79FCD4DF2D57C4692EFB08B550A20DDDB38C4A95CE794B78A1F84FD1AD7EA21A5845C364AC79523F668C4350628FDF7D7DABF4056DD07F25B67C6AE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r$(U6EF.6EF.6EF.?=..2EF.d0G.4EF.d0C.<EF.d0B.>EF.d0E.5EF..0G.4EF..1G.4EF.}=G.3EF.6EG.{EF..0O.7EF..0F.7EF..0D.7EF.Rich6EF.........PE..d...G..g.........." ................'....................................................`..........................................Q..T....Q..........\....p.......................G..T...........................PH..8............@...............................text....)......................... ..`.rdata.......@......................@..@.data...(....`.......L..............@....pdata.......p.......R..............@..@.rsrc...\............V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73442\win32ui.pyd

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1146880
Entropy (8bit):	6.055737484366553
Encrypted:	false
SSDEEP:	12288:A8kQJhn+6cxX9KOcol6NRn2Ri0VRxRz5jAs7FYyk2+wwZ8Oq:ANP6c8oiRnP2RFUsRY2+V8
MD5:	0E754914E42F2220C530A0212293BF51
SHA1:	242220538FBE59D141B44895FC8054FDB1A8358D
SHA-256:	CDFAF61B88C03F8C35BC0476A5CB85365B591787EE1B2FFEF264BFC570C9524A
SHA-512:	CDF127981996C2AFA94E09E0D9CEDF5D6F3512EF3F2505C9616EBD21F5B0BA4E5A1E1069AED84D1111A400BBCA8AED904948F91D47B961076A50528DD02A1E7A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.K;...;...;...2a].1....l..9....m..9...pa..5...il..3...il..?...il..-...;...3...il..<....l.......l..:....l1.:....l..:...Rich;...................PE..d...E..g.........." .........t.............................................. ............`..........................................1...T......h...............................`\......T.......................(...@...8............ ...0...........................text...0........................... ..`.rdata....... ......................@..@.data...............................@....pdata...............r..............@..@.rsrc...............................@..@.reloc..`\.......^..."..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\kyojenit

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:qn:qn
MD5:	3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:	DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:	F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:	2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:	false
Preview:	blat

C:\Users\user\AppData\Local\Temp\tmp4i57dvwl\gen_py\init.py

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.713840781302666
Encrypted:	false
SSDEEP:	3:S3yE25MOWrYXtHVE/DRFrgm5/gvJgXDLAUDA+ERo6+aEYqVS1f6gq1WGgVSBn:S3mSOWWHVUDjrgmxgRgzLXDA6Va8VeuR
MD5:	8C7CA775CF482C6027B4A2D3DB0F6A31
SHA1:	E3596A87DD6E81BA7CF43B0E8E80DA5BC823EA1A
SHA-256:	52C72CF96B12AE74D84F6C049775DA045FAE47C007DC834CA4DAC607B6F518EA
SHA-512:	19C7D229723249885B125121B3CC86E8C571360C1FB7F2AF92B251E6354A297B4C2B9A28E708F2394CA58C35B20987F8B65D9BD6543370F063BBD59DB4A186AC
Malicious:	false
Preview:	# Generated file - this directory may be deleted to reset the COM cache.....import win32com..if __path__[:-1] != win32com.__gen_path__: __path__.append(win32com.__gen_path__)..

C:\Users\user\AppData\Local\Temp\tmp4i57dvwl\gen_py\dicts.dat

Download File

Process:	C:\Users\user\Desktop\DeltaX.exe
File Type:	data
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.7219280948873625
Encrypted:	false
SSDEEP:	3:qW6:qW6
MD5:	2C7344F3031A5107275CE84AED227411
SHA1:	68ACAD72A154CBE8B2D597655FF84FD31D57C43B
SHA-256:	83CDA9FECC9C008B22C0C8E58CBCBFA577A3EF8EE9B2F983ED4A8659596D5C11
SHA-512:	F58362C70A2017875D231831AE5868DF22D0017B00098A28AACB5753432E8C4267AA7CBF6C5680FEB2DC9B7ABADE5654C3651685167CC26AA208A9EB71528BB6
Malicious:	false
Preview:	..K....}..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.996282067684745
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	DeltaX.exe
File size:	10'374'703 bytes
MD5:	8c02c616f0d561e49ae8c000c1c9bc7a
SHA1:	9709433a4028348c3d1bd0f6684d97e5d949e9c0
SHA256:	6dc4e9a65a2aa8622e224c4b1d55b5d1389143a3971a58c2393d20dc29f307b4
SHA512:	5c11b6ce69dded0d7ddcb1d6cbd9b145c1e6a88910059bf9ed55fa11f41971aafc1aae929215ef84d25c474bb40d91559cc7f7b3a3131c333babab5f55809309
SSDEEP:	196608:uIguWJysVYvsOtV1Z2azjvj8p5drY+0sroyMxxvjDDAxB9GQHSv0rEU4+W:HWJeVlj87dqQoyMxtDDAxpHBrF4X
TLSH:	ABA63373C6A2584AE5B90030D4B4A0B11A62F9690F109C2BCAB55F797F57FB47F788D0
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....bg.@.............(.x...2.................@.....................................X....`................................

File Icon


Icon Hash:	4a464cd47461e179

Static PE Info

General

Entrypoint:	0x1400010f6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6762E10C [Wed Dec 18 14:49:48 2024 UTC]
TLS Callbacks:	0x4000ccc0, 0x1, 0x4000cd80, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2b762c3d5d512cd6bf5a5baf230d4a2e

Entrypoint Preview

Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [0001F854h]
mov dword ptr [eax], 00000001h
call 00007EFE4CE1AE42h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
mov dword ptr [ebp-04h], 000000FFh
dec eax
mov eax, dword ptr [0001F825h]
mov dword ptr [eax], 00000000h
call 00007EFE4CE1AE13h
mov dword ptr [ebp-04h], eax
nop
nop
mov eax, dword ptr [ebp-04h]
dec eax
add esp, 30h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 70h
dec eax
mov dword ptr [ebp-10h], 00000000h
mov dword ptr [ebp-1Ch], 00000030h
mov eax, dword ptr [ebp-1Ch]
dec eax
mov eax, dword ptr [eax]
dec eax
mov dword ptr [ebp-28h], eax
dec eax
mov eax, dword ptr [ebp-28h]
dec eax
mov eax, dword ptr [eax+08h]
dec eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-04h], 00000000h
jmp 00007EFE4CE1AE23h
dec eax
mov eax, dword ptr [ebp-10h]
dec eax
cmp eax, dword ptr [ebp-18h]
jne 00007EFE4CE1AE0Bh
mov dword ptr [ebp-04h], 00000001h
jmp 00007EFE4CE1AE47h
mov ecx, 000003E8h
dec eax
mov eax, dword ptr [00034536h]
call eax
dec eax
mov eax, dword ptr [0001F7FDh]
dec eax
mov dword ptr [ebp-30h], eax
dec eax
mov eax, dword ptr [ebp-18h]
dec eax
mov dword ptr [ebp+00h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x35000	0x15f0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39000	0xf494	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x24000	0xf18	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x49000	0x154	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1fb40	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x35580	0x4f0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17698	0x17800	3162e04946f8d70363991ef77146f968	False	0.4406582446808511	data	6.151760427259421	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x19000	0x130	0x200	11b0fb1eb27a7b33f30f63c84010d98b	False	0.189453125	data	1.3374538668500189	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1a000	0x8360	0x8400	90488b6a86573a6cc98f474860f95d61	False	0.4765920928030303	data	6.541956983892695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x23000	0x4	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x24000	0xf18	0x1000	1d55bf60c7a95ecb39a7a169edbdf562	False	0.460205078125	data	4.949066468343522	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x25000	0xf30	0x1000	d536cede0a0b44ac8e685a7f15b04085	False	0.228515625	shared library	4.273158269466835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x26000	0xeff0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x35000	0x15f0	0x1600	dac35fc335ee1f745ab20fbc17d1616b	False	0.33061079545454547	data	4.455839108298774	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x37000	0x60	0x200	32b18f38c3c4ba3205e8c160ed8fa8ed	False	0.06640625	data	0.29046607431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x38000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x39000	0xf494	0xf600	8f1e755314f9e1a2a5c307c4e4ca9fc1	False	0.8035600863821138	data	7.555503971609621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x49000	0x154	0x200	3b590444fe5db0d8f4418a97264a915b	False	0.529296875	data	3.743194766435929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x39208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x3a0b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x3a958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x3aec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x443ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x46994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x47a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x47ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x47f0c	0x586	XML 1.0 document, ASCII text, with CRLF line terminators	0.44554455445544555

Imports

DLL	Import
ADVAPI32.dll	ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetTokenInformation, OpenProcessToken
COMCTL32.dll	LoadIconMetric
GDI32.dll	CreateFontIndirectW, DeleteObject, SelectObject
KERNEL32.dll	CloseHandle, CreateDirectoryW, CreateProcessW, DeleteCriticalSection, EnterCriticalSection, ExpandEnvironmentStringsW, FindClose, FindFirstFileExW, FormatMessageW, FreeLibrary, GetCommandLineW, GetCurrentProcess, GetEnvironmentVariableW, GetExitCodeProcess, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoW, GetTempPathW, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, LocalFree, MulDiv, MultiByteToWideChar, SetConsoleCtrlHandler, SetDllDirectoryW, SetEnvironmentVariableW, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, __C_specific_handler
msvcrt.dll	___lc_codepage_func, ___mb_cur_max_func, __argc, __iob_func, __set_app_type, __setusermatherr, __wargv, __wgetmainargs, __winitenv, _amsg_exit, _cexit, _commode, _errno, _filelengthi64, _fileno, _findclose, _fileno, _fmode, _get_osfhandle, _getpid, _initterm, _lock, _onexit, _setmode, _snwprintf, _stat64, _strdup, _unlock, _wcmdln, _wcsdup, _wcsdup, _wfindfirst64, _wfindnext64, _wfopen, _wfullpath, _wputenv_s, _wremove, _wrmdir, _wstat64, _wtempnam, abort, calloc, clearerr, exit, fclose, feof, ferror, fflush, fgetpos, fprintf, fputc, fputwc, fread, free, fsetpos, fwprintf, fwrite, iswctype, localeconv, malloc, mbstowcs, memcmp, memcpy, memset, perror, realloc, setbuf, setlocale, signal, strcat, strchr, strcmp, strcpy, strerror, strlen, strncat, strncmp, strncpy, strtok, vfprintf, wcscat, wcschr, wcscmp, wcscpy, wcslen, wcsncpy, wcstombs
USER32.dll	CreateWindowExW, DestroyIcon, DialogBoxIndirectParamW, DrawTextW, EndDialog, GetClientRect, GetDC, GetDialogBaseUnits, GetWindowLongPtrW, InvalidateRect, MessageBoxA, MessageBoxW, MoveWindow, ReleaseDC, SendMessageW, SetWindowLongPtrW, SystemParametersInfoW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 10:25:06.717865944 CET	49731	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:06.717900038 CET	443	49731	54.230.112.122	192.168.2.4
Dec 19, 2024 10:25:06.718113899 CET	49731	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:06.718894958 CET	49731	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:06.718909025 CET	443	49731	54.230.112.122	192.168.2.4
Dec 19, 2024 10:25:08.178237915 CET	443	49731	54.230.112.122	192.168.2.4
Dec 19, 2024 10:25:08.179054022 CET	49731	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:08.179089069 CET	443	49731	54.230.112.122	192.168.2.4
Dec 19, 2024 10:25:08.181195021 CET	443	49731	54.230.112.122	192.168.2.4
Dec 19, 2024 10:25:08.181278944 CET	49731	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:08.181885004 CET	49731	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:08.182019949 CET	49731	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:08.187243938 CET	49732	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:08.187289000 CET	443	49732	54.230.112.122	192.168.2.4
Dec 19, 2024 10:25:08.187386990 CET	49732	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:08.187731028 CET	49732	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:08.187748909 CET	443	49732	54.230.112.122	192.168.2.4
Dec 19, 2024 10:25:09.591972113 CET	443	49732	54.230.112.122	192.168.2.4
Dec 19, 2024 10:25:09.592312098 CET	49732	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:09.592333078 CET	443	49732	54.230.112.122	192.168.2.4
Dec 19, 2024 10:25:09.593808889 CET	443	49732	54.230.112.122	192.168.2.4
Dec 19, 2024 10:25:09.593878984 CET	49732	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:09.594399929 CET	49732	443	192.168.2.4	54.230.112.122
Dec 19, 2024 10:25:09.594527006 CET	49732	443	192.168.2.4	54.230.112.122

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 10:25:06.575746059 CET	50965	53	192.168.2.4	1.1.1.1
Dec 19, 2024 10:25:06.713546991 CET	53	50965	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 10:25:06.575746059 CET	192.168.2.4	1.1.1.1	0xffa0	Standard query (0)	brave.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 10:25:06.713546991 CET	1.1.1.1	192.168.2.4	0xffa0	No error (0)	brave.com	54.230.112.122	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:25:06.713546991 CET	1.1.1.1	192.168.2.4	0xffa0	No error (0)	brave.com	54.230.112.35	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:25:06.713546991 CET	1.1.1.1	192.168.2.4	0xffa0	No error (0)	brave.com	54.230.112.55	A (IP address)	IN (0x0001)	false
Dec 19, 2024 10:25:06.713546991 CET	1.1.1.1	192.168.2.4	0xffa0	No error (0)	brave.com	54.230.112.8	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:25:02
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\DeltaX.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DeltaX.exe"
Imagebase:	0x7ff654ca0000
File size:	10'374'703 bytes
MD5 hash:	8C02C616F0D561E49AE8C000C1C9BC7A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:25:04
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\DeltaX.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\DeltaX.exe"
Imagebase:	0x7ff654ca0000
File size:	10'374'703 bytes
MD5 hash:	8C02C616F0D561E49AE8C000C1C9BC7A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.7%
Total number of Nodes:	1140
Total number of Limit Nodes:	20

Executed Functions

Function 00007FF654CA1154 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_amsg_exit.MSVCRT ref: 00007FF654CA11F6
_initterm.MSVCRT ref: 00007FF654CA122B
_initterm.MSVCRT ref: 00007FF654CA125E
exit.MSVCRT ref: 00007FF654CA1358
_cexit.MSVCRT ref: 00007FF654CA1367

Strings

0, xrefs: 00007FF654CA1164

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: _initterm$_amsg_exit_cexitexit
String ID: 0
API String ID: 602970348-4108050209
Opcode ID: 6d6abd2140eb0b7f68bb3c504690dcf92132bdf22886463ef4a851639e3c59bc
Instruction ID: 4612fabad723a35932750a26ade81000d56b3253715170873d3ec5c8c1b4e406
Opcode Fuzzy Hash: 6d6abd2140eb0b7f68bb3c504690dcf92132bdf22886463ef4a851639e3c59bc
Instruction Fuzzy Hash: 8B6194A5F09B0689FB009B96E8E436833B0BB84B84F4844B6DE5DE77A5DE3CE4418750

Function 00007FF654CA8C60 Relevance: 6.9, Strings: 5, Instructions: 602COMMON

Download Yara Rule

Strings

invalid stored block lengths, xrefs: 00007FF654CA8F5E
too many length or distance symbols, xrefs: 00007FF654CA99D6
invalid literal/length code, xrefs: 00007FF654CAA372
incorrect data check, xrefs: 00007FF654CA8DA1
invalid block type, xrefs: 00007FF654CAA1E0

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID:
String ID: incorrect data check$invalid block type$invalid literal/length code$invalid stored block lengths$too many length or distance symbols
API String ID: 0-817236767
Opcode ID: ad7465917ce0bd69c915d26ccdd0654c50e183496f1a9639a8706ff0dce767b6
Instruction ID: 7425fac036edb0e2d28438c2113d62e9721003a965375a0cb7f411b3755a4ba5
Opcode Fuzzy Hash: ad7465917ce0bd69c915d26ccdd0654c50e183496f1a9639a8706ff0dce767b6
Instruction Fuzzy Hash: C842E2B3E192928BD3508F26D49893E7BB5FB84784F19417ADA4AD7784DF38E904DB00

Function 00007FF654CA9458 Relevance: 5.4, Strings: 4, Instructions: 369COMMON

Download Yara Rule

Strings

invalid distances set, xrefs: 00007FF654CAA93A
invalid bit length repeat, xrefs: 00007FF654CAA851
invalid code -- missing end-of-block, xrefs: 00007FF654CA9EAD
invalid literal/lengths set, xrefs: 00007FF654CAA806

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid distances set$invalid literal/lengths set
API String ID: 0-1153561608
Opcode ID: 47164a0fb7dc88aad6f9100fbe571ed17c27b01c48b102c533af20c39b644f9d
Instruction ID: 6f28f83da5bedae8d3af34aef5f86b0e215c9b0a4fa98f67d53df7a5d9072490
Opcode Fuzzy Hash: 47164a0fb7dc88aad6f9100fbe571ed17c27b01c48b102c533af20c39b644f9d
Instruction Fuzzy Hash: E1F1E4B2A186528BD7548F26D4D8A7E77F4FB84784F0A417ADB4A97780DF38E944CB00

Function 00007FF654CA85E0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF654CA8605
FindClose.KERNEL32 ref: 00007FF654CA8614

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e52f2938a18a37d305d9bb5fab71544ce8426dd77b6bb2e1cf10f581b4471b50
Instruction ID: 7d928cd83c8d8d6d00146a290b16316861d7f147436f1b685e0d7133dc2fa58e
Opcode Fuzzy Hash: e52f2938a18a37d305d9bb5fab71544ce8426dd77b6bb2e1cf10f581b4471b50
Instruction Fuzzy Hash: 25F0E569E2D68182F7E09B60F44876923A0EBC43B8F880775DA7D916D4CFBCC14ACB00

Function 00007FF654CA1C80 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7723
Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7753
Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7769
Part of subcall function 00007FF654CA76B0: strcpy.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA777A
Part of subcall function 00007FF654CA76B0: strtok.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA7784

malloc.MSVCRT ref: 00007FF654CA1CF0
fread.MSVCRT ref: 00007FF654CA1D51
free.MSVCRT ref: 00007FF654CA1D79
fclose.MSVCRT ref: 00007FF654CA1D9B
fclose.MSVCRT ref: 00007FF654CA1DAA

Strings

fwrite, xrefs: 00007FF654CA1E0A
fseek, xrefs: 00007FF654CA1E2A
Failed to extract %s: failed to open archive file!, xrefs: 00007FF654CA1DE2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF654CA1E23
fopen, xrefs: 00007FF654CA1E42
fread, xrefs: 00007FF654CA1D65
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF654CA1E03
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF654CA1D5E
malloc, xrefs: 00007FF654CA1E62
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF654CA1E5B
Failed to extract %s: failed to open target file!, xrefs: 00007FF654CA1E3B

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: strlen$fclose$freadfreemallocstrcpystrtok
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 790192563-666925554
Opcode ID: 2eb8a89695d0905b6aac32925b17d146fc58dee4761c266095f8ad691f51bfc2
Instruction ID: 5d8936f683f5ecfed94953b87fe6d7f503a50193c404997fd602b43de507e3d5
Opcode Fuzzy Hash: 2eb8a89695d0905b6aac32925b17d146fc58dee4761c266095f8ad691f51bfc2
Instruction Fuzzy Hash: 41419CA5F0960250FB559B22D8F02B92271AFC5B94FCC45B3DE1EAB3D2EE2CE5458300

Function 00007FF654CA7270 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wputenv_s.MSVCRT ref: 00007FF654CA72C1
free.MSVCRT ref: 00007FF654CA72CC
GetTempPathW.KERNEL32 ref: 00007FF654CA72F0
_getpid.MSVCRT(?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA72F6
_wtempnam.MSVCRT ref: 00007FF654CA731F
free.MSVCRT ref: 00007FF654CA7334
free.MSVCRT ref: 00007FF654CA735E

Part of subcall function 00007FF654CA6FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF654CA700C

Part of subcall function 00007FF654CA7110: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF654CA714B
Part of subcall function 00007FF654CA7110: free.MSVCRT ref: 00007FF654CA7156
Part of subcall function 00007FF654CA7110: _wfullpath.MSVCRT ref: 00007FF654CA717E
Part of subcall function 00007FF654CA7110: wcschr.MSVCRT(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71AD
Part of subcall function 00007FF654CA7110: wcsncpy.MSVCRT ref: 00007FF654CA71DB
Part of subcall function 00007FF654CA7110: CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71E5
Part of subcall function 00007FF654CA7110: wcschr.MSVCRT(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71F0
Part of subcall function 00007FF654CA7110: CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA7202

Strings

_MEI%d, xrefs: 00007FF654CA72FB
TMP, xrefs: 00007FF654CA72B7
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF654CA7380
TMP, xrefs: 00007FF654CA7294, 00007FF654CA734C, 00007FF654CA73B3, 00007FF654CA73DD, 00007FF654CA7409

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$CreateDirectoryEnvironmentwcschr$ExpandPathStringsTempVariable_getpid_wfullpath_wputenv_s_wtempnamwcsncpy
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 2180377646-1116378104
Opcode ID: a3b2ec564969b41e7f7f1f3776da53e2cae86a4f4f371a759b53bcdcc7010f3f
Instruction ID: f62146a0d111edc9aa6a38346515cddbce1d3ae4a64bb84879afd9183c586abf
Opcode Fuzzy Hash: a3b2ec564969b41e7f7f1f3776da53e2cae86a4f4f371a759b53bcdcc7010f3f
Instruction Fuzzy Hash: FB415B91E4A50301FA55A723ADB56B652726FC5BD1F8C84B7EC0EE7792ED3CE4498200

Function 00007FF654CA1710 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF654CA8AE0: malloc.MSVCRT ref: 00007FF654CA8A49

malloc.MSVCRT ref: 00007FF654CA1788
malloc.MSVCRT ref: 00007FF654CA179E
fread.MSVCRT ref: 00007FF654CA17CD
ferror.MSVCRT ref: 00007FF654CA17DE
fwrite.MSVCRT ref: 00007FF654CA1867
ferror.MSVCRT ref: 00007FF654CA1882
free.MSVCRT ref: 00007FF654CA1905
free.MSVCRT ref: 00007FF654CA190D

Strings

Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF654CA1A07
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF654CA18E9
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF654CA1A5E
1.2.12, xrefs: 00007FF654CA173F
malloc, xrefs: 00007FF654CA1A46, 00007FF654CA1A65
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF654CA1A3F
_MEIPASS2, xrefs: 00007FF654CA1712

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: malloc$ferrorfree$freadfwrite
String ID: 1.2.12$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$_MEIPASS2$malloc
API String ID: 1635854594-2461342963
Opcode ID: ca8c180e82fc02696001b4b772ca5b4f9595369572e3e3818e5851be8c36e41a
Instruction ID: dedc42404c983bce25259a1f689a528bbd32b3ea96a0acd360ce2955a4666e2d
Opcode Fuzzy Hash: ca8c180e82fc02696001b4b772ca5b4f9595369572e3e3818e5851be8c36e41a
Instruction Fuzzy Hash: A28195A6A0C69181E720CB26E4A03AA63B0FFC47A4F984172DEDDA77D5DE7CD485C700

Function 00007FF654CA8440 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF654CA8477
OpenProcessToken.ADVAPI32 ref: 00007FF654CA8488
free.MSVCRT ref: 00007FF654CA84A0
CloseHandle.KERNEL32 ref: 00007FF654CA84B0
_snwprintf.MSVCRT ref: 00007FF654CA84D8
LocalFree.KERNEL32 ref: 00007FF654CA84E1
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF654CA8507
CreateDirectoryW.KERNEL32 ref: 00007FF654CA851B
GetTokenInformation.KERNELBASE(00000000,00000005(TokenIntegrityLevel),?,?,?,00007FFE209EC150,00007FF654CA732D,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA8561
GetLastError.KERNEL32 ref: 00007FF654CA8567
calloc.MSVCRT ref: 00007FF654CA8582
GetTokenInformation.KERNELBASE(?,?,?,00007FFE209EC150,00007FF654CA732D,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA85A8
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF654CA85BD

Strings

S-1-3-4, xrefs: 00007FF654CA84BB
D:(A;;FA;;;%s), xrefs: 00007FF654CA84CA

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen_snwprintfcallocfree
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 1339360106-2855260032
Opcode ID: fe406d8fb547cea20d7bfb8102cc3596c6133abc484eadb2eb76a5d76b1726db
Instruction ID: 6feeda8b429cc0ac5ab239d524766e68f7f5bd45a70907752286bcdf451545fb
Opcode Fuzzy Hash: fe406d8fb547cea20d7bfb8102cc3596c6133abc484eadb2eb76a5d76b1726db
Instruction Fuzzy Hash: BD318FA160864242E7109B52B8A47AA7371AFC5BA4F584276EE6DA3BD4DF3CD405C700

Function 00007FF654CAE5E0 Relevance: 25.9, APIs: 17, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strdup.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAE616
setlocale.MSVCRT ref: 00007FF654CAE62E
mbstowcs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAE665
mbstowcs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAE6D6
setlocale.MSVCRT ref: 00007FF654CAE741
free.MSVCRT ref: 00007FF654CAE74D
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAE981
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAE9F5
realloc.MSVCRT ref: 00007FF654CAEA10
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAEA39
setlocale.MSVCRT ref: 00007FF654CAEA4A
free.MSVCRT ref: 00007FF654CAEA56
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAEA80
realloc.MSVCRT ref: 00007FF654CAEA9B
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAEABF
setlocale.MSVCRT ref: 00007FF654CAEAD0
free.MSVCRT ref: 00007FF654CAEADC

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: wcstombs$setlocale$free$mbstowcsrealloc$_strdup
String ID:
API String ID: 918573998-0
Opcode ID: a83cf2a6e7cdc1dd5fd551beaeb6a114339be945ac12246f5548f53177ceeab4
Instruction ID: f4cd77e1830dbf52755837107e1a0d5ee60df2f5d932de03dbce69b9c962df6c
Opcode Fuzzy Hash: a83cf2a6e7cdc1dd5fd551beaeb6a114339be945ac12246f5548f53177ceeab4
Instruction Fuzzy Hash: 9CF140A6F04B1588FB509BAAC4912BC37B0FB85B88F884476DE4CA7799DF38D451C360

Function 00007FF654CA1E80 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF654CA7D30: malloc.MSVCRT ref: 00007FF654CA7D4E
Part of subcall function 00007FF654CA7D30: free.MSVCRT ref: 00007FF654CA7E25

fread.MSVCRT ref: 00007FF654CA1EF3
malloc.MSVCRT ref: 00007FF654CA1F52
fread.MSVCRT ref: 00007FF654CA1F73
ferror.MSVCRT ref: 00007FF654CA1F90
fclose.MSVCRT ref: 00007FF654CA2000

Strings

fseek, xrefs: 00007FF654CA208C
Failed to seek to cookie position!, xrefs: 00007FF654CA2085
Failed to read cookie!, xrefs: 00007FF654CA2048
Error on file., xrefs: 00007FF654CA2077
fread, xrefs: 00007FF654CA204F, 00007FF654CA2069
Could not read full TOC!, xrefs: 00007FF654CA2062
malloc, xrefs: 00007FF654CA20A1
Cannot read Table of Contents., xrefs: 00007FF654CA1FA7
Could not allocate buffer for TOC!, xrefs: 00007FF654CA209A

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: freadmalloc$fcloseferrorfree
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$fread$fseek$malloc
API String ID: 1320676746-1463511288
Opcode ID: e3634c2f215a7801dd9328adda742cb27553f91e41f206a36010a9a902b352bd
Instruction ID: babdc14d796f17458553065fe2034b09e9d09d4541117d9d885cdfc4dc8efd52
Opcode Fuzzy Hash: e3634c2f215a7801dd9328adda742cb27553f91e41f206a36010a9a902b352bd
Instruction Fuzzy Hash: 91514DB2B0961296EA18CB16D5E027967B1BFC8744F888077DA0E97B95DF3DE4A1C700

Function 00007FF654CA79C0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

SetConsoleCtrlHandler.KERNEL32 ref: 00007FF654CA7A06
GetStartupInfoW.KERNEL32 ref: 00007FF654CA7A28
_fileno.MSVCRT ref: 00007FF654CA7A6C
_get_osfhandle.MSVCRT ref: 00007FF654CA7A7A
_fileno.MSVCRT ref: 00007FF654CA7A8E
_get_osfhandle.MSVCRT ref: 00007FF654CA7A95
_fileno.MSVCRT ref: 00007FF654CA7AA9
_get_osfhandle.MSVCRT ref: 00007FF654CA7AB0
GetCommandLineW.KERNEL32 ref: 00007FF654CA7ABA
CreateProcessW.KERNEL32 ref: 00007FF654CA7B02
WaitForSingleObject.KERNEL32 ref: 00007FF654CA7B19
GetExitCodeProcess.KERNEL32 ref: 00007FF654CA7B2C

Strings

Error creating child process!, xrefs: 00007FF654CA7B48
CreateProcessW, xrefs: 00007FF654CA7B4F

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: _fileno_get_osfhandle$Process$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 1833775142-3524285272
Opcode ID: 8ef660b42063669becf1bd41f8a29df173ea005990595a1a776f16ce8dcaa147
Instruction ID: 987aecc7d3df137f483188ecc238f26ea64b04d5271b215a9f71ed6878d3b341
Opcode Fuzzy Hash: 8ef660b42063669becf1bd41f8a29df173ea005990595a1a776f16ce8dcaa147
Instruction Fuzzy Hash: F2415072A0878285EB209B65F8A43EA7370FBC5794F484136DA8D97795DF7CD088CB40

Function 00007FF654CA16D0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 285
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF654CA8160: free.MSVCRT ref: 00007FF654CA81C7
Part of subcall function 00007FF654CA8160: free.MSVCRT ref: 00007FF654CA81D4

Part of subcall function 00007FF654CA21B0: calloc.MSVCRT ref: 00007FF654CA21BE

Part of subcall function 00007FF654CA42F0: GetModuleFileNameW.KERNEL32 ref: 00007FF654CA4312

Part of subcall function 00007FF654CA6FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF654CA700C

free.MSVCRT ref: 00007FF654CA3C27

Part of subcall function 00007FF654CA70D0: SetEnvironmentVariableW.KERNEL32 ref: 00007FF654CA70EB
Part of subcall function 00007FF654CA70D0: free.MSVCRT ref: 00007FF654CA70F6

SetDllDirectoryW.KERNEL32 ref: 00007FF654CA3C93
strcmp.MSVCRT ref: 00007FF654CA3CBF
strcpy.MSVCRT ref: 00007FF654CA3D05

Strings

Cannot side-load external archive %s (code %d)!, xrefs: 00007FF654CA3FA9
Error opening archive ZNdewcHn8K from executable (%s) or external archive (%s), xrefs: 00007FF654CA3F2C
_PYI_ONEDIR_MODE, xrefs: 00007FF654CA3BF3, 00007FF654CA3C2C
_MEIPASS2, xrefs: 00007FF654CA3BD8
Failed to convert DLL search path!, xrefs: 00007FF654CA3FF7

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$EnvironmentVariable$DirectoryFileModuleNamecallocstrcmpstrcpy
String ID: Cannot side-load external archive %s (code %d)!$Error opening archive ZNdewcHn8K from executable (%s) or external archive (%s)$Failed to convert DLL search path!$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 4056350997-3668766296
Opcode ID: 8037da94f03f8b8fec9e8aa24b1861a1d75888de2a0157cbc5161594d342ec19
Instruction ID: 723f92a87f2936aa3c76af61cbceb6ba315cc9e1c360b81ee62241ca0de7e46b
Opcode Fuzzy Hash: 8037da94f03f8b8fec9e8aa24b1861a1d75888de2a0157cbc5161594d342ec19
Instruction Fuzzy Hash: 98C1A6A1A1D64250FA10DB2398B01BA6674AFC4BC4F4C40B3EE4EE7BE6DE3CE5458700

Function 00007FF654CA7490 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

wcslen.MSVCRT ref: 00007FF654CA74E0
wcscat.MSVCRT ref: 00007FF654CA750E
_wrmdir.MSVCRT ref: 00007FF654CA752C
wcscat.MSVCRT ref: 00007FF654CA755E

Strings

_MEIPASS2, xrefs: 00007FF654CA7497

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: wcscat$ByteCharMultiWide_wrmdirwcslen
String ID: _MEIPASS2
API String ID: 3789554339-3944641314
Opcode ID: 3889d0a8454738bdc02ac1a27fcd313a3c6fda00dcb1aeb9c18716f4fec953fa
Instruction ID: beaedefb14458b0954ffeb20603008eba5b88a3865c958cf3aaa40ff8adcf9fd
Opcode Fuzzy Hash: 3889d0a8454738bdc02ac1a27fcd313a3c6fda00dcb1aeb9c18716f4fec953fa
Instruction Fuzzy Hash: 3521D0D2B4954244EA10A613A8A46BA52B2BFC5BE0FCC85B3ED1DA77C6ED3CD4458314

Function 00007FF654CA76B0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 102
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF654CA7723
strlen.MSVCRT ref: 00007FF654CA7753
strlen.MSVCRT ref: 00007FF654CA7769
strcpy.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA777A
strtok.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA7784

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

Part of subcall function 00007FF654CAF1BB: free.MSVCRT ref: 00007FF654CAF1FF
Part of subcall function 00007FF654CAF1BB: memset.MSVCRT ref: 00007FF654CAF21C

Strings

WARNING: file already exists but should not: %s, xrefs: 00007FF654CA782B

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: strlen$ByteCharMultiWidefreememsetstrcpystrtok
String ID: WARNING: file already exists but should not: %s
API String ID: 901113649-146164175
Opcode ID: 22a9787840595a1d560ab590334c00c77606adf5d77760e485accf00cc5aaf83
Instruction ID: f7f63d71ed15e4af07ef2cc17e75bf3c3cc54be8e5d1a378b3937fb2516d657b
Opcode Fuzzy Hash: 22a9787840595a1d560ab590334c00c77606adf5d77760e485accf00cc5aaf83
Instruction Fuzzy Hash: AA31A091B4954244FA21E713E8A57FA52626FC5BC4F8C40B3ED0DE77C6DE2CE149C650

Function 00007FF654CA75D0 Relevance: 9.1, APIs: 6, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscmp.MSVCRT ref: 00007FF654CA761A
wcscat.MSVCRT ref: 00007FF654CA7630

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: wcscatwcscmp
String ID:
API String ID: 3846154227-0
Opcode ID: d9fc9803e7bfdff9322b61788698340c51d4f1b4d93720d135f91fe10f214957
Instruction ID: dc6887e6ccc5f1225daad81d0523fa5e873dcda5db4dd2fa1c2f15dd1e19a61b
Opcode Fuzzy Hash: d9fc9803e7bfdff9322b61788698340c51d4f1b4d93720d135f91fe10f214957
Instruction Fuzzy Hash: D4116DD0B8D54345FA59AB2798B43B912B16FC4BC4F4C80B3DD0EE6282EE2CE5068224

Function 00007FF654CA86B0 Relevance: 5.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT ref: 00007FF654CA870E
malloc.MSVCRT ref: 00007FF654CA8784

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: mallocmemcpy
String ID:
API String ID: 4276657696-0
Opcode ID: 61eaa1ab35641a1ad6f539a3031d6a572ba3cd1bcdd971e16e585366fc5a0095
Instruction ID: a40ddd9499e9f0b48b1ab8b457dfb608d0f8a8bd7d3bcf7594292a81887e1267
Opcode Fuzzy Hash: 61eaa1ab35641a1ad6f539a3031d6a572ba3cd1bcdd971e16e585366fc5a0095
Instruction Fuzzy Hash: A231AEB6B255418BE660CA27E49466AB6B1FB84B80F185035DB4AD7B40EE3CF880CB00

Function 00007FF654CA7D30 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF654CA7D4E
free.MSVCRT ref: 00007FF654CA7E25

Strings

_MEIPASS2, xrefs: 00007FF654CA7D32

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: freemalloc
String ID: _MEIPASS2
API String ID: 3061335427-3944641314
Opcode ID: da46ef3b5912aebcfa8d404ac62b0d1d0bad185323e599ae2328ef0c0b4c6286
Instruction ID: 5b0c06c5fc477e7d01a1bfbc06f031b5b856a8db3b8c6ecb1eb4e27287fd294e
Opcode Fuzzy Hash: da46ef3b5912aebcfa8d404ac62b0d1d0bad185323e599ae2328ef0c0b4c6286
Instruction Fuzzy Hash: 412108A2B0A11205FE10951399A47FAD6667F85BC4F8C0473DE0DEB7C1ED3CE942C240

Function 00007FF654CA6170 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.MSVCRT ref: 00007FF654CA617E

Strings

calloc, xrefs: 00007FF654CA6194
Cannot allocate memory for SPLASH_STATUS., xrefs: 00007FF654CA618D

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: calloc
String ID: Cannot allocate memory for SPLASH_STATUS.$calloc
API String ID: 2635317215-799113134
Opcode ID: daeeb61d3e57278251d27ce958a3713753ff428d5e00cabe7585f6002fde9d4c
Instruction ID: 14d1bdee05f23941bb96d06a4412261f5947c08b2419bf668f690ed2517d87c9
Opcode Fuzzy Hash: daeeb61d3e57278251d27ce958a3713753ff428d5e00cabe7585f6002fde9d4c
Instruction Fuzzy Hash: A6E0C2E1F0860680EA14AB00D4E91F92B70EFC4340FCC40B6DA5CB7BA2EE3CE5458700

Function 00007FF654CAF300 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fsetpos.MSVCRT ref: 00007FF654CAF3A5

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fsetpos
String ID:
API String ID: 850078086-0
Opcode ID: 1b41710901f17b2eeca1497c090281577d230925116f41a5d4b4f06b87e02d06
Instruction ID: b104fdc5b6c141cf6f9acb5d5b09d47a2712c4bd0829fc231079b8ff7df6f3fc
Opcode Fuzzy Hash: 1b41710901f17b2eeca1497c090281577d230925116f41a5d4b4f06b87e02d06
Instruction Fuzzy Hash: 51114DB6A05B06C9EB10DF66C4A10BC33B0AF84798F544AB6EA1DA7799DF38D0508360

Function 00007FF654CA20B0 Relevance: 3.0, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FF654CA2138
fclose.MSVCRT ref: 00007FF654CA2158

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fclosestrcpy
String ID:
API String ID: 3396940900-0
Opcode ID: 971efec496ac2d361f2b672ee238c628acabd71029eeb8cfc9f8320c43482ae7
Instruction ID: 3796415255b77e960a134fc900405ab017e41298186196f1cfaf81f32bc4ce62
Opcode Fuzzy Hash: 971efec496ac2d361f2b672ee238c628acabd71029eeb8cfc9f8320c43482ae7
Instruction Fuzzy Hash: A0118EA5B0814280FB549A72E9A53F912619FD4BC4F9C8173DD0EE778ADE2CE8C9C310

Function 00007FF654CAF1BB Relevance: 2.6, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CAEFD0: wcslen.MSVCRT ref: 00007FF654CAF006

free.MSVCRT ref: 00007FF654CAF1FF
memset.MSVCRT ref: 00007FF654CAF21C

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: freememsetwcslen
String ID:
API String ID: 2332356550-0
Opcode ID: 16ca566369b86500749d9f98ec16c1cf0d74b93f9dbbc66e3a29c3db3259c6e1
Instruction ID: 00bee5ed386922b5bf0a7c5e12d49da0a74c4ced8ab3b4f24a2bb71e0cfb6ff3
Opcode Fuzzy Hash: 16ca566369b86500749d9f98ec16c1cf0d74b93f9dbbc66e3a29c3db3259c6e1
Instruction Fuzzy Hash: 2231EAA6F00B1489EB10CF7AD48109C3BB1FB98BA8B148566EE1C53B6CDF34C591C790

Function 00007FF654CAEE10 Relevance: 2.5, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF654CAEE67
memcpy.MSVCRT ref: 00007FF654CAEEDA

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 28245664c572555644c21b5e65988328f64a065fd9a3e6ebb93e0ea27bb1dba2
Instruction ID: a757d76789d26065d29f647b99451c2c7016f4da10d737462df58c0f5c0fc47a
Opcode Fuzzy Hash: 28245664c572555644c21b5e65988328f64a065fd9a3e6ebb93e0ea27bb1dba2
Instruction Fuzzy Hash: 3721E876B40B8689DB70CF6AD8843ED33B1EB49BA8F514266CE3C5BB98DE34C5408340

Function 00007FF654CAEEF0 Relevance: 2.5, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF654CAEF45
memcpy.MSVCRT ref: 00007FF654CAEFB6

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 3e7cd3d59118b199465456136e8bc5aa6b3bf50dbcff2041c2c4c44bafb46f53
Instruction ID: 745c858ff35faf353da0d1162648ca15ea873b2c068f9e624094dbb401a66716
Opcode Fuzzy Hash: 3e7cd3d59118b199465456136e8bc5aa6b3bf50dbcff2041c2c4c44bafb46f53
Instruction Fuzzy Hash: 8321E576B40B8689DB20CF6AD8843ED37B1EB49B98F518166CE2C5BB98DE34C6448740

Function 00007FF654CA43B0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

_wfopen.MSVCRT ref: 00007FF654CA43F5

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharMultiWide_wfopen
String ID:
API String ID: 372205238-0
Opcode ID: e249028c2137e21c272be09ebad8c35b62695eafe249120916a556fd3ad7a81d
Instruction ID: ce7b9c4f3f1a137ca05e3566820a6583da373b9eeb85fd7be1711753db72d2db
Opcode Fuzzy Hash: e249028c2137e21c272be09ebad8c35b62695eafe249120916a556fd3ad7a81d
Instruction Fuzzy Hash: A9E0D8D1B4C21102F9146213BD647FA92225F8AFC4F488132EF0CABB8A8D1DD243CB00

Function 00007FF654CA9330 Relevance: 1.4, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF654CA936E

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8ecaa912455c69dac76f6531f9098773f1cfe53416ab283d50a917500fe93d8f
Instruction ID: 4661e98657bf537db85acc512dec81c563c70da0efd4cdcba8dd89635027c305
Opcode Fuzzy Hash: 8ecaa912455c69dac76f6531f9098773f1cfe53416ab283d50a917500fe93d8f
Instruction Fuzzy Hash: 4751B377A182528BE7608E26E098A2F77F4FF847D4F198476DA4697A84CF38D844CB00

Function 00007FF654CACBA0 Relevance: 1.3, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF654CACC5A

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 623919cd236f253b3d7bc4f578d470e9102edac5acaca204977424f4e3dbef8b
Instruction ID: 574f1b3ce3b82e9b44adfb3d838f31a46a3e68b46195a73d1774baacd5146e6e
Opcode Fuzzy Hash: 623919cd236f253b3d7bc4f578d470e9102edac5acaca204977424f4e3dbef8b
Instruction Fuzzy Hash: 0E315DA6F0471599F7109BA6D4903BC37B0AB80B88F9840B6DE4CA7B98DF3CD691C750

Function 00007FF654CA8AE0 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF654CA8A49

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 0fc86e8ee51b5bdc1f5f7082c9320d3be715a44251d05dfd6912ed91f5c13a9f
Instruction ID: 9ced9d583d56a81cae4a990e0d4cd5c51dcbbd51bab2b6840cf302b74af97891
Opcode Fuzzy Hash: 0fc86e8ee51b5bdc1f5f7082c9320d3be715a44251d05dfd6912ed91f5c13a9f
Instruction Fuzzy Hash: 722162A2A09A0247EB658B5694A033936A1AFC4B94F6D4176C91DA77D0DF39DC83C350

Non-executed Functions

Function 00007FF654CA4410 Relevance: 291.1, APIs: 55, Strings: 111, Instructions: 566libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000,?,00007FF654CA3AAD), ref: 00007FF654CA442A
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4446
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4462
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA447E
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA449A
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA44B6
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA44D2
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA44EE
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA450A
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4532
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA454E
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA456A
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4586
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA45A2
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA45BE
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA45DA
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA45F6
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4612
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA462E
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA464A
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4666
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4682
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA469E
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA46BA
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA46D6
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA46F2
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA470E
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA472A
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4746
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4762
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA477E
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA479A
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA47B6
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA47D2
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA47EE
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA480A
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4826
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4842
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA485E
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA487A
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4896
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA48B2
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA48CE
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA48EA
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4906
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4922
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA493E
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA495A
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4976
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4992
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA49AE
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA49CA
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA49E6
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4A02
GetProcAddress.KERNEL32(?,00007FF654CA3AAD), ref: 00007FF654CA4A2A

Strings

Py_VerboseFlag, xrefs: 00007FF654CA44E4
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF654CA4D60
PySys_SetPath, xrefs: 00007FF654CA48C4
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF654CA4A81
PyLong_AsLong, xrefs: 00007FF654CA4774
Failed to get address for PySys_SetObject, xrefs: 00007FF654CA4E80
PyMarshal_ReadObjectFromString, xrefs: 00007FF654CA48FC
Failed to get address for PyErr_Print, xrefs: 00007FF654CA4C58
PyUnicode_Join, xrefs: 00007FF654CA49DC
Failed to get address for Py_DecodeLocale, xrefs: 00007FF654CA4E08
Py_DecodeLocale, xrefs: 00007FF654CA4934
Py_SetProgramName, xrefs: 00007FF654CA45EC
Failed to get address for Py_GetPath, xrefs: 00007FF654CA4B80
Failed to get address for PyImport_ImportModule, xrefs: 00007FF654CA4CB8
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF654CA4E38
Failed to get address for PyList_New, xrefs: 00007FF654CA4C88
PyObject_CallFunction, xrefs: 00007FF654CA47AC
PyErr_NormalizeException, xrefs: 00007FF654CA46CC
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF654CA4EC8
Py_SetPath, xrefs: 00007FF654CA45B4
PyObject_GetAttrString, xrefs: 00007FF654CA4800
Failed to get address for PyUnicode_FromString, xrefs: 00007FF654CA4E20
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF654CA4DC0
Py_DecRef, xrefs: 00007FF654CA4544
Failed to get address for Py_VerboseFlag, xrefs: 00007FF654CA4A96
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF654CA4CD0
Failed to get address for Py_Finalize, xrefs: 00007FF654CA4B20
Failed to get address for Py_DecRef, xrefs: 00007FF654CA4B38
PyObject_SetAttrString, xrefs: 00007FF654CA47E4
Py_OptimizeFlag, xrefs: 00007FF654CA44C8
PyErr_Clear, xrefs: 00007FF654CA4640
Py_NoSiteFlag, xrefs: 00007FF654CA4490
Failed to get address for PyErr_Fetch, xrefs: 00007FF654CA4C40
Py_SetPythonHome, xrefs: 00007FF654CA4608
Failed to get address for Py_BuildValue, xrefs: 00007FF654CA4B50
Failed to get address for PyLong_AsLong, xrefs: 00007FF654CA4D00
PyImport_ExecCodeModule, xrefs: 00007FF654CA4704
PySys_AddWarnOption, xrefs: 00007FF654CA4854
Py_GetPath, xrefs: 00007FF654CA45D0
Py_IgnoreEnvironmentFlag, xrefs: 00007FF654CA4474
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF654CA4D90
PyErr_Fetch, xrefs: 00007FF654CA4694
Py_IncRef, xrefs: 00007FF654CA457C
Py_NoUserSiteDirectory, xrefs: 00007FF654CA44AC
Failed to get address for Py_UTF8Mode, xrefs: 00007FF654CA4A3C
PyUnicode_AsUTF8, xrefs: 00007FF654CA49C0
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF654CA4EB0
PyImport_ImportModule, xrefs: 00007FF654CA4720
Failed to get address for PyErr_Restore, xrefs: 00007FF654CA4C28
PyImport_AddModule, xrefs: 00007FF654CA46E8
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF654CA4EF8
Py_DontWriteBytecodeFlag, xrefs: 00007FF654CA4423
Failed to get address for Py_Initialize, xrefs: 00007FF654CA4BB0
PyRun_SimpleStringFlags, xrefs: 00007FF654CA4838
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF654CA4D48
GetProcAddress, xrefs: 00007FF654CA4A43, 00007FF654CA4A5E, 00007FF654CA4A73, 00007FF654CA4A88, 00007FF654CA4A9D, 00007FF654CA4AB2, 00007FF654CA4AC7, 00007FF654CA4ADF, 00007FF654CA4AF7, 00007FF654CA4B0F, 00007FF654CA4B27, 00007FF654CA4B3F, 00007FF654CA4B57, 00007FF654CA4B6F, 00007FF654CA4B87, 00007FF654CA4B9F, 00007FF654CA4BB7, 00007FF654CA4BCF, 00007FF654CA4BE7, 00007FF654CA4BFF, 00007FF654CA4C17, 00007FF654CA4C2F, 00007FF654CA4C47, 00007FF654CA4C5F, 00007FF654CA4C77, 00007FF654CA4C8F, 00007FF654CA4CA7, 00007FF654CA4CBF, 00007FF654CA4CD7, 00007FF654CA4CEF, 00007FF654CA4D07, 00007FF654CA4D1F, 00007FF654CA4D37, 00007FF654CA4D4F, 00007FF654CA4D67, 00007FF654CA4D7F, 00007FF654CA4D97, 00007FF654CA4DAF, 00007FF654CA4DC7, 00007FF654CA4DDF, 00007FF654CA4DF7, 00007FF654CA4E0F, 00007FF654CA4E27, 00007FF654CA4E3F, 00007FF654CA4E57, 00007FF654CA4E6F, 00007FF654CA4E87, 00007FF654CA4E9F, 00007FF654CA4EB7, 00007FF654CA4ECF, 00007FF654CA4EE7, 00007FF654CA4EFF, 00007FF654CA4F17, 00007FF654CA4F2F, 00007FF654CA4F47
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF654CA4AF0
PyErr_Occurred, xrefs: 00007FF654CA465C
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF654CA4A6C
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF654CA4C70
Py_FileSystemDefaultEncoding, xrefs: 00007FF654CA443C
Py_UTF8Mode, xrefs: 00007FF654CA4A20
Failed to get address for Py_IncRef, xrefs: 00007FF654CA4B08
PySys_SetObject, xrefs: 00007FF654CA48A8
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF654CA4AD8
Failed to get address for PyErr_Clear, xrefs: 00007FF654CA4C10
PyDict_GetItemString, xrefs: 00007FF654CA4624
Failed to get address for PyUnicode_Decode, xrefs: 00007FF654CA4EE0
Py_Finalize, xrefs: 00007FF654CA4560
Py_FrozenFlag, xrefs: 00007FF654CA4458
PyUnicode_Replace, xrefs: 00007FF654CA49F8
Py_UnbufferedStdioFlag, xrefs: 00007FF654CA4500
Failed to get address for PyUnicode_Join, xrefs: 00007FF654CA4E98
PyUnicode_Decode, xrefs: 00007FF654CA4988
PyEval_EvalCode, xrefs: 00007FF654CA48E0
Failed to get address for PySys_SetPath, xrefs: 00007FF654CA4E68
PyErr_Print, xrefs: 00007FF654CA4678
PyObject_CallFunctionObjArgs, xrefs: 00007FF654CA47C8
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF654CA4DD8
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF654CA4F28
PyList_Append, xrefs: 00007FF654CA473C
PyModule_GetDict, xrefs: 00007FF654CA4790
Failed to get address for Py_SetPythonHome, xrefs: 00007FF654CA4BE0
Failed to get address for Py_FrozenFlag, xrefs: 00007FF654CA4A57
Failed to get address for PyObject_CallFunction, xrefs: 00007FF654CA4D18
Failed to get address for PyUnicode_Replace, xrefs: 00007FF654CA4F40
Failed to get address for PyEval_EvalCode, xrefs: 00007FF654CA4E50
Failed to get address for PyList_Append, xrefs: 00007FF654CA4CA0
PySys_GetObject, xrefs: 00007FF654CA488C
PyUnicode_FromFormat, xrefs: 00007FF654CA496C
PyMem_RawFree, xrefs: 00007FF654CA4950
PyObject_Str, xrefs: 00007FF654CA481C
Failed to get address for PySys_GetObject, xrefs: 00007FF654CA4DA8
PyErr_Restore, xrefs: 00007FF654CA46B0
Py_BuildValue, xrefs: 00007FF654CA4528
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF654CA4AC0
Py_Initialize, xrefs: 00007FF654CA4598
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF654CA4DF0
Failed to get address for PyModule_GetDict, xrefs: 00007FF654CA4D30
Failed to get address for PyMem_RawFree, xrefs: 00007FF654CA4F10
PyList_New, xrefs: 00007FF654CA4758
Failed to get address for Py_SetProgramName, xrefs: 00007FF654CA4B68
Failed to get address for PyImport_AddModule, xrefs: 00007FF654CA4CE8
Failed to get address for PyDict_GetItemString, xrefs: 00007FF654CA4BC8
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF654CA4AAB
PyUnicode_FromString, xrefs: 00007FF654CA4918
Failed to get address for PyErr_Occurred, xrefs: 00007FF654CA4BF8
Failed to get address for Py_SetPath, xrefs: 00007FF654CA4B98
Failed to get address for PyObject_Str, xrefs: 00007FF654CA4D78
PyUnicode_DecodeFSDefault, xrefs: 00007FF654CA49A4
PySys_SetArgvEx, xrefs: 00007FF654CA4870

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 4916de274225d75524e548f11a2fa4b69452b516a84e6ab57919398c0b26c71a
Instruction ID: 82984f45b2155a2aa39184cfb74638ee80bfdb5d574a0626826153511e8dae7a
Opcode Fuzzy Hash: 4916de274225d75524e548f11a2fa4b69452b516a84e6ab57919398c0b26c71a
Instruction Fuzzy Hash: 8E52A0E0E1DA0791EA49DB16FAF00B42275AFC4381B8C91F3C45EA27A2EF6CE545D315

Function 00007FF654CA2560 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF654CA2593
MulDiv.KERNEL32 ref: 00007FF654CA25B0
MulDiv.KERNEL32 ref: 00007FF654CA25C9
SystemParametersInfoW.USER32 ref: 00007FF654CA260F
LoadIconMetric.COMCTL32 ref: 00007FF654CA2643
CreateWindowExW.USER32 ref: 00007FF654CA26A1
CreateWindowExW.USER32 ref: 00007FF654CA26FB
CreateWindowExW.USER32 ref: 00007FF654CA275C
CreateWindowExW.USER32 ref: 00007FF654CA27BE
SendMessageW.USER32 ref: 00007FF654CA27E1
SendMessageW.USER32 ref: 00007FF654CA27F9
SendMessageW.USER32 ref: 00007FF654CA2814
SendMessageW.USER32 ref: 00007FF654CA2831
SendMessageW.USER32 ref: 00007FF654CA284C
SendMessageW.USER32 ref: 00007FF654CA2867
SendMessageW.USER32 ref: 00007FF654CA2882
SendMessageW.USER32 ref: 00007FF654CA2896
SendMessageW.USER32 ref: 00007FF654CA28AB
GetClientRect.USER32 ref: 00007FF654CA28B6
CreateFontIndirectW.GDI32 ref: 00007FF654CA28D8

Strings

BUTTON, xrefs: 00007FF654CA2774
Failed to vqmkBiYr script '%ls' due to unhandled exception: %ls, xrefs: 00007FF654CA256B
Close, xrefs: 00007FF654CA2764
STATIC, xrefs: 00007FF654CA263C
EDIT, xrefs: 00007FF654CA2712
, xrefs: 00007FF654CA25FD

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: MessageSend$Create$Window$BaseClientDialogFontIconIndirectInfoLoadMetricParametersRectSystemUnits
String ID: $BUTTON$Close$EDIT$Failed to vqmkBiYr script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 3223904152-2049099994
Opcode ID: f946fc37740113d1f7e6e8a1de48a3746edf2e82bfe78e13903bb1f18fd90df2
Instruction ID: 709febca6ca9bb1fff722a10e6abc08a1bf68adee4d3bfccb26f7a8030932bae
Opcode Fuzzy Hash: f946fc37740113d1f7e6e8a1de48a3746edf2e82bfe78e13903bb1f18fd90df2
Instruction Fuzzy Hash: EB91BD76218B9082E7108F61E4A479A7770F788BC8F14413AEE8C5BB98CF7EC085CB50

Function 00007FF654CA7E50 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF654CA7E92
WideCharToMultiByte.KERNEL32 ref: 00007FF654CA7ED2
GetLastError.KERNEL32 ref: 00007FF654CA7F18

Strings

PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF654CA7F43
No error messages generated., xrefs: 00007FF654CA7EF0
PyInstaller: FormatMessageW failed., xrefs: 00007FF654CA7F03
WideCharToMultiByte, xrefs: 00007FF654CA7E56, 00007FF654CA7F37
FormatMessageW, xrefs: 00007FF654CA7EF7
Failed to encode wchar_t as UTF-8., xrefs: 00007FF654CA7F30

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharErrorFormatLastMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 1653872744-2573406579
Opcode ID: cbdb8eea67fde94177a7de486669295192c3b68fd3ad581342b718ce3b64fd12
Instruction ID: 17ace3ffe9bc72564030de6aadc604497a6a47deef951c714ff299baa734e2c8
Opcode Fuzzy Hash: cbdb8eea67fde94177a7de486669295192c3b68fd3ad581342b718ce3b64fd12
Instruction Fuzzy Hash: 5021AEB1A18A4381F7609B15F8E07A62271AFC5394F8C41BAE94DA2AA4DF3CD589C700

Function 00007FF654CA15E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF654CA15F7
LoadLibraryA.KERNEL32 ref: 00007FF654CA1608
GetProcAddress.KERNEL32 ref: 00007FF654CA1626
GetProcAddress.KERNEL32 ref: 00007FF654CA1635

Strings

libgcc_s_dw2-1.dll, xrefs: 00007FF654CA15ED
__register_frame_info, xrefs: 00007FF654CA1615
__deregister_frame_info, xrefs: 00007FF654CA1628

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: e6b7f3097ed1fa55bbfab8c2ac934be5e0bcb191cc89f52011f527b87621e30f
Instruction ID: 1f0784ae3fc797d470a0edd04e01738fd937e673f3f285ace8211833898c514f
Opcode Fuzzy Hash: e6b7f3097ed1fa55bbfab8c2ac934be5e0bcb191cc89f52011f527b87621e30f
Instruction Fuzzy Hash: B701BAA4A4AA5B91EA119B06F9A017423B4AF88794F8C41B3C84EE7364EF2CE546C300

Function 00007FF654CB508A Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 1364COMMON

Download Yara Rule

Strings

NaN, xrefs: 00007FF654CB51BE
Infinity, xrefs: 00007FF654CB518D

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID:
String ID: Infinity$NaN
API String ID: 0-4285296124
Opcode ID: ec4959e25b3a233c40df6fe2cbcd1797900df63c317f93c6ae3b59cfffbb73f8
Instruction ID: a0a86ad1bd87730252e6bb342f09852a2edcecc35cc192d76e1b530284448896
Opcode Fuzzy Hash: ec4959e25b3a233c40df6fe2cbcd1797900df63c317f93c6ae3b59cfffbb73f8
Instruction Fuzzy Hash: 49E219B2A04B458EE751CF79C4942AC37B1FB8578CF548266EA0DA7B59DF38E481CB40

Function 00007FF654CA9640 Relevance: 3.9, Strings: 3, Instructions: 138COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF654CAA772
incorrect header check, xrefs: 00007FF654CAA3CB
unknown compression method, xrefs: 00007FF654CAA179

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size$unknown compression method
API String ID: 0-1186847913
Opcode ID: d51e19eb2a5d66987ad539d3f96753dfa09b1ab6df977b44f91825f4f2a35776
Instruction ID: 2bfa163b76fa5cb7486f636007f5835faf6bf1e9c253d7819f77c368b2dd6b51
Opcode Fuzzy Hash: d51e19eb2a5d66987ad539d3f96753dfa09b1ab6df977b44f91825f4f2a35776
Instruction Fuzzy Hash: 8951C4B2A186128BE7648E26D4EC57E36B5EF84344F19817ADB1AD7780DF3CE904DB04

Function 00007FF654CA9660 Relevance: 1.5, APIs: 1, Instructions: 253COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00007FF654CA9820

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: ab0a6b18e32699958ec78ff02d5a0d2387750140b9c869829991cde5e5795802
Instruction ID: 76fef823cd1ffdd41cc5cb9dee76c7370260e906de2684464c63258a0e071735
Opcode Fuzzy Hash: ab0a6b18e32699958ec78ff02d5a0d2387750140b9c869829991cde5e5795802
Instruction Fuzzy Hash: 57B1B6B2E083514AE7618F16D0A9B3E7AB5EF85784F19457ADF499BB80DF39D800CB40

Function 00007FF654CAB2A0 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3db726857f4e012455a8f3608d8def5699ee7c479c0fb5f7e8890c9e2af20ea6
Instruction ID: 7c337a4640c50058c412664c0e0cd41d548537c4011215fc11084aeb874a98c2
Opcode Fuzzy Hash: 3db726857f4e012455a8f3608d8def5699ee7c479c0fb5f7e8890c9e2af20ea6
Instruction Fuzzy Hash: 5DD1D572A1C69286D7258F16E0A467E77B0FBC4744F484176EB8AA3B94EF3DD844CB00

Function 00007FF654CABE20 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ac91676b8285db99ac092ed0f9aacb70baec7d96c70589df18768542e35690
Instruction ID: af845014eec887f8036c4e35a8988647dd551fd836ee2100f23940a745fecf55
Opcode Fuzzy Hash: 58ac91676b8285db99ac092ed0f9aacb70baec7d96c70589df18768542e35690
Instruction Fuzzy Hash: 49A128B7B241A047EA50CB2AD46467A77B2F78A7D0F88D262DF8957788CA3DE415C700

Function 00007FF654CA6100 Relevance: 166.6, APIs: 31, Strings: 64, Instructions: 348libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA7950: LoadLibraryExW.KERNEL32 ref: 00007FF654CA7971
Part of subcall function 00007FF654CA7950: free.MSVCRT ref: 00007FF654CA797D

GetProcAddress.KERNEL32 ref: 00007FF654CA680B
GetProcAddress.KERNEL32 ref: 00007FF654CA6827
GetProcAddress.KERNEL32 ref: 00007FF654CA6843
GetProcAddress.KERNEL32 ref: 00007FF654CA685F
GetProcAddress.KERNEL32 ref: 00007FF654CA687B
GetProcAddress.KERNEL32 ref: 00007FF654CA6897
GetProcAddress.KERNEL32 ref: 00007FF654CA68B3
GetProcAddress.KERNEL32 ref: 00007FF654CA68CF
GetProcAddress.KERNEL32 ref: 00007FF654CA68EB
GetProcAddress.KERNEL32 ref: 00007FF654CA6907
GetProcAddress.KERNEL32 ref: 00007FF654CA6923
GetProcAddress.KERNEL32 ref: 00007FF654CA693F
GetProcAddress.KERNEL32 ref: 00007FF654CA695B
GetProcAddress.KERNEL32 ref: 00007FF654CA6977
GetProcAddress.KERNEL32 ref: 00007FF654CA6993
GetProcAddress.KERNEL32 ref: 00007FF654CA69AF
GetProcAddress.KERNEL32 ref: 00007FF654CA69CB
GetProcAddress.KERNEL32 ref: 00007FF654CA69E7
GetProcAddress.KERNEL32 ref: 00007FF654CA6A03
GetProcAddress.KERNEL32 ref: 00007FF654CA6A1F
GetProcAddress.KERNEL32 ref: 00007FF654CA6A3B
GetProcAddress.KERNEL32 ref: 00007FF654CA6A57
GetProcAddress.KERNEL32 ref: 00007FF654CA6A73
GetProcAddress.KERNEL32 ref: 00007FF654CA6A8F
GetProcAddress.KERNEL32 ref: 00007FF654CA6AAB
GetProcAddress.KERNEL32 ref: 00007FF654CA6AC7
GetProcAddress.KERNEL32 ref: 00007FF654CA6AE3
GetProcAddress.KERNEL32 ref: 00007FF654CA6AFF
GetProcAddress.KERNEL32 ref: 00007FF654CA6B1B
GetProcAddress.KERNEL32 ref: 00007FF654CA6B37
GetProcAddress.KERNEL32 ref: 00007FF654CA6B53

Strings

Tcl_CreateThread, xrefs: 00007FF654CA68C5
Tcl_Init, xrefs: 00007FF654CA6804
Failed to get address for Tcl_Init, xrefs: 00007FF654CA6B6F
Tcl_EvalFile, xrefs: 00007FF654CA6AA1
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF654CA6B8F
Tcl_DeleteInterp, xrefs: 00007FF654CA68A9
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF654CA6CE8
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF654CA6D78
Failed to get address for Tcl_EvalEx, xrefs: 00007FF654CA6E08
Tcl_ConditionFinalize, xrefs: 00007FF654CA6935
Tcl_EvalEx, xrefs: 00007FF654CA6ABD
Tcl_ThreadQueueEvent, xrefs: 00007FF654CA6989
Tcl_EvalObjv, xrefs: 00007FF654CA6AD9
Tcl_ThreadAlert, xrefs: 00007FF654CA69A5
Tcl_GetVar2, xrefs: 00007FF654CA69C1
Tcl_FindExecutable, xrefs: 00007FF654CA6839
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF654CA6D18
Tcl_MutexLock, xrefs: 00007FF654CA68FD
Tcl_CreateInterp, xrefs: 00007FF654CA681D
Failed to get address for Tcl_EvalFile, xrefs: 00007FF654CA6DA8
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF654CA6CB8
Failed to get address for Tcl_Free, xrefs: 00007FF654CA6DC0
Tcl_DoOneEvent, xrefs: 00007FF654CA6855
Tcl_ConditionWait, xrefs: 00007FF654CA696D
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF654CA6CD0
Tk_GetNumMainWindows, xrefs: 00007FF654CA6B49
Tcl_NewStringObj, xrefs: 00007FF654CA6A31
Failed to get address for Tcl_SetVar2, xrefs: 00007FF654CA6D00
Tcl_SetVar2Ex, xrefs: 00007FF654CA6A69
Failed to get address for Tcl_MutexLock, xrefs: 00007FF654CA6C88
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF654CA6C70
Failed to get address for Tcl_Alloc, xrefs: 00007FF654CA6DD8
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF654CA6DF0
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF654CA6BCE
GetProcAddress, xrefs: 00007FF654CA6B76, 00007FF654CA6B96, 00007FF654CA6BAB, 00007FF654CA6BC0, 00007FF654CA6BD5, 00007FF654CA6BEA, 00007FF654CA6BFF, 00007FF654CA6C17, 00007FF654CA6C2F, 00007FF654CA6C47, 00007FF654CA6C5F, 00007FF654CA6C77, 00007FF654CA6C8F, 00007FF654CA6CA7, 00007FF654CA6CBF, 00007FF654CA6CD7, 00007FF654CA6CEF, 00007FF654CA6D07, 00007FF654CA6D1F, 00007FF654CA6D37, 00007FF654CA6D4F, 00007FF654CA6D67, 00007FF654CA6D7F, 00007FF654CA6D97, 00007FF654CA6DAF, 00007FF654CA6DC7, 00007FF654CA6DDF, 00007FF654CA6DF7, 00007FF654CA6E0F, 00007FF654CA6E27, 00007FF654CA6E3F
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF654CA6C10
Failed to get address for Tcl_GetVar2, xrefs: 00007FF654CA6CA0
Tcl_SetVar2, xrefs: 00007FF654CA69DD
Tcl_MutexUnlock, xrefs: 00007FF654CA6919
Tcl_FinalizeThread, xrefs: 00007FF654CA688D
Tcl_Free, xrefs: 00007FF654CA6B11
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF654CA6C28
Tcl_Alloc, xrefs: 00007FF654CA6AF5
Tcl_Finalize, xrefs: 00007FF654CA6871
Failed to get address for Tcl_GetString, xrefs: 00007FF654CA6D48
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF654CA6D30
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF654CA6D60
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF654CA6C40
LOADER: Failed to load tcl/tk libraries, xrefs: 00007FF654CA6150
Tcl_CreateObjCommand, xrefs: 00007FF654CA69F9
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF654CA6BF8
Failed to get address for Tk_Init, xrefs: 00007FF654CA6E20
Tcl_NewByteArrayObj, xrefs: 00007FF654CA6A4D
Tk_Init, xrefs: 00007FF654CA6B2D
Tcl_GetCurrentThread, xrefs: 00007FF654CA68E1
Failed to get address for Tcl_CreateThread, xrefs: 00007FF654CA6BE3
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF654CA6D90
Tcl_GetString, xrefs: 00007FF654CA6A15
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF654CA6BA4
Tcl_ConditionNotify, xrefs: 00007FF654CA6951
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF654CA6C58
Failed to get address for Tcl_Finalize, xrefs: 00007FF654CA6BB9
Tcl_GetObjResult, xrefs: 00007FF654CA6A85
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF654CA6E38

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: AddressProc$LibraryLoadfree
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 4213687213-1453502826
Opcode ID: 12046f0df8fa877728ee4941feaf5612ec9e4b955045cb1a8f9a13e301cd7c08
Instruction ID: 973cf5e1eb3db5a902a6e7c684a0dc43147a4d93fd2fd0fd87dbf93562d895e1
Opcode Fuzzy Hash: 12046f0df8fa877728ee4941feaf5612ec9e4b955045cb1a8f9a13e301cd7c08
Instruction Fuzzy Hash: 0202E3E4E0AB0790EA55DB15F9F40B427B4AFC4380B8C94B7C44EA77A5EE6CE54AC310

Function 00007FF654CA3680 Relevance: 33.5, APIs: 6, Strings: 13, Instructions: 254COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF654CA37C4

Strings

format_exception, xrefs: 00007FF654CA3948
Could not get __main__ module's dict., xrefs: 00007FF654CA3902
Failed to unmarshal code object for %s, xrefs: 00007FF654CA37FC
__file__, xrefs: 00007FF654CA3764
__main__, xrefs: 00007FF654CA36A7
%s%c%s.py, xrefs: 00007FF654CA3739
traceback, xrefs: 00007FF654CA391F
pyi-disable-windowed-traceback, xrefs: 00007FF654CA3882
_pyi_main_co, xrefs: 00007FF654CA379D
Traceback is disabled via bootloader option., xrefs: 00007FF654CA3899
Could not get __main__ module., xrefs: 00007FF654CA38F1
\, xrefs: 00007FF654CA3731
Absolute path to script exceeds PATH_MAX, xrefs: 00007FF654CA37E6

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free
String ID: %s%c%s.py$Absolute path to script exceeds PATH_MAX$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to unmarshal code object for %s$Traceback is disabled via bootloader option.$\$__file__$__main__$_pyi_main_co$format_exception$pyi-disable-windowed-traceback$traceback
API String ID: 1294909896-4198433784
Opcode ID: 3a04efc8f6b0c85cf8dfc67f3231cc18b95e8f3610fca39b876c7c2b14a4cb32
Instruction ID: a12c2918d72dbe00be560d38cb66e38bb3fa5c46d70aec42375497fa29625e06
Opcode Fuzzy Hash: 3a04efc8f6b0c85cf8dfc67f3231cc18b95e8f3610fca39b876c7c2b14a4cb32
Instruction Fuzzy Hash: B5B105A5A09A0A85EA04DB57E8B41792370BFC9FC5F8844B3DD1EA77B1EE3CE4059700

Function 00007FF654CAE270 Relevance: 25.7, APIs: 17, Instructions: 223COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF654CAE28F
_strdup.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE2A6
setlocale.MSVCRT ref: 00007FF654CAE2BE
mbstowcs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE2F5
mbstowcs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE366
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE46D
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE4A6
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE4D5
realloc.MSVCRT ref: 00007FF654CAE4F0
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE51C
setlocale.MSVCRT ref: 00007FF654CAE52D
free.MSVCRT ref: 00007FF654CAE539
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE562
realloc.MSVCRT ref: 00007FF654CAE57D
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE5A1
setlocale.MSVCRT ref: 00007FF654CAE5B2
free.MSVCRT ref: 00007FF654CAE5BE

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: wcstombs$setlocale$freembstowcsrealloc$_strdup
String ID:
API String ID: 1093732947-0
Opcode ID: 18a3bf99bbea6804c92c0b9e4b21d59020ad17d25526b3b34f8233c8396aa3f0
Instruction ID: 48c3d16ae4a0d8245a67ff6491d3204a8a2541cc9008ad528d788b2e1e2ea89d
Opcode Fuzzy Hash: 18a3bf99bbea6804c92c0b9e4b21d59020ad17d25526b3b34f8233c8396aa3f0
Instruction Fuzzy Hash: 22A140A6F05B5588FB409BA6D8902BD33B0BB85B88F844576DE4CA7799EF3CD4018360

Function 00007FF654CA5550 Relevance: 25.6, APIs: 2, Strings: 15, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA6FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF654CA700C

free.MSVCRT ref: 00007FF654CA5720
free.MSVCRT ref: 00007FF654CA5735

Strings

Failed to convert pypath to wchar_t, xrefs: 00007FF654CA57AA
Error detected starting Python VM., xrefs: 00007FF654CA5764
Invalid value for PYTHONUTF8=%s; disabling utf-8 mode!, xrefs: 00007FF654CA5753
base_library.zip, xrefs: 00007FF654CA5634
sys.path (based on %s) exceeds buffer[%d] space, xrefs: 00007FF654CA5780
lib-dynload, xrefs: 00007FF654CA5622
Failed to convert pyhome to wchar_t, xrefs: 00007FF654CA57B8
\, xrefs: 00007FF654CA5654
Failed to convert progname to wchar_t, xrefs: 00007FF654CA579C
;, xrefs: 00007FF654CA564C
%s%c%s%c%s%c%s%c%s, xrefs: 00007FF654CA563B
\, xrefs: 00007FF654CA566E
PYTHONUTF8, xrefs: 00007FF654CA555A
;, xrefs: 00007FF654CA5661
Failed to convert argv to wchar_t, xrefs: 00007FF654CA578E

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$EnvironmentVariable
String ID: %s%c%s%c%s%c%s%c%s$;$;$Error detected starting Python VM.$Failed to convert argv to wchar_t$Failed to convert progname to wchar_t$Failed to convert pyhome to wchar_t$Failed to convert pypath to wchar_t$Invalid value for PYTHONUTF8=%s; disabling utf-8 mode!$PYTHONUTF8$\$\$base_library.zip$lib-dynload$sys.path (based on %s) exceeds buffer[%d] space
API String ID: 471908985-2552457735
Opcode ID: c48456801aa9cd7d8cc58aca705c0cba2a25958533fc06219b0b3206e7b935ed
Instruction ID: c5265b3b3413d4e9f1c6cb2bef02cd0de2cf1d92495f50b3756175d3fd4c8a5b
Opcode Fuzzy Hash: c48456801aa9cd7d8cc58aca705c0cba2a25958533fc06219b0b3206e7b935ed
Instruction Fuzzy Hash: F3613EA5E19A1685FA149B12E8F42B92370AFC4B84F8C80B3D94EF77A5DF2CE545C704

Function 00007FF654CA31B0 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 202stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA3140: strcpy.MSVCRT(?,?,_MEIPASS2,?,00007FF654CA362C), ref: 00007FF654CA3183

strcmp.MSVCRT ref: 00007FF654CA333C
strcmp.MSVCRT ref: 00007FF654CA335F

Part of subcall function 00007FF654CA7840: fread.MSVCRT ref: 00007FF654CA78B1
Part of subcall function 00007FF654CA7840: ferror.MSVCRT ref: 00007FF654CA78C1
Part of subcall function 00007FF654CA7840: clearerr.MSVCRT(?,00000000,?,00007FF654CA3267,?,00000000,?,00000000,?,?,_MEIPASS2,?,00007FF654CA362C), ref: 00007FF654CA78CD
Part of subcall function 00007FF654CA7840: fclose.MSVCRT ref: 00007FF654CA7909
Part of subcall function 00007FF654CA7840: fclose.MSVCRT ref: 00007FF654CA7911

Strings

malloc, xrefs: 00007FF654CA34E8
Error extracting %s, xrefs: 00007FF654CA3501
%s%s%s%s%s, xrefs: 00007FF654CA322C
%s%s%s%s%s%s%s, xrefs: 00007FF654CA32AA
Archive not found: %s, xrefs: 00007FF654CA34B7
Error copying %s, xrefs: 00007FF654CA34D0
%s%s%s.exe, xrefs: 00007FF654CA33A6
%s%s%s.pkg, xrefs: 00007FF654CA32D8
%s%s%s, xrefs: 00007FF654CA33C8
Archive path exceeds PATH_MAX, xrefs: 00007FF654CA34A0
_MEIPASS2, xrefs: 00007FF654CA31B7
Error opening archive %s, xrefs: 00007FF654CA34E1

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fclosestrcmp$clearerrferrorfreadstrcpy
String ID: %s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s$%s%s%s.exe$%s%s%s.pkg$Archive not found: %s$Archive path exceeds PATH_MAX$Error copying %s$Error extracting %s$Error opening archive %s$_MEIPASS2$malloc
API String ID: 2929065527-1083822304
Opcode ID: 1bf022133e02d134ef5717c222b468332fb72b96faf3dfb86209f937b62aaa32
Instruction ID: c4b7c286565264d354afc042142f1fca079c9f0df6d692b30c39b3c4c317a512
Opcode Fuzzy Hash: 1bf022133e02d134ef5717c222b468332fb72b96faf3dfb86209f937b62aaa32
Instruction Fuzzy Hash: 058143A1A08A4251FA109B66E8B41FA6674AFC47D4F4841B3EE4DE7BE6DE3CE545C300

Function 00007FF654CA4FB0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 138stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00007FF654CA506F
mbstowcs.MSVCRT(00000000,00004078,00000000,?,?,?,_MEIPASS2,00007FF654CA56C4), ref: 00007FF654CA509F

Strings

pyi-, xrefs: 00007FF654CA503C
Failed to convert Wflag %s using mbstowcs (invalid multibyte string), xrefs: 00007FF654CA51B9
_MEIPASS2, xrefs: 00007FF654CA4FB0

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: mbstowcsstrncmp
String ID: Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$_MEIPASS2$pyi-
API String ID: 1807066385-1485234868
Opcode ID: 4cd6353d8287d9ebdc7f42e50edfcd29b2454bf44d82fac0beb1f5a7f2d26726
Instruction ID: 8896b3b46835a2ba052d1b17a90308db01e8038b6a0ce010468dfe7c4a314018
Opcode Fuzzy Hash: 4cd6353d8287d9ebdc7f42e50edfcd29b2454bf44d82fac0beb1f5a7f2d26726
Instruction Fuzzy Hash: 855171A5A0860681FB149F27D8A43792371AFC5B80F8880B7CD1EA73E1DE3DE4419750

Function 00007FF654CA7110 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF654CA714B
free.MSVCRT ref: 00007FF654CA7156

Part of subcall function 00007FF654CA8650: wcslen.MSVCRT ref: 00007FF654CA8659

_wfullpath.MSVCRT ref: 00007FF654CA717E
wcschr.MSVCRT(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71AD
wcsncpy.MSVCRT ref: 00007FF654CA71DB
CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71E5
wcschr.MSVCRT(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71F0
CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA7202
_wcsdup.MSVCRT ref: 00007FF654CA721B

Strings

LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF654CA7260
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF654CA7250
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF654CA7230

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: CreateDirectorywcschr$ByteCharEnvironmentExpandMultiStringsWide_wcsdup_wfullpathfreewcslenwcsncpy
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 274989731-3498232454
Opcode ID: d414b3e691f8c4d26ce76b45fbcb3174c9ed9ce5588de55e0f29948b1c7c796a
Instruction ID: 74490da21c68abeb4f98825352fe761e65e5eb0397b104ffbe40d1d688640675
Opcode Fuzzy Hash: d414b3e691f8c4d26ce76b45fbcb3174c9ed9ce5588de55e0f29948b1c7c796a
Instruction Fuzzy Hash: B531F791B4D64285FA65A76698B43FA11A26FC8BC1FCC4476DE0EFB7C5ED2CE0458310

Function 00007FF654CA1AF0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 103COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF654CA1B2E
fread.MSVCRT ref: 00007FF654CA1B7C
free.MSVCRT ref: 00007FF654CA1BA1
fclose.MSVCRT ref: 00007FF654CA1BB2

Strings

fseek, xrefs: 00007FF654CA1C44
Failed to extract %s: failed to open archive file!, xrefs: 00007FF654CA1C15
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF654CA1C3D
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF654CA1C5A
fread, xrefs: 00007FF654CA1B92
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF654CA1B8B
malloc, xrefs: 00007FF654CA1C61

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fclosefreadfreemalloc
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 3295367466-3659356012
Opcode ID: 17395cb0609f390432f450284fee7c978720a2aa7aeaa7cb82b717c276d2117a
Instruction ID: 572f06128dd524eefc0dfb7737fbcec5e7b6fca825b2bf5b9956e42b6949d000
Opcode Fuzzy Hash: 17395cb0609f390432f450284fee7c978720a2aa7aeaa7cb82b717c276d2117a
Instruction Fuzzy Hash: 4031CEE2B0965655FB059B12E8B06BA2374AF847D8FCC40B3DD0DA6791EE3CE549C300

Function 00007FF654CA5410 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF654CA542B
_strdup.MSVCRT ref: 00007FF654CA5433
calloc.MSVCRT ref: 00007FF654CA5457
setlocale.MSVCRT ref: 00007FF654CA5479
free.MSVCRT ref: 00007FF654CA54C0
free.MSVCRT ref: 00007FF654CA54D7
free.MSVCRT ref: 00007FF654CA54DF
setlocale.MSVCRT ref: 00007FF654CA5509
free.MSVCRT ref: 00007FF654CA5511

Strings

out of memory, xrefs: 00007FF654CA5528
Fatal error: unable to decode the command line argument #%i, xrefs: 00007FF654CA54E6

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$setlocale$_strdupcalloc
String ID: Fatal error: unable to decode the command line argument #%i$out of memory
API String ID: 3058678114-3355598041
Opcode ID: b3a94ae4ac6b4f6312338ae72a3d926f4a238985db292fd2604171276d9b9414
Instruction ID: b37cbe9adbc706a66e8b13a9d33bc4c771da5d6c849319b5a869130fa528bd46
Opcode Fuzzy Hash: b3a94ae4ac6b4f6312338ae72a3d926f4a238985db292fd2604171276d9b9414
Instruction Fuzzy Hash: 8F21C192B0961251FA15E716D8B13BD6661AFC4B84FCCC4B6DD4EAB782EE3CE8458310

Function 00007FF654CA29E0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF654CA2A08
memset.MSVCRT ref: 00007FF654CA2A56
_wcsdup.MSVCRT ref: 00007FF654CA2A76
_wcsdup.MSVCRT ref: 00007FF654CA2A86
DialogBoxIndirectParamW.USER32 ref: 00007FF654CA2AA8
free.MSVCRT ref: 00007FF654CA2AB8
free.MSVCRT ref: 00007FF654CA2AC5
free.MSVCRT ref: 00007FF654CA2AD2
DeleteObject.GDI32 ref: 00007FF654CA2AE4
DestroyIcon.USER32 ref: 00007FF654CA2AF7

Strings

Unhandled exception in script, xrefs: 00007FF654CA2A18

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$_wcsdup$DeleteDestroyDialogHandleIconIndirectModuleObjectParammemset
String ID: Unhandled exception in script
API String ID: 2803985813-2699770090
Opcode ID: f526219bed773062a0d0eb333ccd5c88dea8aa0be73e6a7d34a87cd471690584
Instruction ID: f65e00833b24fff55ad8e33450edaa6d9902ffb8a622caae0893211575ac7eb8
Opcode Fuzzy Hash: f526219bed773062a0d0eb333ccd5c88dea8aa0be73e6a7d34a87cd471690584
Instruction Fuzzy Hash: 48218171A09A8281EA25DB52F8A46FA7370BFC5B80F884076EE4EA3B45DE3CD0458710

Function 00007FF654CA5EE0 Relevance: 18.1, APIs: 9, Strings: 3, Instructions: 131stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF654CA5F09
memcpy.MSVCRT ref: 00007FF654CA5F4D
strlen.MSVCRT ref: 00007FF654CA5F67
strlen.MSVCRT ref: 00007FF654CA5F74
strlen.MSVCRT ref: 00007FF654CA5FA0
free.MSVCRT ref: 00007FF654CA5FF3
strncpy.MSVCRT ref: 00007FF654CA604D
strncpy.MSVCRT ref: 00007FF654CA607A
strncpy.MSVCRT ref: 00007FF654CA60E9

Strings

SPLASH: Cannot extract requirement %s., xrefs: 00007FF654CA60B3
SPLASH: Cannot find requirement %s in archive., xrefs: 00007FF654CA5FDF
_MEIPASS2, xrefs: 00007FF654CA5EE7

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: strlenstrncpy$callocfreememcpy
String ID: SPLASH: Cannot extract requirement %s.$SPLASH: Cannot find requirement %s in archive.$_MEIPASS2
API String ID: 4189425833-927121926
Opcode ID: e6d1f26a4508f2d6b54d28664a714fd9177c36a59f672facb49a808df95541a7
Instruction ID: 3838584349d1490d4bcda8e338be0a0421b1023dce89942d3d894a3b134a78bb
Opcode Fuzzy Hash: e6d1f26a4508f2d6b54d28664a714fd9177c36a59f672facb49a808df95541a7
Instruction Fuzzy Hash: FD41F69170865255EA14EA23D8A47FA6374BFC4BC4F8C81B2EE1DA7786DE3CE145C314

Function 00007FF654CA2350 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF654CA2371
SelectObject.GDI32 ref: 00007FF654CA23C8
DrawTextW.USER32 ref: 00007FF654CA23EB
SelectObject.GDI32 ref: 00007FF654CA2401
ReleaseDC.USER32 ref: 00007FF654CA2411
MoveWindow.USER32 ref: 00007FF654CA245D
MoveWindow.USER32 ref: 00007FF654CA249C
MoveWindow.USER32 ref: 00007FF654CA24ED
MoveWindow.USER32 ref: 00007FF654CA252A

Strings

P%, xrefs: 00007FF654CA23D1

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: fea85488d9d1cac119e4a29d1ca9f633e5fae16107e641c76dad77d3c19cf46f
Instruction ID: 5a3431e8b08e52a4e24999c880935af3c735b4784b6e8aa00516d9c09925fbb2
Opcode Fuzzy Hash: fea85488d9d1cac119e4a29d1ca9f633e5fae16107e641c76dad77d3c19cf46f
Instruction Fuzzy Hash: F44187762156A18AD7208F36E44877977B1F788F99F084232EE8987B58DF3CD185CB20

Function 00007FF654CA5CC0 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 124stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 00007FF654CA5D08
strncpy.MSVCRT ref: 00007FF654CA5D1E

Part of subcall function 00007FF654CA40E0: strlen.MSVCRT ref: 00007FF654CA412F
Part of subcall function 00007FF654CA40E0: strncat.MSVCRT ref: 00007FF654CA4149

calloc.MSVCRT ref: 00007FF654CA5D59
malloc.MSVCRT ref: 00007FF654CA5D79
malloc.MSVCRT ref: 00007FF654CA5D99
memcpy.MSVCRT ref: 00007FF654CA5DD7
memcpy.MSVCRT ref: 00007FF654CA5DEC
memcpy.MSVCRT ref: 00007FF654CA5E01
free.MSVCRT ref: 00007FF654CA5E23

Strings

Cannot allocate memory for necessary files., xrefs: 00007FF654CA5E6F
_MEIPASS2, xrefs: 00007FF654CA5CC2

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: memcpy$mallocstrncpy$callocfreestrlenstrncat
String ID: Cannot allocate memory for necessary files.$_MEIPASS2
API String ID: 257583877-1389504347
Opcode ID: 3bb8c8111f3117a67a20ab620bc2b59a0c8817dcbebb759f212a3c23a2c28dbc
Instruction ID: 8d1787d98f764d605fcd2b9c2f1131e514017fab3f9d5bc73a880ffff7624449
Opcode Fuzzy Hash: 3bb8c8111f3117a67a20ab620bc2b59a0c8817dcbebb759f212a3c23a2c28dbc
Instruction Fuzzy Hash: 0241E3B2B0524146EA28DA22D5A42ED7772BF847D0F888472CF1EA37C5EE7CE5458310

Function 00007FF654CA7840 Relevance: 15.1, APIs: 10, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA43B0: _wfopen.MSVCRT ref: 00007FF654CA43F5

Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7723
Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7753
Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7769
Part of subcall function 00007FF654CA76B0: strcpy.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA777A
Part of subcall function 00007FF654CA76B0: strtok.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA7784

fread.MSVCRT ref: 00007FF654CA78B1
ferror.MSVCRT ref: 00007FF654CA78C1
clearerr.MSVCRT(?,00000000,?,00007FF654CA3267,?,00000000,?,00000000,?,?,_MEIPASS2,?,00007FF654CA362C), ref: 00007FF654CA78CD
fwrite.MSVCRT ref: 00007FF654CA78E3
ferror.MSVCRT ref: 00007FF654CA78F0
clearerr.MSVCRT(?,00000000,?,00007FF654CA3267,?,00000000,?,00000000,?,?,_MEIPASS2,?,00007FF654CA362C), ref: 00007FF654CA78FC
fclose.MSVCRT ref: 00007FF654CA7909
fclose.MSVCRT ref: 00007FF654CA7911
fclose.MSVCRT ref: 00007FF654CA7934
fclose.MSVCRT ref: 00007FF654CA7941

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fclose$strlen$clearerrferror$_wfopenfreadfwritestrcpystrtok
String ID:
API String ID: 4076046571-0
Opcode ID: 66eaf6115f00770fdaf54dc94ed29b1f7162dcf97e56a77bd725569914621a69
Instruction ID: fdf851524041cf60aa971b2870663fcfe0cc434886bc99e8c92c91708060d421
Opcode Fuzzy Hash: 66eaf6115f00770fdaf54dc94ed29b1f7162dcf97e56a77bd725569914621a69
Instruction Fuzzy Hash: CE214C91F0E25301F815A6639AB13B952A61FC6BE4F4C01B3ED0EFB7C6EE1CE8014691

Function 00007FF654CB207B Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176stringCOMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF654CB211E
fwprintf.MSVCRT ref: 00007FF654CB2153
memset.MSVCRT ref: 00007FF654CB223A
strlen.MSVCRT ref: 00007FF654CB2252

Part of subcall function 00007FF654CB814E: ___mb_cur_max_func.MSVCRT ref: 00007FF654CB8184
Part of subcall function 00007FF654CB814E: ___lc_codepage_func.MSVCRT ref: 00007FF654CB818B

fwprintf.MSVCRT ref: 00007FF654CB217B

Part of subcall function 00007FF654CB1FF0: fputwc.MSVCRT ref: 00007FF654CB2040

Strings

%-*.*S, xrefs: 00007FF654CB2149
%.*S, xrefs: 00007FF654CB2171
%*.*S, xrefs: 00007FF654CB2114

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fwprintf$___lc_codepage_func___mb_cur_max_funcfputwcmemsetstrlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 1485978544-2115465065
Opcode ID: c93050da29d2b53cde75ff4ecec3a5117cbc28d906d175e1e5974c7ea21a5eeb
Instruction ID: cff94670349e4770835808b7bccbc8572527a6fc23849749fdb466b07f7ad649
Opcode Fuzzy Hash: c93050da29d2b53cde75ff4ecec3a5117cbc28d906d175e1e5974c7ea21a5eeb
Instruction Fuzzy Hash: D9810BB6A04B458AEB14CF6AC8942AC37F0F788B9CB458566EE5D97B58DF38D440CB40

Function 00007FF654CA8040 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF654CA8088
WideCharToMultiByte.KERNEL32 ref: 00007FF654CA80DA
calloc.MSVCRT ref: 00007FF654CA80F0

Strings

Out of memory., xrefs: 00007FF654CA8101
Failed to get UTF-8 buffer size., xrefs: 00007FF654CA8140
win32_utils_to_utf8, xrefs: 00007FF654CA8108
WideCharToMultiByte, xrefs: 00007FF654CA8127, 00007FF654CA8147
Failed to encode wchar_t as UTF-8., xrefs: 00007FF654CA8120

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1374691127-27947307
Opcode ID: ea88749d0a14f64099691da4aeb15603b84fc63f6c062682654e53545a88106d
Instruction ID: 580e308a626259bb97198b4daae4dde7f46a5b023a7520462a3ef9cc856cef53
Opcode Fuzzy Hash: ea88749d0a14f64099691da4aeb15603b84fc63f6c062682654e53545a88106d
Instruction Fuzzy Hash: D021A1A1A18B4285FA14DB66E8F037662B0AFC4394F8C8177DA4EAAAD1DF7CD044C310

Function 00007FF654CA7F50 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF654CA7F92
calloc.MSVCRT ref: 00007FF654CA7FA2
WideCharToMultiByte.KERNEL32 ref: 00007FF654CA7FD7

Strings

win32_wcs_to_mbs, xrefs: 00007FF654CA802E
Out of memory., xrefs: 00007FF654CA8027
Failed to encode filename as ANSI., xrefs: 00007FF654CA8010
Failed to get ANSI buffer size., xrefs: 00007FF654CA7FF0
WideCharToMultiByte, xrefs: 00007FF654CA7FF7, 00007FF654CA8017

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Out of memory.$WideCharToMultiByte$win32_wcs_to_mbs
API String ID: 1374691127-3831141058
Opcode ID: c974b491895e7bda57dd440c625f49c5a3727ada228be6d7fc02953d331cde25
Instruction ID: 4465dabc60b6ba3ba377ccd988cd8adaf7ff57e94bdfe8c70497c4725ac4c57d
Opcode Fuzzy Hash: c974b491895e7bda57dd440c625f49c5a3727ada228be6d7fc02953d331cde25
Instruction Fuzzy Hash: 4D21D1A1A1C74245E7509B56E8F036666B1EFC4394F88417BE94EB66D5DF7CD104C300

Function 00007FF654CA7B70 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF654CA7B8B
_strdup.MSVCRT ref: 00007FF654CA7BBC
_errno.MSVCRT ref: 00007FF654CA7BF0
strerror.MSVCRT ref: 00007FF654CA7BF8
_errno.MSVCRT ref: 00007FF654CA7C15
strerror.MSVCRT ref: 00007FF654CA7C1D

Strings

LOADER: failed to strdup argv[%d]: %s, xrefs: 00007FF654CA7BFF
LOADER: failed to allocate argv_pyi: %s, xrefs: 00007FF654CA7C22

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: _errnostrerror$_strdupcalloc
String ID: LOADER: failed to allocate argv_pyi: %s$LOADER: failed to strdup argv[%d]: %s
API String ID: 4278403329-2782260415
Opcode ID: 945d6d8d56f37cfe0361321e39814a85846aa9c2cc1a836560a03a797768b115
Instruction ID: 47778568f69772fe3bc2d4f5ee564081688bd911694d37ab6ce697b9a629c490
Opcode Fuzzy Hash: 945d6d8d56f37cfe0361321e39814a85846aa9c2cc1a836560a03a797768b115
Instruction Fuzzy Hash: F111DFE1A1A64285F7119B52E8F01B97671BFC4740F9C41BACD0DA33A1EE3CE484C300

Function 00007FF654CA8210 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246
MultiByteToWideChar.KERNEL32 ref: 00007FF654CA8288
calloc.MSVCRT ref: 00007FF654CA829E

Strings

MultiByteToWideChar, xrefs: 00007FF654CA82CF, 00007FF654CA82EF
win32_utils_from_utf8, xrefs: 00007FF654CA82B2
Out of memory., xrefs: 00007FF654CA82AB
Failed to get wchar_t buffer size., xrefs: 00007FF654CA82E8
Failed to decode wchar_t from UTF-8, xrefs: 00007FF654CA82C8
%s%s: %s, xrefs: 00007FF654CA8210

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: %s%s: %s$Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1374691127-2292745976
Opcode ID: e25d75c4397cd3946ce71200e75b93b7a887f4a347cf1552ce9ec0bda547e504
Instruction ID: 1a86a265c6b070f7596c4c3ecf98d12c87cc4de1c4d3bd552fcbcb96baa33454
Opcode Fuzzy Hash: e25d75c4397cd3946ce71200e75b93b7a887f4a347cf1552ce9ec0bda547e504
Instruction Fuzzy Hash: 3B1193E1F09A4245FA24DB66E8B02B522B19FC8798F8C4277D94DA76D1EE3CE045C320

Function 00007FF654CA57D0 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF654CA57EB
free.MSVCRT ref: 00007FF654CA58BC

Strings

strict, xrefs: 00007FF654CA57F0
_MEIPASS, xrefs: 00007FF654CA5820
Module object for %s is NULL!, xrefs: 00007FF654CA58CB
Failed to get _MEIPASS as PyObject., xrefs: 00007FF654CA58F1
_MEIPASS2, xrefs: 00007FF654CA57D0
utf-8, xrefs: 00007FF654CA57F7

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: freestrlen
String ID: Failed to get _MEIPASS as PyObject.$Module object for %s is NULL!$_MEIPASS$_MEIPASS2$strict$utf-8
API String ID: 322734593-568040347
Opcode ID: 6d413cf45324b08ffd4bc974ac5a2fa952e0ec21fb8adde832674f877a8c338b
Instruction ID: e9478405bfe89d8356fdc044c51e20c3a9de5755dfd6bc7600f40dbc39bedd85
Opcode Fuzzy Hash: 6d413cf45324b08ffd4bc974ac5a2fa952e0ec21fb8adde832674f877a8c338b
Instruction Fuzzy Hash: B9316EA1B09A4691EA149B57E8A40B96330BFC4B94F8C84B3DD1EE77A1EE3CE445D301

Function 00007FF654CA6520 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 157COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF654CA66A9

Strings

_image_data, xrefs: 00007FF654CA6687
exit, xrefs: 00007FF654CA65D2
tclInit, xrefs: 00007FF654CA657B
tcl_findLibrary, xrefs: 00007FF654CA659D
source, xrefs: 00007FF654CA6619
rename ::source ::_source, xrefs: 00007FF654CA65F0

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free
String ID: _image_data$exit$rename ::source ::_source$source$tclInit$tcl_findLibrary
API String ID: 1294909896-1126984729
Opcode ID: f715ec876722e12cdb0f662df770872b06380997f3a1ed7aba2766a90e7ae60b
Instruction ID: 9643b123931b93ecfc1a13828861565f0810a3f814ace5edbc3fe8db6b0e578e
Opcode Fuzzy Hash: f715ec876722e12cdb0f662df770872b06380997f3a1ed7aba2766a90e7ae60b
Instruction Fuzzy Hash: 7071FAB6618A4695EB109F62E8A83693370FB88F85F488073DE5EA7364DF3CD509C740

Function 00007FF654CA5910 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF654CA5925

Strings

strict, xrefs: 00007FF654CA592A
path, xrefs: 00007FF654CA5976
Failed to append to sys.path, xrefs: 00007FF654CA59A0
%U?%llu, xrefs: 00007FF654CA594A
Installing PYZ: Could not get sys.path, xrefs: 00007FF654CA59BC
utf-8, xrefs: 00007FF654CA5934

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: strlen
String ID: %U?%llu$Failed to append to sys.path$Installing PYZ: Could not get sys.path$path$strict$utf-8
API String ID: 39653677-2762566162
Opcode ID: d933acb19d688c888bbabfb13c8229aa91e53fac741f948bdaf742cd5b545c31
Instruction ID: 257fbcc23c0b2da53f40a2928bfc369a0eb1dba8bb13b3ef2f7d882ebe2718e4
Opcode Fuzzy Hash: d933acb19d688c888bbabfb13c8229aa91e53fac741f948bdaf742cd5b545c31
Instruction Fuzzy Hash: F11133A6E0991685FA00DB6AE8A40A96370AFC4FD4B8C8173DD1DE7761EE3CE546C700

Function 00007FF654CB2378 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF654CB241B
fwprintf.MSVCRT ref: 00007FF654CB2450

Part of subcall function 00007FF654CB1FF0: fputwc.MSVCRT ref: 00007FF654CB2040

Strings

%-*.*s, xrefs: 00007FF654CB2446
%.*s, xrefs: 00007FF654CB246E
%*.*s, xrefs: 00007FF654CB2411

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fwprintf$fputwc
String ID: %*.*s$%-*.*s$%.*s
API String ID: 2988249585-4054516066
Opcode ID: b02ba0fa6d73b1136932df1615eabb89f2fc48cd2a4aa50ad3fcf4feca9b3b31
Instruction ID: 56f9b3c771380ba5e434f42c949319a640f5cf67ea75b5c02e06c19b2a15a7b8
Opcode Fuzzy Hash: b02ba0fa6d73b1136932df1615eabb89f2fc48cd2a4aa50ad3fcf4feca9b3b31
Instruction Fuzzy Hash: 9671FCB6A04B89CADB24CF2AC4945AC77F0F788B9CB458566EE4D97B58DF38D400CB40

Function 00007FF654CA6F10 Relevance: 8.8, APIs: 7, Instructions: 67stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF654CA6F30
strlen.MSVCRT ref: 00007FF654CA6F47
strlen.MSVCRT ref: 00007FF654CA6F5C
malloc.MSVCRT ref: 00007FF654CA6F6A

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: strlen$malloc
String ID:
API String ID: 3157260142-0
Opcode ID: b55e16029522fecb1b93b6b8568f11f36e77bc886cc5cb275ce0ddd000ea1ea0
Instruction ID: 649894e7a07060035aba572be40f29fdaeebe30295591872a16ee8c8711d47b8
Opcode Fuzzy Hash: b55e16029522fecb1b93b6b8568f11f36e77bc886cc5cb275ce0ddd000ea1ea0
Instruction Fuzzy Hash: 4311C282B0A14208FC5AEA5359F47BB45A11FD5FD8D8C80B2ED4DAB781FE3CA4468360

Function 00007FF654CA2920 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF654CA2949
EndDialog.USER32 ref: 00007FF654CA2978
GetWindowLongPtrW.USER32 ref: 00007FF654CA2985
InvalidateRect.USER32 ref: 00007FF654CA29A5
SetWindowLongPtrW.USER32 ref: 00007FF654CA29C4

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: DialogLongWindow$InvalidateRect
String ID:
API String ID: 1200242243-0
Opcode ID: 89cb7d82cb1b40587ec4d78b90bde32f8ec055dd5bdbf5a296f83f89b3663874
Instruction ID: cc460658e1ce59e7c95f55528b7dd1d069b67309fb220763fa14eefccef88c29
Opcode Fuzzy Hash: 89cb7d82cb1b40587ec4d78b90bde32f8ec055dd5bdbf5a296f83f89b3663874
Instruction Fuzzy Hash: 5901C0A0E1D17B42F65CA33778E56BC11B1AFD9B11F9C44B3D94FE5B988C2C68C24201

Function 00007FF654CAD850 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF654CAD878

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: a2009b416c13826995d1c9318a92a1b9d2e4341e694bba52663129bfcb9c8ac9
Instruction ID: 26bed0aa39a31060e47e90cc69aba9865991b2ed665222cafed5457c9debdff5
Opcode Fuzzy Hash: a2009b416c13826995d1c9318a92a1b9d2e4341e694bba52663129bfcb9c8ac9
Instruction Fuzzy Hash: 734175B6A096028AF7208B65C4E43BC3272EFC5718F188677CA2DE77D4DE3CD9419241

Function 00007FF654CA2C10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

MessageBoxW.USER32 ref: 00007FF654CA2C93
MessageBoxA.USER32 ref: 00007FF654CA2CBB

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF654CA2C16
WideCharToMultiByte, xrefs: 00007FF654CA2C18

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Failed to get UTF-8 buffer size.$WideCharToMultiByte
API String ID: 1878133881-785100509
Opcode ID: f8b2052244f997f8cf142d2b4763022da063b563fc09b0a30e2edc3fc9052039
Instruction ID: 7dc9d71577be989c89177034a91cf21993150ee6a6a911859f43416f3186c8a1
Opcode Fuzzy Hash: f8b2052244f997f8cf142d2b4763022da063b563fc09b0a30e2edc3fc9052039
Instruction Fuzzy Hash: 0801F5B279879041FB345B62B8547FA6290BB89FD8F888035CE4D67B85CD3DD5858B40

Function 00007FF654CA42F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF654CA4312

Part of subcall function 00007FF654CA8040: WideCharToMultiByte.KERNEL32 ref: 00007FF654CA8088

Strings

GetModuleFileNameW, xrefs: 00007FF654CA434F
Failed to convert executable path to UTF-8., xrefs: 00007FF654CA4360
Failed to get executable path., xrefs: 00007FF654CA4348

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharFileModuleMultiNameWide
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 1532159127-1977442011
Opcode ID: f4bf1276b97d64210b6653597ec094bb76e5d053494305fba7f19c3c38b4cda7
Instruction ID: e4688c0613782778e6b8853051936c5d7a0aef4b84b9e59e4f6a74800fa88d29
Opcode Fuzzy Hash: f4bf1276b97d64210b6653597ec094bb76e5d053494305fba7f19c3c38b4cda7
Instruction Fuzzy Hash: 53F0AFD1B1C15392FA556622A8B53F902B1AFC47C4F8C40B3D84EE67C6DD0EE5469310

Function 00007FF654CA2B10 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF654CA2B78
free.MSVCRT ref: 00007FF654CA2B80
free.MSVCRT ref: 00007FF654CA2B88

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

Strings

Failed to obtain/convert traceback!, xrefs: 00007FF654CA2BA2

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$ByteCharMultiWide
String ID: Failed to obtain/convert traceback!
API String ID: 3219091393-982972847
Opcode ID: 8df6a8358dac60a212556b377cd368c0f9cc8a804325971415c7063dd2af1f98
Instruction ID: 45b0259018f5ba383fbd1b91b62b7673d542c93eb8ca9fedd33e035a73825927
Opcode Fuzzy Hash: 8df6a8358dac60a212556b377cd368c0f9cc8a804325971415c7063dd2af1f98
Instruction Fuzzy Hash: 51017191B5966206FD1DA5A719B2AFA50610FC5BD0D9C48B6ED0FABF82EC2CE4454310

Function 00007FF654CACDD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4
Unknown error, xrefs: 00007FF654CACE6A

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 4b8c868c6939ec88d1abe8f8504a39c26f50d9ef9e938201b9fa1182f5e26e6d
Instruction ID: 160d08a1c4d8db08604566c55807b5423ddb61cdb3b3430b03f1b9281f6d1cac
Opcode Fuzzy Hash: 4b8c868c6939ec88d1abe8f8504a39c26f50d9ef9e938201b9fa1182f5e26e6d
Instruction Fuzzy Hash: F8215E66A04F849AD7128F68D8813E97371FF99798F484622EE8C67728DF38D255C300

Function 00007FF654CA2E50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF654CA2E97

Part of subcall function 00007FF654CA2C10: MessageBoxW.USER32 ref: 00007FF654CA2C93

Strings

Fatal error detected, xrefs: 00007FF654CA2ECB
%s%s: %s, xrefs: 00007FF654CA2EB4

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: Message_errno
String ID: %s%s: %s$Fatal error detected
API String ID: 1796756983-2410924014
Opcode ID: 80f6f717bb9969ece7152c8fde9cb11b8c043fce6b7f1340054d38df66cc8f43
Instruction ID: 0f0c90e1c03a1cbd28842ec4c07fd859d7d71d6edf2705573b18a42781d13223
Opcode Fuzzy Hash: 80f6f717bb9969ece7152c8fde9cb11b8c043fce6b7f1340054d38df66cc8f43
Instruction Fuzzy Hash: 7501A2A261CA8091E224DB11F8907EA6374FBC47C0F948132EFCD63B598E3CD246CB40

Function 00007FF654CACE29 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4
Argument singularity (SIGN), xrefs: 00007FF654CACE29

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 50bb6e3b89c3acdd8da2640c7def1cf69755cc37c592828175fc8adef2d15e3e
Instruction ID: 5ff4d119244352cb4b47f4a5cee92e8a1fd84872159f6b7ed742f4f700e91d03
Opcode Fuzzy Hash: 50bb6e3b89c3acdd8da2640c7def1cf69755cc37c592828175fc8adef2d15e3e
Instruction Fuzzy Hash: 5E01B166904F888AD711CF69C8802AA3330FF8D798F488322EF8C27724DF28C184C300

Function 00007FF654CACE1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

Argument domain error (DOMAIN), xrefs: 00007FF654CACE1C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 3ea1ec97f37694b9006fc54621547460099b2c1b8ca40b1c9d9b39adf94a092d
Instruction ID: 9a56ce93665c2303d4ab2f912c12740723eec1c522abf357ec411255b23e2c6a
Opcode Fuzzy Hash: 3ea1ec97f37694b9006fc54621547460099b2c1b8ca40b1c9d9b39adf94a092d
Instruction Fuzzy Hash: C501B166904F888AD711CF69C8902AA3330FF8D799F484322EF8C27724DF28C144C300

Function 00007FF654CACE50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4
Total loss of significance (TLOSS), xrefs: 00007FF654CACE50

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 48690192945bf7f32f1c5466faad3cff15a9c142b134f494af273dc6dbb7eaa3
Instruction ID: 29756801927750c44cda4c2788db84519a6c331a57eeaa591c7bb19d9feb123c
Opcode Fuzzy Hash: 48690192945bf7f32f1c5466faad3cff15a9c142b134f494af273dc6dbb7eaa3
Instruction Fuzzy Hash: 9C01B166904F888AD712CF29C8802AA3334FF8D798F488322EF8C27764DF28C185C300

Function 00007FF654CACE43 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4
Partial loss of significance (PLOSS), xrefs: 00007FF654CACE43

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 671409083fba1ed317bee3cf4e306283cdb16a53cc92c70d1fd336fd5438df01
Instruction ID: 983412851e244faf7d01a7a946043e183935905247246f44830078ee0125b515
Opcode Fuzzy Hash: 671409083fba1ed317bee3cf4e306283cdb16a53cc92c70d1fd336fd5438df01
Instruction Fuzzy Hash: 2901B166904F888AD711CF29C8902AA3330FF8D798F484722EF8C27724DF28C144C300

Function 00007FF654CACE36 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4
Overflow range error (OVERFLOW), xrefs: 00007FF654CACE36

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 74916eb7a76916125411d7b1f6d0d259c89befd042e1e24e2dfbcfe61768ada9
Instruction ID: 60de4da7dd1c44de1050296ae39041b32620e19bdb2a7de74b7412cd955e8f8b
Opcode Fuzzy Hash: 74916eb7a76916125411d7b1f6d0d259c89befd042e1e24e2dfbcfe61768ada9
Instruction Fuzzy Hash: EA01B166904F888AD711CF29C8902AA3330FF8D798F484322EF8C67764DF28C144C300

Function 00007FF654CACE5D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF654CACE5D

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 828440ead5f24b7a3bcef289b9b0c651ba51a82a4e2612c4078c08dbf4f376dd
Instruction ID: fb016fedc043421df838e72b29ba9651d528aa472941d7cb9bfbb3d4e921c6d2
Opcode Fuzzy Hash: 828440ead5f24b7a3bcef289b9b0c651ba51a82a4e2612c4078c08dbf4f376dd
Instruction Fuzzy Hash: FB019E66904F888AD7128F29C8802AA3330FF8D798F484322EF8C27724DF28C185C300

Function 00007FF654CA61B0 Relevance: 5.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF654CA61CD
free.MSVCRT ref: 00007FF654CA61DE
free.MSVCRT ref: 00007FF654CA61EF
free.MSVCRT ref: 00007FF654CA61F7

Memory Dump Source

Source File: 00000000.00000002.1776766274.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000000.00000002.1776715346.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776795614.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776820435.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776849485.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776879128.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776908837.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1776934926.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: af07cd424250413d133a4ab32c21d85a647da0b60d227f0190338946df3b41f5
Instruction ID: 0698d354b4b25a07765c8f99eb973767fad330d26104eb627c8afaab40cd2894
Opcode Fuzzy Hash: af07cd424250413d133a4ab32c21d85a647da0b60d227f0190338946df3b41f5
Instruction Fuzzy Hash: 7FF08295F1A51240FD19E662E8B07BC2A345FC1B40F8C85B2CF4EB7682CE2CE4424310

Analysis Process: DeltaX.exePID: 7376, Parent PID: 7344COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	894
Total number of Limit Nodes:	32

Executed Functions

Function 66F86560 Relevance: 118.2, APIs: 51, Strings: 16, Instructions: 911librarystringloaderCOMMON

Download Yara Rule

APIs

PySys_GetObject.PYTHON38 ref: 66F86581
PyTuple_GetItem.PYTHON38 ref: 66F8659B
PyLong_AsLong.PYTHON38 ref: 66F865B0
PyTuple_GetItem.PYTHON38 ref: 66F865C0
PyLong_AsLong.PYTHON38 ref: 66F865CE
PySys_GetObject.PYTHON38 ref: 66F865DD
PyLong_AsVoidPtr.PYTHON38 ref: 66F865E9
GetProcAddress.KERNEL32 ref: 66F8660E
GetProcAddress.KERNEL32 ref: 66F8662C
GetProcAddress.KERNEL32 ref: 66F8664A
PyModule_Create2.PYTHON38 ref: 66F86674
PyModule_GetName.PYTHON38 ref: 66F86689
strrchr.MSVCRT ref: 66F866AE
malloc.MSVCRT ref: 66F866C4
memcpy.MSVCRT ref: 66F866DE
PyBytes_FromStringAndSize.PYTHON38 ref: 66F86731
PyBytes_AsString.PYTHON38 ref: 66F8674B
malloc.MSVCRT ref: 66F8675F
PyCFunction_NewEx.PYTHON38 ref: 66F867AA
PyCFunction_NewEx.PYTHON38 ref: 66F867ED
PyCFunction_NewEx.PYTHON38 ref: 66F86830
PyBytes_FromStringAndSize.PYTHON38 ref: 66F8685A
PyBytes_AsString.PYTHON38 ref: 66F86870
_time64.MSVCRT ref: 66F8694D
srand.MSVCRT ref: 66F86955
strstr.MSVCRT ref: 66F86AFC
strncmp.MSVCRT ref: 66F86B38
PyErr_Format.PYTHON38 ref: 66F86BAB
_Py_Dealloc.PYTHON38 ref: 66F86BDA
_Py_Dealloc.PYTHON38 ref: 66F86BE9
malloc.MSVCRT ref: 66F86C0A
free.MSVCRT ref: 66F86C74
malloc.MSVCRT ref: 66F86C80
memcpy.MSVCRT ref: 66F86CA3
free.MSVCRT ref: 66F86CD2
malloc.MSVCRT ref: 66F86CDE
memcpy.MSVCRT ref: 66F86D01
PyErr_Format.PYTHON38 ref: 66F87348

Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9D973
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9D990
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9D9B2
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9D9D2
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9D9F2
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9DA12
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9DA32
Part of subcall function 66F9D940: memcmp.MSVCRT ref: 66F9DA52

Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D6E3
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D703
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D725
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D745
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D765
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D785
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D7A5
Part of subcall function 66F9D6B0: memcmp.MSVCRT ref: 66F9D7C5

Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D10B
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D135
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D154
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D173
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D192
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D1AD
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D1C8
Part of subcall function 66F9D0E0: strcmp.MSVCRT ref: 66F9D1E3

Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D3AB
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D3CF
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D3EB
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D40A
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D429
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D444
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D45F
Part of subcall function 66F9D380: strcmp.MSVCRT ref: 66F9D47A

Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D25B
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D285
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D2A4
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D2C3
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D2E2
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D2FD
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D318
Part of subcall function 66F9D230: strcmp.MSVCRT ref: 66F9D333

PyBytes_AsStringAndSize.PYTHON38 ref: 66F86E78

Strings

C_LEAVE_CO_OBJECT_INDEX, xrefs: 66F86808
PyCell_Set, xrefs: 66F86631
dllhandle, xrefs: 66F865D0
%s (%d:%d), xrefs: 66F86BA4, 66F86DC5, 66F86E34, 66F86FA5, 66F872DD, 66F87341
sha256, xrefs: 66F869EC
C_ENTER_CO_OBJECT_INDEX, xrefs: 66F867C5
.pyarmor.ikey, xrefs: 66F86E50
aes, xrefs: 66F869B8
PyCell_New, xrefs: 66F86613
version_info, xrefs: 66F86573
sprng, xrefs: 66F869D2
000000, xrefs: 66F86B2B
pyarmor_runtime_, xrefs: 66F86AF0, 66F86B0C
PyCell_Get, xrefs: 66F86607
C_ASSERT_ARMORED_INDEX, xrefs: 66F86774
,*, xrefs: 66F87333

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: strcmp$memcmp$Bytes_Stringmalloc$AddressFunction_Long_ProcSizememcpy$DeallocErr_FormatFromItemLongModule_ObjectSys_Tuple_free$Create2NameVoid_time64srandstrncmpstrrchrstrstr
String ID: %s (%d:%d)$,*$.pyarmor.ikey$000000$C_ASSERT_ARMORED_INDEX$C_ENTER_CO_OBJECT_INDEX$C_LEAVE_CO_OBJECT_INDEX$PyCell_Get$PyCell_New$PyCell_Set$aes$dllhandle$pyarmor_runtime_$sha256$sprng$version_info
API String ID: 1610873308-3717260241
Opcode ID: 8ace705db764757fec76ecfa4cca4fd90099bd285529a006ed0375af6e3566cd
Instruction ID: ba0671170f199a6fcd344bc9cd6982eca266d08f77bade4080d707d4ab4488c4
Opcode Fuzzy Hash: 8ace705db764757fec76ecfa4cca4fd90099bd285529a006ed0375af6e3566cd
Instruction Fuzzy Hash: 9E820F72719B84C2EB01CB26E84435D3BB2FB49B88F8580AAEE5D0B794DF39E555C350

Function 66F87560 Relevance: 28.5, APIs: 15, Strings: 1, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 66F875D0
PyErr_Format.PYTHON38 ref: 66F87945
PyErr_Format.PYTHON38 ref: 66F879AD
PyErr_Format.PYTHON38 ref: 66F87A7D

Strings

%s (%d:%d), xrefs: 66F87866, 66F8793B, 66F879A3, 66F87A73, 66F87AE3, 66F87B63, 66F87BEF, 66F87CC0

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_Format$malloc
String ID: %s (%d:%d)
API String ID: 1817594650-1595188566
Opcode ID: 4ac074a4df80c3886279f237d81a6164cce285b2daffb49a8b902e7caa7da149
Instruction ID: 96287a0bb9e6e5ee956589da3d6ccc4c4a0de0d61f7620510b31cfad1f860c96
Opcode Fuzzy Hash: 4ac074a4df80c3886279f237d81a6164cce285b2daffb49a8b902e7caa7da149
Instruction Fuzzy Hash: 0E0299B2B19B4082FF15CB2AD48472D3772EB56B88F94459ACE2D0B7A1DF39E150C760

Function 00007FF654CA1154 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_amsg_exit.MSVCRT ref: 00007FF654CA11F6
_initterm.MSVCRT ref: 00007FF654CA122B
_initterm.MSVCRT ref: 00007FF654CA125E
exit.MSVCRT ref: 00007FF654CA1358
_cexit.MSVCRT ref: 00007FF654CA1367

Strings

0, xrefs: 00007FF654CA1164

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: _initterm$_amsg_exit_cexitexit
String ID: 0
API String ID: 602970348-4108050209
Opcode ID: 6d6abd2140eb0b7f68bb3c504690dcf92132bdf22886463ef4a851639e3c59bc
Instruction ID: 4612fabad723a35932750a26ade81000d56b3253715170873d3ec5c8c1b4e406
Opcode Fuzzy Hash: 6d6abd2140eb0b7f68bb3c504690dcf92132bdf22886463ef4a851639e3c59bc
Instruction Fuzzy Hash: 8B6194A5F09B0689FB009B96E8E436833B0BB84B84F4844B6DE5DE77A5DE3CE4418750

Function 66F85850 Relevance: 63.3, APIs: 30, Strings: 6, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyEval_GetFrame.PYTHON38 ref: 66F854C2
PyUnicode_FromFormat.PYTHON38 ref: 66F854DF
Py_DecRef.PYTHON38 ref: 66F854F3
PyUnicode_AsUTF8.PYTHON38 ref: 66F85904
PyImport_GetModuleDict.PYTHON38 ref: 66F85938
PyDict_GetItem.PYTHON38 ref: 66F85946
PyModule_GetDict.PYTHON38 ref: 66F85957
PyDict_GetItemString.PYTHON38 ref: 66F8596A
PyImport_ExecCodeModuleObject.PYTHON38 ref: 66F8598D
PyErr_Occurred.PYTHON38 ref: 66F85996

Part of subcall function 66F8F750: VirtualAlloc.KERNEL32 ref: 66F8F7A9
Part of subcall function 66F8F750: memcpy.MSVCRT ref: 66F8F7CC

Strings

__main__, xrefs: 66F858F8
%s (%d:%d), xrefs: 66F861CC
, xrefs: 66F8587B
__mp_main__, xrefs: 66F8591E
__spec__, xrefs: 66F8595D
<frozen %U>, xrefs: 66F854D8, 66F85523, 67023192

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: DictDict_Import_ItemModuleUnicode_$AllocCodeErr_Eval_ExecFormatFrameFromModule_ObjectOccurredStringVirtualmemcpy
String ID: $%s (%d:%d)$<frozen %U>$__main__$__mp_main__$__spec__
API String ID: 3240200909-2782528897
Opcode ID: db3bbc8ce2dc25059c250b18394c3a52027a2ee373e96a4f4f185882a6659b56
Instruction ID: 94d5e87fc850224974b9346cbd144078ae336d07e205854aaf8dd14c89593fa8
Opcode Fuzzy Hash: db3bbc8ce2dc25059c250b18394c3a52027a2ee373e96a4f4f185882a6659b56
Instruction Fuzzy Hash: 5CD1AA32B1AB80C6FF058F66E8643687771FB89F99F0845AADA6E07725DF29C054C350

Function 00007FF654CA3680 Relevance: 33.5, APIs: 6, Strings: 13, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00007FF654CA37C4

Strings

Failed to unmarshal code object for %s, xrefs: 00007FF654CA37FC
traceback, xrefs: 00007FF654CA391F
pyi-disable-windowed-traceback, xrefs: 00007FF654CA3882
__file__, xrefs: 00007FF654CA3764
Could not get __main__ module's dict., xrefs: 00007FF654CA3902
format_exception, xrefs: 00007FF654CA3948
Absolute path to script exceeds PATH_MAX, xrefs: 00007FF654CA37E6
_pyi_main_co, xrefs: 00007FF654CA379D
__main__, xrefs: 00007FF654CA36A7
\, xrefs: 00007FF654CA3731
Could not get __main__ module., xrefs: 00007FF654CA38F1
%s%c%s.py, xrefs: 00007FF654CA3739
Traceback is disabled via bootloader option., xrefs: 00007FF654CA3899

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free
String ID: %s%c%s.py$Absolute path to script exceeds PATH_MAX$Could not get __main__ module's dict.$Could not get __main__ module.$Failed to unmarshal code object for %s$Traceback is disabled via bootloader option.$\$__file__$__main__$_pyi_main_co$format_exception$pyi-disable-windowed-traceback$traceback
API String ID: 1294909896-4198433784
Opcode ID: 12c52ad3206ff2ca4a686c2b5d6f2d74fd5d28bb8a815d9899b5b4b4f58fce32
Instruction ID: a12c2918d72dbe00be560d38cb66e38bb3fa5c46d70aec42375497fa29625e06
Opcode Fuzzy Hash: 12c52ad3206ff2ca4a686c2b5d6f2d74fd5d28bb8a815d9899b5b4b4f58fce32
Instruction Fuzzy Hash: B5B105A5A09A0A85EA04DB57E8B41792370BFC9FC5F8844B3DD1EA77B1EE3CE4059700

Function 66F85861 Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyUnicode_AsUTF8.PYTHON38 ref: 66F85904
PyImport_GetModuleDict.PYTHON38 ref: 66F85938
PyDict_GetItem.PYTHON38 ref: 66F85946
PyModule_GetDict.PYTHON38 ref: 66F85957
PyDict_GetItemString.PYTHON38 ref: 66F8596A
PyImport_ExecCodeModuleObject.PYTHON38 ref: 66F8598D
PyErr_Occurred.PYTHON38 ref: 66F85996

Strings

__main__, xrefs: 66F858F8
%s (%d:%d), xrefs: 66F85EAC
, xrefs: 66F8587B
__mp_main__, xrefs: 66F8591E
__spec__, xrefs: 66F8595D

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: DictDict_Import_ItemModule$CodeErr_ExecModule_ObjectOccurredStringUnicode_
String ID: $%s (%d:%d)$__main__$__mp_main__$__spec__
API String ID: 4088344453-4025645406
Opcode ID: 513e9e035e8bfa4f1a755c1bbacd14e2794831eec675c11f6f24c33b77d09f19
Instruction ID: 91b9f1b8619ca420024f8a307cfd60020474cd34f91eac12201592baaf686658
Opcode Fuzzy Hash: 513e9e035e8bfa4f1a755c1bbacd14e2794831eec675c11f6f24c33b77d09f19
Instruction Fuzzy Hash: BC81AC32B16B8086FF55CF66E8A03697371EB85B99F4845AADE6E07B15DF29C041C310

Function 00007FF654CA5550 Relevance: 28.6, APIs: 2, Strings: 17, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF654CA6FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF654CA700C

free.MSVCRT ref: 00007FF654CA5720
free.MSVCRT ref: 00007FF654CA5735

Strings

;, xrefs: 00007FF654CA564C
\, xrefs: 00007FF654CA566E
Error detected starting Python VM., xrefs: 00007FF654CA5764
Failed to convert pyhome to wchar_t, xrefs: 00007FF654CA57B8
C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\jone, xrefs: 00007FF654CA5686
C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\user\AppData\Local\Temp\_MEI73442, xrefs: 00007FF654CA5619
Invalid value for PYTHONUTF8=%s; disabling utf-8 mode!, xrefs: 00007FF654CA5753
sys.path (based on %s) exceeds buffer[%d] space, xrefs: 00007FF654CA5780
Failed to convert pypath to wchar_t, xrefs: 00007FF654CA57AA
Failed to convert argv to wchar_t, xrefs: 00007FF654CA578E
base_library.zip, xrefs: 00007FF654CA5634
%s%c%s%c%s%c%s%c%s, xrefs: 00007FF654CA563B
lib-dynload, xrefs: 00007FF654CA5622
;, xrefs: 00007FF654CA5661
\, xrefs: 00007FF654CA5654
Failed to convert progname to wchar_t, xrefs: 00007FF654CA579C
PYTHONUTF8, xrefs: 00007FF654CA555A

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$EnvironmentVariable
String ID: %s%c%s%c%s%c%s%c%s$;$;$C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\jone$C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\user\AppData\Local\Temp\_MEI73442$Error detected starting Python VM.$Failed to convert argv to wchar_t$Failed to convert progname to wchar_t$Failed to convert pyhome to wchar_t$Failed to convert pypath to wchar_t$Invalid value for PYTHONUTF8=%s; disabling utf-8 mode!$PYTHONUTF8$\$\$base_library.zip$lib-dynload$sys.path (based on %s) exceeds buffer[%d] space
API String ID: 471908985-2295976025
Opcode ID: c48456801aa9cd7d8cc58aca705c0cba2a25958533fc06219b0b3206e7b935ed
Instruction ID: c5265b3b3413d4e9f1c6cb2bef02cd0de2cf1d92495f50b3756175d3fd4c8a5b
Opcode Fuzzy Hash: c48456801aa9cd7d8cc58aca705c0cba2a25958533fc06219b0b3206e7b935ed
Instruction Fuzzy Hash: F3613EA5E19A1685FA149B12E8F42B92370AFC4B84F8C80B3D94EF77A5DF2CE545C704

Function 00007FF654CA1710 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF654CA8AE0: malloc.MSVCRT ref: 00007FF654CA8A49

malloc.MSVCRT ref: 00007FF654CA1788
malloc.MSVCRT ref: 00007FF654CA179E
fread.MSVCRT ref: 00007FF654CA17CD
ferror.MSVCRT ref: 00007FF654CA17DE
fwrite.MSVCRT ref: 00007FF654CA1867
ferror.MSVCRT ref: 00007FF654CA1882
free.MSVCRT ref: 00007FF654CA1905
free.MSVCRT ref: 00007FF654CA190D

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF654CA1A5E
1.2.12, xrefs: 00007FF654CA173F
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF654CA1A07
_MEIPASS2, xrefs: 00007FF654CA1712
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF654CA18E9
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF654CA1A3F
malloc, xrefs: 00007FF654CA1A46, 00007FF654CA1A65

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: malloc$ferrorfree$freadfwrite
String ID: 1.2.12$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$_MEIPASS2$malloc
API String ID: 1635854594-2461342963
Opcode ID: 5d83aac17ced31a7c1805e244f49a19b62b07cc991f9975bd614b182ebb2c88a
Instruction ID: dedc42404c983bce25259a1f689a528bbd32b3ea96a0acd360ce2955a4666e2d
Opcode Fuzzy Hash: 5d83aac17ced31a7c1805e244f49a19b62b07cc991f9975bd614b182ebb2c88a
Instruction Fuzzy Hash: A28195A6A0C69181E720CB26E4A03AA63B0FFC47A4F984172DEDDA77D5DE7CD485C700

Function 00007FF654CAE5E0 Relevance: 25.9, APIs: 17, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strdup.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAE616
setlocale.MSVCRT ref: 00007FF654CAE62E
mbstowcs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAE665
mbstowcs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAE6D6
setlocale.MSVCRT ref: 00007FF654CAE741
free.MSVCRT ref: 00007FF654CAE74D
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAE981
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAE9F5
realloc.MSVCRT ref: 00007FF654CAEA10
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAEA39
setlocale.MSVCRT ref: 00007FF654CAEA4A
free.MSVCRT ref: 00007FF654CAEA56
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAEA80
realloc.MSVCRT ref: 00007FF654CAEA9B
wcstombs.MSVCRT(?,?,?,?,?,00002078,?,?,?,00007FF654CA4082,00000000,?,00007FF654CA2124), ref: 00007FF654CAEABF
setlocale.MSVCRT ref: 00007FF654CAEAD0
free.MSVCRT ref: 00007FF654CAEADC

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: wcstombs$setlocale$free$mbstowcsrealloc$_strdup
String ID:
API String ID: 918573998-0
Opcode ID: a83cf2a6e7cdc1dd5fd551beaeb6a114339be945ac12246f5548f53177ceeab4
Instruction ID: f4cd77e1830dbf52755837107e1a0d5ee60df2f5d932de03dbce69b9c962df6c
Opcode Fuzzy Hash: a83cf2a6e7cdc1dd5fd551beaeb6a114339be945ac12246f5548f53177ceeab4
Instruction Fuzzy Hash: 9CF140A6F04B1588FB509BAAC4912BC37B0FB85B88F884476DE4CA7799DF38D451C360

Function 00007FF654CA1E80 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF654CA7D30: malloc.MSVCRT ref: 00007FF654CA7D4E
Part of subcall function 00007FF654CA7D30: free.MSVCRT ref: 00007FF654CA7E25

fread.MSVCRT ref: 00007FF654CA1EF3
malloc.MSVCRT ref: 00007FF654CA1F52
fread.MSVCRT ref: 00007FF654CA1F73
ferror.MSVCRT ref: 00007FF654CA1F90
fclose.MSVCRT ref: 00007FF654CA2000

Strings

Could not read full TOC!, xrefs: 00007FF654CA2062
Failed to seek to cookie position!, xrefs: 00007FF654CA2085
Cannot read Table of Contents., xrefs: 00007FF654CA1FA7
fread, xrefs: 00007FF654CA204F, 00007FF654CA2069
Could not allocate buffer for TOC!, xrefs: 00007FF654CA209A
Failed to read cookie!, xrefs: 00007FF654CA2048
fseek, xrefs: 00007FF654CA208C
Error on file., xrefs: 00007FF654CA2077
malloc, xrefs: 00007FF654CA20A1

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: freadmalloc$fcloseferrorfree
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$fread$fseek$malloc
API String ID: 1320676746-1463511288
Opcode ID: 11665d2b36410fafcdd0b93d8076e27d90fdf4b13ae36a9fc73be4023cf48d23
Instruction ID: babdc14d796f17458553065fe2034b09e9d09d4541117d9d885cdfc4dc8efd52
Opcode Fuzzy Hash: 11665d2b36410fafcdd0b93d8076e27d90fdf4b13ae36a9fc73be4023cf48d23
Instruction Fuzzy Hash: 91514DB2B0961296EA18CB16D5E027967B1BFC8744F888077DA0E97B95DF3DE4A1C700

Function 66FFF2C0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 123
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCRT ref: 66FFF31E
CreateFileMappingA.KERNEL32 ref: 66FFF375
MapViewOfFile.KERNEL32 ref: 66FFF3A1
CloseHandle.KERNEL32 ref: 66FFF3AD
GetLastError.KERNEL32 ref: 66FFF3B8
_errno.MSVCRT ref: 66FFF3C0

Strings

@, xrefs: 66FFF47D
, xrefs: 66FFF2FC
@, xrefs: 66FFF424

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: File_errno$CloseCreateErrorHandleLastMappingView
String ID: $@$@
API String ID: 896588047-3743272326
Opcode ID: 8bce634052248ac0fe09119566a57010313dbdf8e4743f0df6502e78c6b4aa78
Instruction ID: e52eec593fddd049e3133b1fc536c989496648b384d660d646d9b8e591064491
Opcode Fuzzy Hash: 8bce634052248ac0fe09119566a57010313dbdf8e4743f0df6502e78c6b4aa78
Instruction Fuzzy Hash: 64412073E3665086F7914B26EC0174AA151BB8ABB8F490322DE79177F0EB3CC842C341

Function 00007FF654CA1AF0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF654CA1B2E
fread.MSVCRT ref: 00007FF654CA1B7C
free.MSVCRT ref: 00007FF654CA1BA1
fclose.MSVCRT ref: 00007FF654CA1BB2

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF654CA1C3D
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF654CA1C5A
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF654CA1B8B
Failed to extract %s: failed to open archive file!, xrefs: 00007FF654CA1C15
fread, xrefs: 00007FF654CA1B92
fseek, xrefs: 00007FF654CA1C44
malloc, xrefs: 00007FF654CA1C61

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fclosefreadfreemalloc
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 3295367466-3659356012
Opcode ID: 9e0dd351f8b021831cc2584e7f4dd04d9fd565d43a08166a570ebe01350c0405
Instruction ID: 572f06128dd524eefc0dfb7737fbcec5e7b6fca825b2bf5b9956e42b6949d000
Opcode Fuzzy Hash: 9e0dd351f8b021831cc2584e7f4dd04d9fd565d43a08166a570ebe01350c0405
Instruction Fuzzy Hash: 4031CEE2B0965655FB059B12E8B06BA2374AF847D8FCC40B3DD0DA6791EE3CE549C300

Function 00007FF654CA16D0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 285
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF654CA8160: free.MSVCRT ref: 00007FF654CA81C7
Part of subcall function 00007FF654CA8160: free.MSVCRT ref: 00007FF654CA81D4

Part of subcall function 00007FF654CA21B0: calloc.MSVCRT ref: 00007FF654CA21BE

Part of subcall function 00007FF654CA42F0: GetModuleFileNameW.KERNEL32 ref: 00007FF654CA4312

Part of subcall function 00007FF654CA6FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF654CA700C

free.MSVCRT ref: 00007FF654CA3C27

Part of subcall function 00007FF654CA70D0: SetEnvironmentVariableW.KERNEL32 ref: 00007FF654CA70EB
Part of subcall function 00007FF654CA70D0: free.MSVCRT ref: 00007FF654CA70F6

SetDllDirectoryW.KERNEL32 ref: 00007FF654CA3C93
strcmp.MSVCRT ref: 00007FF654CA3CBF
strcpy.MSVCRT ref: 00007FF654CA3D05

Strings

_PYI_ONEDIR_MODE, xrefs: 00007FF654CA3BF3, 00007FF654CA3C2C
Failed to convert DLL search path!, xrefs: 00007FF654CA3FF7
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF654CA3FA9
_MEIPASS2, xrefs: 00007FF654CA3BD8
Error opening archive ZNdewcHn8K from executable (%s) or external archive (%s), xrefs: 00007FF654CA3F2C

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$EnvironmentVariable$DirectoryFileModuleNamecallocstrcmpstrcpy
String ID: Cannot side-load external archive %s (code %d)!$Error opening archive ZNdewcHn8K from executable (%s) or external archive (%s)$Failed to convert DLL search path!$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 4056350997-3668766296
Opcode ID: 5b42ffc26fe656d3dc18153cefd1910fe32b185476038c5a3808a836f78a1520
Instruction ID: 723f92a87f2936aa3c76af61cbceb6ba315cc9e1c360b81ee62241ca0de7e46b
Opcode Fuzzy Hash: 5b42ffc26fe656d3dc18153cefd1910fe32b185476038c5a3808a836f78a1520
Instruction Fuzzy Hash: 98C1A6A1A1D64250FA10DB2398B01BA6674AFC4BC4F4C40B3EE4EE7BE6DE3CE5458700

Function 00007FF654CA57D0 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 84
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00007FF654CA57EB
free.MSVCRT ref: 00007FF654CA58BC

Strings

utf-8, xrefs: 00007FF654CA57F7
strict, xrefs: 00007FF654CA57F0
_MEIPASS2, xrefs: 00007FF654CA57D0
Module object for %s is NULL!, xrefs: 00007FF654CA58CB
Failed to get _MEIPASS as PyObject., xrefs: 00007FF654CA58F1
_MEIPASS, xrefs: 00007FF654CA5820

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: freestrlen
String ID: Failed to get _MEIPASS as PyObject.$Module object for %s is NULL!$_MEIPASS$_MEIPASS2$strict$utf-8
API String ID: 322734593-568040347
Opcode ID: 9e845a276c51c4464c120e7fb7b1e0ba1285ac3300ef2d75e6443f80687ba065
Instruction ID: e9478405bfe89d8356fdc044c51e20c3a9de5755dfd6bc7600f40dbc39bedd85
Opcode Fuzzy Hash: 9e845a276c51c4464c120e7fb7b1e0ba1285ac3300ef2d75e6443f80687ba065
Instruction Fuzzy Hash: B9316EA1B09A4691EA149B57E8A40B96330BFC4B94F8C84B3DD1EE77A1EE3CE445D301

Function 00007FF654CA7D30 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF654CA7D4E
free.MSVCRT ref: 00007FF654CA7E25

Strings

_MEIPASS2, xrefs: 00007FF654CA7D32

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: freemalloc
String ID: _MEIPASS2
API String ID: 3061335427-3944641314
Opcode ID: 47c5326f12971c907186fce21dcd40d8267512280e1e237bd1ecb972a3a23034
Instruction ID: 5b0c06c5fc477e7d01a1bfbc06f031b5b856a8db3b8c6ecb1eb4e27287fd294e
Opcode Fuzzy Hash: 47c5326f12971c907186fce21dcd40d8267512280e1e237bd1ecb972a3a23034
Instruction Fuzzy Hash: 412108A2B0A11205FE10951399A47FAD6667F85BC4F8C0473DE0DEB7C1ED3CE942C240

Function 00007FF654CA6170 Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF654CA617E

Strings

calloc, xrefs: 00007FF654CA6194
Cannot allocate memory for SPLASH_STATUS., xrefs: 00007FF654CA618D

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: calloc
String ID: Cannot allocate memory for SPLASH_STATUS.$calloc
API String ID: 2635317215-799113134
Opcode ID: daeeb61d3e57278251d27ce958a3713753ff428d5e00cabe7585f6002fde9d4c
Instruction ID: 14d1bdee05f23941bb96d06a4412261f5947c08b2419bf668f690ed2517d87c9
Opcode Fuzzy Hash: daeeb61d3e57278251d27ce958a3713753ff428d5e00cabe7585f6002fde9d4c
Instruction Fuzzy Hash: A6E0C2E1F0860680EA14AB00D4E91F92B70EFC4340FCC40B6DA5CB7BA2EE3CE5458700

Function 00007FF654CAF300 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fsetpos.MSVCRT ref: 00007FF654CAF3A5

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fsetpos
String ID:
API String ID: 850078086-0
Opcode ID: 1b41710901f17b2eeca1497c090281577d230925116f41a5d4b4f06b87e02d06
Instruction ID: b104fdc5b6c141cf6f9acb5d5b09d47a2712c4bd0829fc231079b8ff7df6f3fc
Opcode Fuzzy Hash: 1b41710901f17b2eeca1497c090281577d230925116f41a5d4b4f06b87e02d06
Instruction Fuzzy Hash: 51114DB6A05B06C9EB10DF66C4A10BC33B0AF84798F544AB6EA1DA7799DF38D0508360

Function 00007FF654CA20B0 Relevance: 3.0, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 00007FF654CA2138
fclose.MSVCRT ref: 00007FF654CA2158

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fclosestrcpy
String ID:
API String ID: 3396940900-0
Opcode ID: 189eab3eda584426b79a923873d08d7fcad8c28c9a176b0606dae0b493bfce30
Instruction ID: 3796415255b77e960a134fc900405ab017e41298186196f1cfaf81f32bc4ce62
Opcode Fuzzy Hash: 189eab3eda584426b79a923873d08d7fcad8c28c9a176b0606dae0b493bfce30
Instruction Fuzzy Hash: A0118EA5B0814280FB549A72E9A53F912619FD4BC4F9C8173DD0EE778ADE2CE8C9C310

Function 00007FF654CA7950 Relevance: 3.0, APIs: 2, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

LoadLibraryExW.KERNEL32 ref: 00007FF654CA7971
free.MSVCRT ref: 00007FF654CA797D

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWidefree
String ID:
API String ID: 3231889924-0
Opcode ID: ac1678f2e02d1b72cbc567d5e7bac802729ecc80d491b3a74ede665a07012b31
Instruction ID: c0ab7ddcea750955aba7ef1ff668c353a1a2ec9070326e29f9057cb02cd6c640
Opcode Fuzzy Hash: ac1678f2e02d1b72cbc567d5e7bac802729ecc80d491b3a74ede665a07012b31
Instruction Fuzzy Hash: 1FD0C741FAA1A602EE88A2672CAAABA10101F89BC0ECC8474CC0E97701EC2C80824700

Function 00007FF654CAF1BB Relevance: 2.6, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CAEFD0: wcslen.MSVCRT ref: 00007FF654CAF006

free.MSVCRT ref: 00007FF654CAF1FF
memset.MSVCRT ref: 00007FF654CAF21C

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: freememsetwcslen
String ID:
API String ID: 2332356550-0
Opcode ID: 16ca566369b86500749d9f98ec16c1cf0d74b93f9dbbc66e3a29c3db3259c6e1
Instruction ID: 00bee5ed386922b5bf0a7c5e12d49da0a74c4ced8ab3b4f24a2bb71e0cfb6ff3
Opcode Fuzzy Hash: 16ca566369b86500749d9f98ec16c1cf0d74b93f9dbbc66e3a29c3db3259c6e1
Instruction Fuzzy Hash: 2231EAA6F00B1489EB10CF7AD48109C3BB1FB98BA8B148566EE1C53B6CDF34C591C790

Function 67000940 Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 6700097E

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fe5837323282d315a15794c740daf0bac631d7c30206fff776a4dc5a47e3ca90
Instruction ID: cd783cb35b1c5ccd56b387b9dc9809c4c0e09b979c626c1b103b450ba26739f9
Opcode Fuzzy Hash: fe5837323282d315a15794c740daf0bac631d7c30206fff776a4dc5a47e3ca90
Instruction Fuzzy Hash: 43F01C7237D52085F6310D29D600FAA7594575BBF0E94811699BC0ABF4D55FC6818F22

Function 00007FF654CA43B0 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

_wfopen.MSVCRT ref: 00007FF654CA43F5

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharMultiWide_wfopen
String ID:
API String ID: 372205238-0
Opcode ID: e249028c2137e21c272be09ebad8c35b62695eafe249120916a556fd3ad7a81d
Instruction ID: ce7b9c4f3f1a137ca05e3566820a6583da373b9eeb85fd7be1711753db72d2db
Opcode Fuzzy Hash: e249028c2137e21c272be09ebad8c35b62695eafe249120916a556fd3ad7a81d
Instruction Fuzzy Hash: A9E0D8D1B4C21102F9146213BD647FA92225F8AFC4F488132EF0CABB8A8D1DD243CB00

Function 66FFD980 Relevance: 1.5, APIs: 1, Instructions: 213COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 66FFDC22

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 87d80e122543ab82afe693d9a7a50df2d0bf7f3205f6cf244ec925fd0e59c24c
Instruction ID: cc6605d32a8233596066b01f0e67003fd64ba0751052047c5fa452c7b4720335
Opcode Fuzzy Hash: 87d80e122543ab82afe693d9a7a50df2d0bf7f3205f6cf244ec925fd0e59c24c
Instruction Fuzzy Hash: 1E9197B2A29B9486EB558F26D45035D3BA0F745FECF18411ACF9D1B3A9DB38C496C380

Function 00007FF654CACBA0 Relevance: 1.3, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00007FF654CACC5A

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 623919cd236f253b3d7bc4f578d470e9102edac5acaca204977424f4e3dbef8b
Instruction ID: 574f1b3ce3b82e9b44adfb3d838f31a46a3e68b46195a73d1774baacd5146e6e
Opcode Fuzzy Hash: 623919cd236f253b3d7bc4f578d470e9102edac5acaca204977424f4e3dbef8b
Instruction Fuzzy Hash: 0E315DA6F0471599F7109BA6D4903BC37B0AB80B88F9840B6DE4CA7B98DF3CD691C750

Function 00007FF654CA8AE0 Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00007FF654CA8A49

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 0fc86e8ee51b5bdc1f5f7082c9320d3be715a44251d05dfd6912ed91f5c13a9f
Instruction ID: 9ced9d583d56a81cae4a990e0d4cd5c51dcbbd51bab2b6840cf302b74af97891
Opcode Fuzzy Hash: 0fc86e8ee51b5bdc1f5f7082c9320d3be715a44251d05dfd6912ed91f5c13a9f
Instruction Fuzzy Hash: 722162A2A09A0247EB658B5694A033936A1AFC4B94F6D4176C91DA77D0DF39DC83C350

Function 00007FF654CAA970 Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF654CAA998

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 91393a4a38c2f9ca34023a88416337a771a7b0123113a7f946b122cb324d8598
Instruction ID: a180d695fb52b41f9e0bf69a82406a42087f8a2e0a32023fe358829ae4b58fd3
Opcode Fuzzy Hash: 91393a4a38c2f9ca34023a88416337a771a7b0123113a7f946b122cb324d8598
Instruction Fuzzy Hash: 42F01CA2A05A1182DB509B7BD89036923B0EF88FA8F191272CE4D97394EE25CC81C280

Function 66FFDE00 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

malloc.MSVCRT(?,?,00000000,?,66FE0C70,00000000,?,?,66F93BB6,?,?,?,?,?,?), ref: 66FFDE0F

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 1bf828e095ce4e9032b00840eccc91d5e23d29e85e168ad2e099bbb74118d7cc
Instruction ID: 8f0ba91d47a1758a7b6ac7e434d4990a1de01463283f716b81bd24b7a461b6f6
Opcode Fuzzy Hash: 1bf828e095ce4e9032b00840eccc91d5e23d29e85e168ad2e099bbb74118d7cc
Instruction Fuzzy Hash: 34D01266B9BA5581E50D9B573C5039895576B5EBF1F4CC0308E4D97315FC2844D34310

Non-executed Functions

Function 66F93330 Relevance: 72.1, APIs: 35, Strings: 6, Instructions: 355networkstringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 66F93352
WSAStartup.WS2_32 ref: 66F93364
gethostbyname.WS2_32 ref: 66F933A9
socket.WS2_32 ref: 66F933E6
htons.WS2_32 ref: 66F9340D
ioctlsocket.WS2_32 ref: 66F93442
connect.WS2_32 ref: 66F9345A
ioctlsocket.WS2_32 ref: 66F9347C
send.WS2_32 ref: 66F934B4
WSAGetLastError.WS2_32 ref: 66F934BD
closesocket.WS2_32 ref: 66F934C8
WSACleanup.WS2_32 ref: 66F934CE
SetLastError.KERNEL32 ref: 66F934D6
recv.WS2_32 ref: 66F9352C
closesocket.WS2_32 ref: 66F93544
WSACleanup.WS2_32 ref: 66F9354A
strstr.MSVCRT ref: 66F9355A
strstr.MSVCRT ref: 66F93585
toupper.MSVCRT ref: 66F9359A
toupper.MSVCRT ref: 66F935A9
toupper.MSVCRT ref: 66F935B8
toupper.MSVCRT ref: 66F935C7
strstr.MSVCRT ref: 66F93628
memcmp.MSVCRT ref: 66F936DF
memcmp.MSVCRT ref: 66F936FD
_mktime64.MSVCRT ref: 66F937A4
gethostbyname.WS2_32 ref: 66F937DE
WSAGetLastError.WS2_32 ref: 66F937F7
ioctlsocket.WS2_32 ref: 66F93814
WSAGetLastError.WS2_32 ref: 66F93816
WSAGetLastError.WS2_32 ref: 66F93820
WSACleanup.WS2_32 ref: 66F93828
SetLastError.KERNEL32 ref: 66F93830
select.WS2_32 ref: 66F938AA
ioctlsocket.WS2_32 ref: 66F938C6

Strings

HEAD /%s HTTP/1.1Host: %sUser-Agent: PYARMOR.COREConnection: close, xrefs: 66F93387, 66F937BF
and,, xrefs: 66F9333B
Dec, xrefs: 66F936ED
or,, xrefs: 66F93336
http://, xrefs: 66F93339
Nov, xrefs: 66F936CF

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: ErrorLast$ioctlsockettoupper$Cleanupstrstr$closesocketgethostbynamememcmp$Startup_mktime64connecthtonsrecvselectsendsocketstrchr
String ID: Dec$HEAD /%s HTTP/1.1Host: %sUser-Agent: PYARMOR.COREConnection: close$Nov$and,$http://$or,
API String ID: 3493847099-1714119496
Opcode ID: 42489d4b48dd1ba86145c690c31f5d26bf968e15ce3ea48600c44bee7116b454
Instruction ID: d76999b93ba649e746c1b3042c1f0762a8ca73d85845fe0afe183f76ff09b861
Opcode Fuzzy Hash: 42489d4b48dd1ba86145c690c31f5d26bf968e15ce3ea48600c44bee7116b454
Instruction Fuzzy Hash: 6FE14533A0CAD186F714CB34E44475ABBB1F389B98F048225CA6D47799EB3DC946CB51

Function 66F945C0 Relevance: 63.4, APIs: 30, Strings: 6, Instructions: 406memorystringCOMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32 ref: 66F94689
GetProcessHeap.KERNEL32 ref: 66F946C4
HeapAlloc.KERNEL32 ref: 66F946D9
GetAdaptersAddresses.IPHLPAPI ref: 66F94709
strlen.MSVCRT ref: 66F94737
GetProcessHeap.KERNEL32 ref: 66F9475B
HeapFree.KERNEL32 ref: 66F94766
malloc.MSVCRT ref: 66F947F2

Strings

NetCfgInstanceId, xrefs: 66F94C04
01234567, xrefs: 66F9461C
:[sc, xrefs: 66F94609
Characteristics, xrefs: 66F94C5E
89abcdef, xrefs: 66F9462E
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, xrefs: 66F94B1E

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Heap$Process$AdaptersAddressesAllocComputerFreeNamemallocstrlen
String ID: 01234567$89abcdef$:[sc$Characteristics$NetCfgInstanceId$SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
API String ID: 1478035857-3618987999
Opcode ID: 58c956fca055b189b8c71f584b7d8aadf6d42f2ceb1ac7bde637e8721036a808
Instruction ID: 52763bc0bb4e5b6b4d8eb9910064e3114784c22fa63c2909a5e96c61abf6598c
Opcode Fuzzy Hash: 58c956fca055b189b8c71f584b7d8aadf6d42f2ceb1ac7bde637e8721036a808
Instruction Fuzzy Hash: 35F18E7271978086F724CB26B84079FBBA5F79AB88F448229DF9947B58DB3DC105CB10

Function 66F89C60 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 476COMMON

Download Yara Rule

APIs

PyList_Append.PYTHON38 ref: 66F89C85
PyErr_Occurred.PYTHON38 ref: 66F8A148
PyErr_SetString.PYTHON38 ref: 66F8AFD2

Strings

bad marshal data (index list too large), xrefs: 66F8AFC5
EOF read where object expected, xrefs: 66F8B52F

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$AppendList_OccurredString
String ID: EOF read where object expected$bad marshal data (index list too large)
API String ID: 2605687773-1134984
Opcode ID: d61d1595cc4b94d6aa42ff5966654c35fb5a56767a83485c02c2fa030b00a6b4
Instruction ID: 6d7547fbfbc69c77759aeed3a0040f8c2f9ad8ff62175bab5d84107e6ea3a4fd
Opcode Fuzzy Hash: d61d1595cc4b94d6aa42ff5966654c35fb5a56767a83485c02c2fa030b00a6b4
Instruction Fuzzy Hash: C8128C33609BC486EB648F25E99835AB7B1F789B88F448959CEAD47798EF3DC014C740

Function 00007FF654CA2560 Relevance: 45.7, APIs: 20, Strings: 6, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 00007FF654CA2593
MulDiv.KERNEL32 ref: 00007FF654CA25B0
MulDiv.KERNEL32 ref: 00007FF654CA25C9
SystemParametersInfoW.USER32 ref: 00007FF654CA260F
LoadIconMetric.COMCTL32 ref: 00007FF654CA2643
CreateWindowExW.USER32 ref: 00007FF654CA26A1
CreateWindowExW.USER32 ref: 00007FF654CA26FB
CreateWindowExW.USER32 ref: 00007FF654CA275C
CreateWindowExW.USER32 ref: 00007FF654CA27BE
SendMessageW.USER32 ref: 00007FF654CA27E1
SendMessageW.USER32 ref: 00007FF654CA27F9
SendMessageW.USER32 ref: 00007FF654CA2814
SendMessageW.USER32 ref: 00007FF654CA2831
SendMessageW.USER32 ref: 00007FF654CA284C
SendMessageW.USER32 ref: 00007FF654CA2867
SendMessageW.USER32 ref: 00007FF654CA2882
SendMessageW.USER32 ref: 00007FF654CA2896
SendMessageW.USER32 ref: 00007FF654CA28AB
GetClientRect.USER32 ref: 00007FF654CA28B6
CreateFontIndirectW.GDI32 ref: 00007FF654CA28D8

Strings

Failed to vqmkBiYr script '%ls' due to unhandled exception: %ls, xrefs: 00007FF654CA256B
STATIC, xrefs: 00007FF654CA263C
, xrefs: 00007FF654CA25FD
Close, xrefs: 00007FF654CA2764
EDIT, xrefs: 00007FF654CA2712
BUTTON, xrefs: 00007FF654CA2774

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: MessageSend$Create$Window$BaseClientDialogFontIconIndirectInfoLoadMetricParametersRectSystemUnits
String ID: $BUTTON$Close$EDIT$Failed to vqmkBiYr script '%ls' due to unhandled exception: %ls$STATIC
API String ID: 3223904152-2049099994
Opcode ID: f946fc37740113d1f7e6e8a1de48a3746edf2e82bfe78e13903bb1f18fd90df2
Instruction ID: 709febca6ca9bb1fff722a10e6abc08a1bf68adee4d3bfccb26f7a8030932bae
Opcode Fuzzy Hash: f946fc37740113d1f7e6e8a1de48a3746edf2e82bfe78e13903bb1f18fd90df2
Instruction Fuzzy Hash: EB91BD76218B9082E7108F61E4A479A7770F788BC8F14413AEE8C5BB98CF7EC085CB50

Function 66F838D6 Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 418stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 66F83989
free.MSVCRT ref: 66F8399E
malloc.MSVCRT ref: 66F839AA
memcpy.MSVCRT ref: 66F839CC
_Py_Dealloc.PYTHON38 ref: 66F839F2

Strings

N+, xrefs: 66F8429D
%s (%d:%d), xrefs: 66F83D9F, 66F83E26, 66F83E8B, 66F83F51, 66F842AB

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Deallocfreemallocmemcpystrcmp
String ID: %s (%d:%d)$N+
API String ID: 2421945241-2748867177
Opcode ID: bfc3ea11b4ea52dbcc71e7982e5d219b1f2feea5074215385fbb6bb86aa917be
Instruction ID: 4fe9b6d4a79930aaf8960c4037a2cd52bc182e7d00192f4b2d051ba766038e10
Opcode Fuzzy Hash: bfc3ea11b4ea52dbcc71e7982e5d219b1f2feea5074215385fbb6bb86aa917be
Instruction Fuzzy Hash: 6BF1EF73708B8086EB10CF29D8903597771EB96BA9F48825ADEAD4B3A4DF3DC551C720

Function 66F82C80 Relevance: 42.3, APIs: 20, Strings: 4, Instructions: 282librarystringloaderCOMMON

Download Yara Rule

APIs

PyEval_GetGlobals.PYTHON38 ref: 66F82CE4
PyFunction_NewWithQualName.PYTHON38 ref: 66F82CF3
_PyObject_CallFunction_SizeT.PYTHON38 ref: 66F82D2F
_Py_Dealloc.PYTHON38 ref: 66F82D71
PyErr_Format.PYTHON38 ref: 66F82E4A
GetProcAddress.KERNEL32 ref: 66F82E6A
strlen.MSVCRT ref: 66F82E82
PyErr_Format.PYTHON38 ref: 66F83147

Part of subcall function 66F8E850: PyList_New.PYTHON38 ref: 66F8E88A
Part of subcall function 66F8E850: PyMem_Free.PYTHON38 ref: 66F8E8C3

_Py_Dealloc.PYTHON38 ref: 66F82F99
_Py_Dealloc.PYTHON38 ref: 66F82FAD
_Py_Dealloc.PYTHON38 ref: 66F82FD9
_Py_Dealloc.PYTHON38 ref: 66F83003
_Py_Dealloc.PYTHON38 ref: 66F83013

Strings

/proc/se, xrefs: 66F82DA0
%s (%d:%d), xrefs: 66F82E43, 66F83071, 66F830D6, 66F83140
lf/exe, xrefs: 66F82DB2
z(, xrefs: 66F830C8

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Dealloc$Err_FormatFunction_$AddressCallEval_FreeGlobalsList_Mem_NameObject_ProcQualSizeWithstrlen
String ID: %s (%d:%d)$/proc/se$lf/exe$z(
API String ID: 4028440157-3850701646
Opcode ID: 67a44e418211ee00871a3260e99db8160e0c740df772b11043ac3c43ae521917
Instruction ID: 1d5f0c56159bfd8c29402811fbe73bd13ba8b0652e1ed453e53b4d81596bbc18
Opcode Fuzzy Hash: 67a44e418211ee00871a3260e99db8160e0c740df772b11043ac3c43ae521917
Instruction Fuzzy Hash: 0DB1AC73B18A80C6FB008B69D8883583772EB9AF98F84415ADD6D077A5CF2EC641C790

Function 66F91E90 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 156memoryfileCOMMON

Download Yara Rule

APIs

_snprintf.MSVCRT ref: 66F91EDC
CreateFileA.KERNEL32 ref: 66F91F10
GlobalAlloc.KERNEL32 ref: 66F91F2A
DeviceIoControl.KERNEL32 ref: 66F91FA4
GlobalFree.KERNEL32 ref: 66F91FBA
_snprintf.MSVCRT ref: 66F91FF7
CreateFileA.KERNEL32 ref: 66F92024
GlobalAlloc.KERNEL32 ref: 66F92045
GlobalAlloc.KERNEL32 ref: 66F92054
DeviceIoControl.KERNEL32 ref: 66F9209C
GlobalFree.KERNEL32 ref: 66F920B5
GlobalFree.KERNEL32 ref: 66F920BA
CloseHandle.KERNEL32 ref: 66F920C4
GlobalFree.KERNEL32 ref: 66F920E6

Part of subcall function 66F91B40: GetLastError.KERNEL32 ref: 66F91B44
Part of subcall function 66F91B40: FormatMessageA.KERNEL32 ref: 66F91B75
Part of subcall function 66F91B40: LocalFree.KERNEL32 ref: 66F91B96

Strings

SCSIDISK, xrefs: 66F91F54
../src/platforms/windows/hdinfo.c, xrefs: 66F91FC7
/%d:, xrefs: 66F91E96
\\.\Scsi%d, xrefs: 66F91EA5
Empty serial number, xrefs: 66F91FC0
\\.\PhysicalDrive%d, xrefs: 66F91FEB

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Global$Free$Alloc$ControlCreateDeviceFile_snprintf$CloseErrorFormatHandleLastLocalMessage
String ID: ../src/platforms/windows/hdinfo.c$/%d:$Empty serial number$SCSIDISK$\\.\PhysicalDrive%d$\\.\Scsi%d
API String ID: 1119308327-3953537554
Opcode ID: 07e4e21e60358c920845821d35dbe081e418f415c29be2bf8939be607358a8d9
Instruction ID: 743f16cc10964eb205508d7efd5a5b80e6e6cf0190e5cffddc76ef5be1137caf
Opcode Fuzzy Hash: 07e4e21e60358c920845821d35dbe081e418f415c29be2bf8939be607358a8d9
Instruction Fuzzy Hash: 0051B13231868486F7509B22F81875ABB66F788BE8F444225DE6D07BD4DF3EC5498750

Function 66F93050 Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 149networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 66F930AF
gethostbyname.WS2_32 ref: 66F930C0
socket.WS2_32 ref: 66F930ED
setsockopt.WS2_32 ref: 66F93125
setsockopt.WS2_32 ref: 66F93148
htons.WS2_32 ref: 66F9316B
sendto.WS2_32 ref: 66F931E9
recvfrom.WS2_32 ref: 66F9322E
ntohl.WS2_32 ref: 66F9324F
ntohl.WS2_32 ref: 66F93259
closesocket.WS2_32 ref: 66F9327E
WSACleanup.WS2_32 ref: 66F93284
WSAGetLastError.WS2_32 ref: 66F93290
closesocket.WS2_32 ref: 66F9329B
WSACleanup.WS2_32 ref: 66F932A1
SetLastError.KERNEL32 ref: 66F932B0
WSAGetLastError.WS2_32 ref: 66F932D0
WSACleanup.WS2_32 ref: 66F932D8
SetLastError.KERNEL32 ref: 66F932E7

Strings

and,, xrefs: 66F93057
or,, xrefs: 66F93052
http://, xrefs: 66F93055

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: ErrorLast$Cleanup$closesocketntohlsetsockopt$Startupgethostbynamehtonsrecvfromsendtosocket
String ID: and,$http://$or,
API String ID: 1750001962-2642771825
Opcode ID: f5621a20867676ab835add618566f5f6156720f60fa33ed51b47ff061c77da8f
Instruction ID: 76cd5265e4e4398ad14c20c019bad0c1345411464435ddc19e23acca00ac1282
Opcode Fuzzy Hash: f5621a20867676ab835add618566f5f6156720f60fa33ed51b47ff061c77da8f
Instruction Fuzzy Hash: A9515D3260968086F7108B65F80835AB7A1F789BB8F140328EABC47BE5DF7DC548CB40

Function 66F89AA0 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON38 ref: 66F89AB1
_PyLong_New.PYTHON38 ref: 66F89AE4
PyErr_Occurred.PYTHON38 ref: 66F89B3F
PyErr_Occurred.PYTHON38 ref: 66F89B87
PyErr_Occurred.PYTHON38 ref: 66F89BAC
_PyLong_New.PYTHON38 ref: 66F8A599
PyErr_Occurred.PYTHON38 ref: 66F8A8D3
PyErr_Occurred.PYTHON38 ref: 66F8A8F6
_Py_Dealloc.PYTHON38 ref: 66F8ADE7
PyErr_SetString.PYTHON38 ref: 66F8AE01
PyErr_SetString.PYTHON38 ref: 66F8AEEC

Strings

bad marshal data (unnormalized long data), xrefs: 66F8AFA4
bad marshal data (long size out of range), xrefs: 66F8AEDF
bad marshal data (digit out of range in long), xrefs: 66F8ADF4

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$Occurred$Long_String$Dealloc
String ID: bad marshal data (digit out of range in long)$bad marshal data (long size out of range)$bad marshal data (unnormalized long data)
API String ID: 3848820501-2912230410
Opcode ID: 5bc338cac9ccb4e0e947c84c94b1f62be5f405781a060c7ef0a2f9ef0408a9cc
Instruction ID: 2ef7eec8fe95fd10496c1c059d5dfcc07b6e1d8c586d8b73495f33b13aab8365
Opcode Fuzzy Hash: 5bc338cac9ccb4e0e947c84c94b1f62be5f405781a060c7ef0a2f9ef0408a9cc
Instruction Fuzzy Hash: 11617E33709690CBFA04CF28C45C72A37B6FB89B89F469498C92A57354DF3AD646C390

Function 66F90832 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON38 ref: 66F9086B

Strings

exceptions must derive from BaseException, xrefs: 66F90861
exception causes must derive from BaseException, xrefs: 66F908CA
calling %R should have returned an instance of BaseException, not %R, xrefs: 66F90ADA

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_String
String ID: calling %R should have returned an instance of BaseException, not %R$exception causes must derive from BaseException$exceptions must derive from BaseException
API String ID: 1450464846-2865718950
Opcode ID: 4a023e350da011ab2ad22bf4473dd0211eaa449f9ae131f9e8648b057b904b9f
Instruction ID: febf28f8a3a747cff02bb30bad1b68555ae802a840ee94888f8f698ed6fa540b
Opcode Fuzzy Hash: 4a023e350da011ab2ad22bf4473dd0211eaa449f9ae131f9e8648b057b904b9f
Instruction Fuzzy Hash: 70519333B48A44C6FB098F2AE9583297362B785FD8F484128CE6D07725DFB9C155C390

Function 66F92240 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 171fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 66F92265
wsprintfA.USER32 ref: 66F92277
CreateFileA.KERNEL32 ref: 66F922A4
memset.MSVCRT ref: 66F922E3
DeviceIoControl.KERNEL32 ref: 66F92319
CloseHandle.KERNEL32 ref: 66F92326
isxdigit.MSVCRT ref: 66F923A3
isxdigit.MSVCRT ref: 66F923D0
isprint.MSVCRT ref: 66F923FB
memcpy.MSVCRT ref: 66F9248B
CloseHandle.KERNEL32 ref: 66F92493

Strings

/%d:, xrefs: 66F92246
\\.\PhysicalDrive%d, xrefs: 66F92270

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: CloseHandleisxdigitmemset$ControlCreateDeviceFileisprintmemcpywsprintf
String ID: /%d:$\\.\PhysicalDrive%d
API String ID: 2355516209-72258043
Opcode ID: 33d7d6228dc422a040bcb7331baf9b637b32cd73d9d028aaf22a700db3a584d4
Instruction ID: 07286e8b0068f2c44d44e269f31427a47554ecf7652daa96c44c477022c3a46f
Opcode Fuzzy Hash: 33d7d6228dc422a040bcb7331baf9b637b32cd73d9d028aaf22a700db3a584d4
Instruction Fuzzy Hash: 09514B7362C68086F701CB36E84475FBB92BB86798F444215EEA947B99DB7EC14CCB10

Function 66FA43A0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 110encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 66FA43F6
CryptAcquireContextA.ADVAPI32 ref: 66FA4416
CryptGenRandom.ADVAPI32 ref: 66FA4427
CryptReleaseContext.ADVAPI32 ref: 66FA443D
clock.MSVCRT ref: 66FA4480
clock.MSVCRT ref: 66FA4493
clock.MSVCRT ref: 66FA449C
clock.MSVCRT ref: 66FA44B3

Strings

src/prngs/rng_get_bytes.c, xrefs: 66FA4500
(, xrefs: 66FA43FE
Microsoft Base Cryptographic Provider v1.0, xrefs: 66FA43E5, 66FA440C
out != NULL, xrefs: 66FA4507

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Cryptclock$Context$Acquire$RandomRelease
String ID: ($Microsoft Base Cryptographic Provider v1.0$out != NULL$src/prngs/rng_get_bytes.c
API String ID: 2525729555-3762154145
Opcode ID: 793d620e323749c494c65408393a792c2461284f5025dbfa7414b8457e5158e6
Instruction ID: 79d166363c91b5acaa4023ffb375a2610c9bf038cbaf023096194428447e26ec
Opcode Fuzzy Hash: 793d620e323749c494c65408393a792c2461284f5025dbfa7414b8457e5158e6
Instruction Fuzzy Hash: FB31EF32718B80C6F710CF6AB84434ABBA6B789B98F404421DE4983764EF7AC486C361

Function 66FFF770 Relevance: 12.0, APIs: 8, Instructions: 50COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 66FFF784
RtlLookupFunctionEntry.KERNEL32 ref: 66FFF79B
RtlVirtualUnwind.KERNEL32 ref: 66FFF7DD
SetUnhandledExceptionFilter.KERNEL32 ref: 66FFF821
UnhandledExceptionFilter.KERNEL32 ref: 66FFF82E
GetCurrentProcess.KERNEL32 ref: 66FFF834
TerminateProcess.KERNEL32 ref: 66FFF842
abort.MSVCRT ref: 66FFF848

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
String ID:
API String ID: 4278921479-0
Opcode ID: f288b9e1baaae890ae0828b563388bd0882b53e54600ca77df703d032c6bcad7
Instruction ID: 470fadc75d9850c4d6deed3dcb911b30c4929598db38c774f759f90e21840ba5
Opcode Fuzzy Hash: f288b9e1baaae890ae0828b563388bd0882b53e54600ca77df703d032c6bcad7
Instruction Fuzzy Hash: 4821167221DB04D5FB008B65F88439933BAB70CB9CF844126D95E13725EF39C265C760

Function 00007FFDFB133EA4 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 280COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB1311B8: GetLastError.KERNEL32 ref: 00007FFDFB320566
Part of subcall function 00007FFDFB1311B8: TlsGetValue.KERNEL32 ref: 00007FFDFB320570
Part of subcall function 00007FFDFB1311B8: SetLastError.KERNEL32 ref: 00007FFDFB32057B

SwitchToFiber.KERNEL32 ref: 00007FFDFB1F2D61
CreateFiber.KERNEL32 ref: 00007FFDFB1F2E47
memmove.VCRUNTIME140 ref: 00007FFDFB1F2EA3
SwitchToFiber.KERNEL32 ref: 00007FFDFB1F2EC9

Strings

..\s\crypto\async\async.c, xrefs: 00007FFDFB1F2C81, 00007FFDFB1F2C98, 00007FFDFB1F2CE0, 00007FFDFB1F2DAB, 00007FFDFB1F2E75, 00007FFDFB1F2EE1, 00007FFDFB1F2F61, 00007FFDFB1F2FA3, 00007FFDFB1F2FCB, 00007FFDFB1F2FF7, 00007FFDFB1F301F, 00007FFDFB1F3063
*, xrefs: 00007FFDFB1F2C9F

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: Fiber$ErrorLastSwitch$CreateValuememmove
String ID: *$..\s\crypto\async\async.c
API String ID: 3019965278-1471988776
Opcode ID: 45e357ca4cf0a53423c2a2d7082731b4d95f49ecae19fd680e47bbb8d304c6ef
Instruction ID: 1865e777cc8ed7815df5cb3aabdf46075316fa90fabd26817f3154cda1fbd141
Opcode Fuzzy Hash: 45e357ca4cf0a53423c2a2d7082731b4d95f49ecae19fd680e47bbb8d304c6ef
Instruction Fuzzy Hash: 98C16C72B0AB4386EB20EB22E4609A977A0FF44B48F544435EA6D477E9EF3CE555C340

Function 66F83AC1 Relevance: 7.7, APIs: 5, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa7f4218ea1f66b95b148c455017a003c0d2cfb5ffa9dfc77694273e211ec8d
Instruction ID: de437f0f8149d4e54606e9ccbd6c3f5a7e9f9801fc98892e3a7ee448a4cfdc98
Opcode Fuzzy Hash: 2aa7f4218ea1f66b95b148c455017a003c0d2cfb5ffa9dfc77694273e211ec8d
Instruction Fuzzy Hash: A3A105737149D9A7CB02CF69D00019FBBB1F706B0EB99C049EB5A4A122D732D95BC751

Function 66FFF690 Relevance: 7.6, APIs: 5, Instructions: 56timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 66FFF6D5
GetCurrentProcessId.KERNEL32 ref: 66FFF6E0
GetCurrentThreadId.KERNEL32 ref: 66FFF6E9
GetTickCount.KERNEL32 ref: 66FFF6F1
QueryPerformanceCounter.KERNEL32 ref: 66FFF6FE

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: f40b1da27bc48723bde3b5c45379760af47dace5d55662387a80838995845961
Instruction ID: a18b87706231706de217299e19b4846ccdfb428762e38bff72ff2597060366ad
Opcode Fuzzy Hash: f40b1da27bc48723bde3b5c45379760af47dace5d55662387a80838995845961
Instruction Fuzzy Hash: 74114F3B669A1086FB504B35F808319A262B7487B8F085730DD6C437B4EE3DC59AC710

Function 00007FF654CA6100 Relevance: 166.6, APIs: 31, Strings: 64, Instructions: 348libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA7950: LoadLibraryExW.KERNEL32 ref: 00007FF654CA7971
Part of subcall function 00007FF654CA7950: free.MSVCRT ref: 00007FF654CA797D

GetProcAddress.KERNEL32 ref: 00007FF654CA680B
GetProcAddress.KERNEL32 ref: 00007FF654CA6827
GetProcAddress.KERNEL32 ref: 00007FF654CA6843
GetProcAddress.KERNEL32 ref: 00007FF654CA685F
GetProcAddress.KERNEL32 ref: 00007FF654CA687B
GetProcAddress.KERNEL32 ref: 00007FF654CA6897
GetProcAddress.KERNEL32 ref: 00007FF654CA68B3
GetProcAddress.KERNEL32 ref: 00007FF654CA68CF
GetProcAddress.KERNEL32 ref: 00007FF654CA68EB
GetProcAddress.KERNEL32 ref: 00007FF654CA6907
GetProcAddress.KERNEL32 ref: 00007FF654CA6923
GetProcAddress.KERNEL32 ref: 00007FF654CA693F
GetProcAddress.KERNEL32 ref: 00007FF654CA695B
GetProcAddress.KERNEL32 ref: 00007FF654CA6977
GetProcAddress.KERNEL32 ref: 00007FF654CA6993
GetProcAddress.KERNEL32 ref: 00007FF654CA69AF
GetProcAddress.KERNEL32 ref: 00007FF654CA69CB
GetProcAddress.KERNEL32 ref: 00007FF654CA69E7
GetProcAddress.KERNEL32 ref: 00007FF654CA6A03
GetProcAddress.KERNEL32 ref: 00007FF654CA6A1F
GetProcAddress.KERNEL32 ref: 00007FF654CA6A3B
GetProcAddress.KERNEL32 ref: 00007FF654CA6A57
GetProcAddress.KERNEL32 ref: 00007FF654CA6A73
GetProcAddress.KERNEL32 ref: 00007FF654CA6A8F
GetProcAddress.KERNEL32 ref: 00007FF654CA6AAB
GetProcAddress.KERNEL32 ref: 00007FF654CA6AC7
GetProcAddress.KERNEL32 ref: 00007FF654CA6AE3
GetProcAddress.KERNEL32 ref: 00007FF654CA6AFF
GetProcAddress.KERNEL32 ref: 00007FF654CA6B1B
GetProcAddress.KERNEL32 ref: 00007FF654CA6B37
GetProcAddress.KERNEL32 ref: 00007FF654CA6B53

Strings

Tk_Init, xrefs: 00007FF654CA6B2D
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF654CA6D30
Failed to get address for Tcl_GetVar2, xrefs: 00007FF654CA6CA0
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF654CA6D60
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF654CA6C28
Tcl_ConditionNotify, xrefs: 00007FF654CA6951
Failed to get address for Tk_Init, xrefs: 00007FF654CA6E20
Tcl_ThreadQueueEvent, xrefs: 00007FF654CA6989
Tcl_GetObjResult, xrefs: 00007FF654CA6A85
Failed to get address for Tcl_EvalEx, xrefs: 00007FF654CA6E08
Tcl_DeleteInterp, xrefs: 00007FF654CA68A9
Tcl_ThreadAlert, xrefs: 00007FF654CA69A5
Tcl_SetVar2Ex, xrefs: 00007FF654CA6A69
Tcl_Alloc, xrefs: 00007FF654CA6AF5
Tcl_Init, xrefs: 00007FF654CA6804
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF654CA6D90
LOADER: Failed to load tcl/tk libraries, xrefs: 00007FF654CA6150
Tcl_MutexLock, xrefs: 00007FF654CA68FD
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF654CA6C70
Failed to get address for Tcl_Free, xrefs: 00007FF654CA6DC0
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF654CA6D18
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF654CA6B8F
Tcl_NewStringObj, xrefs: 00007FF654CA6A31
Tcl_CreateThread, xrefs: 00007FF654CA68C5
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF654CA6C10
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF654CA6BCE
Failed to get address for Tcl_CreateThread, xrefs: 00007FF654CA6BE3
Failed to get address for Tcl_EvalFile, xrefs: 00007FF654CA6DA8
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF654CA6C40
Tcl_CreateObjCommand, xrefs: 00007FF654CA69F9
Tcl_Free, xrefs: 00007FF654CA6B11
Failed to get address for Tcl_MutexLock, xrefs: 00007FF654CA6C88
Tcl_ConditionWait, xrefs: 00007FF654CA696D
Tcl_GetVar2, xrefs: 00007FF654CA69C1
Tcl_SetVar2, xrefs: 00007FF654CA69DD
Failed to get address for Tcl_Finalize, xrefs: 00007FF654CA6BB9
GetProcAddress, xrefs: 00007FF654CA6B76, 00007FF654CA6B96, 00007FF654CA6BAB, 00007FF654CA6BC0, 00007FF654CA6BD5, 00007FF654CA6BEA, 00007FF654CA6BFF, 00007FF654CA6C17, 00007FF654CA6C2F, 00007FF654CA6C47, 00007FF654CA6C5F, 00007FF654CA6C77, 00007FF654CA6C8F, 00007FF654CA6CA7, 00007FF654CA6CBF, 00007FF654CA6CD7, 00007FF654CA6CEF, 00007FF654CA6D07, 00007FF654CA6D1F, 00007FF654CA6D37, 00007FF654CA6D4F, 00007FF654CA6D67, 00007FF654CA6D7F, 00007FF654CA6D97, 00007FF654CA6DAF, 00007FF654CA6DC7, 00007FF654CA6DDF, 00007FF654CA6DF7, 00007FF654CA6E0F, 00007FF654CA6E27, 00007FF654CA6E3F
Tcl_ConditionFinalize, xrefs: 00007FF654CA6935
Tcl_MutexUnlock, xrefs: 00007FF654CA6919
Failed to get address for Tcl_SetVar2, xrefs: 00007FF654CA6D00
Tk_GetNumMainWindows, xrefs: 00007FF654CA6B49
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF654CA6CD0
Tcl_GetCurrentThread, xrefs: 00007FF654CA68E1
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF654CA6D78
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF654CA6BA4
Tcl_CreateInterp, xrefs: 00007FF654CA681D
Tcl_DoOneEvent, xrefs: 00007FF654CA6855
Failed to get address for Tcl_Init, xrefs: 00007FF654CA6B6F
Tcl_NewByteArrayObj, xrefs: 00007FF654CA6A4D
Failed to get address for Tcl_Alloc, xrefs: 00007FF654CA6DD8
Failed to get address for Tcl_GetString, xrefs: 00007FF654CA6D48
Tcl_EvalFile, xrefs: 00007FF654CA6AA1
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF654CA6E38
Tcl_EvalEx, xrefs: 00007FF654CA6ABD
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF654CA6BF8
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF654CA6CB8
Tcl_Finalize, xrefs: 00007FF654CA6871
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF654CA6C58
Tcl_EvalObjv, xrefs: 00007FF654CA6AD9
Tcl_FinalizeThread, xrefs: 00007FF654CA688D
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF654CA6CE8
Tcl_GetString, xrefs: 00007FF654CA6A15
Tcl_FindExecutable, xrefs: 00007FF654CA6839
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF654CA6DF0

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: AddressProc$LibraryLoadfree
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 4213687213-1453502826
Opcode ID: 1c815d3e7de6c3911d1ed5474632c0ec2993e8d45509a061944c3f9f4ef79aaf
Instruction ID: 973cf5e1eb3db5a902a6e7c684a0dc43147a4d93fd2fd0fd87dbf93562d895e1
Opcode Fuzzy Hash: 1c815d3e7de6c3911d1ed5474632c0ec2993e8d45509a061944c3f9f4ef79aaf
Instruction Fuzzy Hash: 0202E3E4E0AB0790EA55DB15F9F40B427B4AFC4380B8C94B7C44EA77A5EE6CE54AC310

Function 66F928C0 Relevance: 75.7, APIs: 27, Strings: 16, Instructions: 436filestringCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 66F928FE

Part of subcall function 66F92510: strlen.MSVCRT ref: 66F92533

fprintf.MSVCRT ref: 66F92937

Part of subcall function 66F92730: strlen.MSVCRT ref: 66F9274A

fputc.MSVCRT ref: 66F92969

Part of subcall function 66F91BB0: GetProcessHeap.KERNEL32 ref: 66F91BD3
Part of subcall function 66F91BB0: HeapAlloc.KERNEL32 ref: 66F91BE7
Part of subcall function 66F91BB0: GetAdaptersAddresses.IPHLPAPI ref: 66F91C0C
Part of subcall function 66F91BB0: GetProcessHeap.KERNEL32 ref: 66F91C7F
Part of subcall function 66F91BB0: HeapFree.KERNEL32 ref: 66F91C89

fprintf.MSVCRT ref: 66F92998

Part of subcall function 66F919C0: GetProcessHeap.KERNEL32 ref: 66F919E1
Part of subcall function 66F919C0: HeapAlloc.KERNEL32 ref: 66F919F6
Part of subcall function 66F919C0: memcpy.MSVCRT ref: 66F91A6C
Part of subcall function 66F919C0: GetProcessHeap.KERNEL32 ref: 66F91A8A
Part of subcall function 66F919C0: HeapFree.KERNEL32 ref: 66F91A95

fputc.MSVCRT ref: 66F929CB

Part of subcall function 66F91D40: GetProcessHeap.KERNEL32 ref: 66F91D63
Part of subcall function 66F91D40: HeapAlloc.KERNEL32 ref: 66F91D77
Part of subcall function 66F91D40: GetAdaptersAddresses.IPHLPAPI ref: 66F91D9F
Part of subcall function 66F91D40: inet_ntoa.WS2_32 ref: 66F91DD7
Part of subcall function 66F91D40: GetProcessHeap.KERNEL32 ref: 66F91DF2
Part of subcall function 66F91D40: HeapFree.KERNEL32 ref: 66F91DFC

fprintf.MSVCRT ref: 66F929FA
fputc.MSVCRT ref: 66F92A0E

Part of subcall function 66F92140: GetProcessHeap.KERNEL32 ref: 66F9215B
Part of subcall function 66F92140: HeapAlloc.KERNEL32 ref: 66F9216F
Part of subcall function 66F92140: GetNetworkParams.IPHLPAPI ref: 66F921A7
Part of subcall function 66F92140: GetProcessHeap.KERNEL32 ref: 66F921C9
Part of subcall function 66F92140: HeapFree.KERNEL32 ref: 66F921D3

fprintf.MSVCRT ref: 66F92A3D
fwrite.MSVCRT ref: 66F92A5E
strchr.MSVCRT ref: 66F92A8B
fwrite.MSVCRT ref: 66F92AC3
fprintf.MSVCRT ref: 66F92AEB
strchr.MSVCRT ref: 66F92AF8
fprintf.MSVCRT ref: 66F92B19
fputc.MSVCRT ref: 66F92B32
fwrite.MSVCRT ref: 66F92B53
malloc.MSVCRT ref: 66F92B5D
fwrite.MSVCRT ref: 66F92EF7
fwrite.MSVCRT ref: 66F92F18
fwrite.MSVCRT ref: 66F92F39
fwrite.MSVCRT ref: 66F92F5A

Strings

Failed to get domain name., xrefs: 66F92F45
%02x:, xrefs: 66F92E0E
Default Mac address: "%s", xrefs: 66F9298B
Hardware informations got by PyArmor:, xrefs: 66F928E6
Failed to get ip address., xrefs: 66F92F24
Serial number of default harddisk: "%s", xrefs: 66F9292A
>", xrefs: 66F92EB7
Domain name: "%s", xrefs: 66F92A30
Serial number with disk name: , xrefs: 66F92AAE
Ip address: "%s", xrefs: 66F929ED
Failed to get mac address., xrefs: 66F92F03
Change logsv6.2.0(r21): Remove trailing dot from harddisk serial numberv6.4.2(r34): Support binding multiple mac addressesv6.5.3(r37): Support binding named harddiskv6.7.5(r45): Support mmc/sd card in Linux, xrefs: 66F92A49
"%s", xrefs: 66F92ACD, 66F92B0C
Multiple Mac addresses: "<, xrefs: 66F92B3E
%02x, xrefs: 66F92E6D
Failed to get harddisk information., xrefs: 66F92EE2

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Heap$Processfwrite$fprintf$AllocFreefputc$AdaptersAddressesstrchrstrlen$NetworkParamsinet_ntoamallocmemcpy
String ID: "%s"$Change logsv6.2.0(r21): Remove trailing dot from harddisk serial numberv6.4.2(r34): Support binding multiple mac addressesv6.5.3(r37): Support binding named harddiskv6.7.5(r45): Support mmc/sd card in Linux$%02x$%02x:$>"$Default Mac address: "%s"$Domain name: "%s"$Failed to get domain name.$Failed to get harddisk information.$Failed to get ip address.$Failed to get mac address.$Hardware informations got by PyArmor:$Ip address: "%s"$Multiple Mac addresses: "<$Serial number of default harddisk: "%s"$Serial number with disk name:
API String ID: 3427000353-3771683696
Opcode ID: eb22b472ff73d2eda26802c2464a32e64e5a8e708135cba05a01e7ada9dbe044
Instruction ID: 2efac3af79a9896d73cabf1364f0e988bc7123ea9ccfc99ada51f737d46b5b68
Opcode Fuzzy Hash: eb22b472ff73d2eda26802c2464a32e64e5a8e708135cba05a01e7ada9dbe044
Instruction Fuzzy Hash: 43029D36329B848AFB50CB25E45439E77A6F789BA8F008226DF9D47798DF3AC144C711

Function 66F833ED Relevance: 57.9, APIs: 25, Strings: 8, Instructions: 171COMMON

Download Yara Rule

APIs

PyImport_GetModuleDict.PYTHON38 ref: 66F833ED
PyDict_GetItemString.PYTHON38 ref: 66F83400
PyModule_GetDict.PYTHON38 ref: 66F8340E
PyDict_GetItemString.PYTHON38 ref: 66F83427
PyObject_GetAttrString.PYTHON38 ref: 66F8344D
PyList_GetItem.PYTHON38 ref: 66F83461
_PyObject_CallFunction_SizeT.PYTHON38 ref: 66F834A6
_PyObject_CallMethod_SizeT.PYTHON38 ref: 66F834D7
_PyObject_CallMethod_SizeT.PYTHON38 ref: 66F834E9
_Py_Dealloc.PYTHON38 ref: 66F834F5
PyErr_Clear.PYTHON38 ref: 66F83580
getenv.MSVCRT ref: 66F8358D
PyUnicode_FromFormat.PYTHON38(?,?,?,?,?,?), ref: 66F835AA
_PyObject_CallFunction_SizeT.PYTHON38(?,?,?,?,?,?), ref: 66F835D7
_PyObject_CallMethod_SizeT.PYTHON38 ref: 66F83605
_PyObject_CallMethod_SizeT.PYTHON38 ref: 66F83617
_Py_Dealloc.PYTHON38 ref: 66F83623
PyList_GetItem.PYTHON38 ref: 66F83685
_Py_Dealloc.PYTHON38 ref: 66F83824

Strings

close, xrefs: 66F834DF, 66F8360D, 66F8372C
%U/%s, xrefs: 66F8369D
%s/%s, xrefs: 66F836C6
__path__, xrefs: 66F8341D
_path, xrefs: 66F83443
read, xrefs: 66F834C6, 66F835F4, 66F83713
%U/../%s, xrefs: 66F83479
PYARMOR_RKEY, xrefs: 66F83586

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Object_$CallSize$ItemMethod_$DeallocString$DictDict_Function_List_$AttrClearErr_FormatFromImport_ModuleModule_Unicode_getenv
String ID: %U/%s$%U/../%s$%s/%s$PYARMOR_RKEY$__path__$_path$close$read
API String ID: 2543034039-1237617226
Opcode ID: e1b016914b5e7b6b87f589857cac34d34ac1e87f9f39a1f90c3dcef8a817df11
Instruction ID: 41add89dbbe9bf8f26cbe69c37cb58bea8ea31a311c0844cf22015d33ce1c5e7
Opcode Fuzzy Hash: e1b016914b5e7b6b87f589857cac34d34ac1e87f9f39a1f90c3dcef8a817df11
Instruction Fuzzy Hash: 73618D7375AA10C5FE05DBAAEC0835523A2BB49B98F88546ACC1D07331EF3EC959C320

Function 66F88290 Relevance: 51.0, APIs: 24, Strings: 5, Instructions: 203COMMON

Download Yara Rule

APIs

PyTuple_Size.PYTHON38 ref: 66F882B1
PyTuple_New.PYTHON38 ref: 66F882BD
_PyObject_LookupAttr.PYTHON38 ref: 66F8831F
_PyObject_GetAttrId.PYTHON38 ref: 66F88333
PyModule_GetFilenameObject.PYTHON38 ref: 66F8835F
PyUnicode_FromString.PYTHON38 ref: 66F8836F
_PyErr_Clear.PYTHON38 ref: 66F883A9
PyErr_SetImportError.PYTHON38 ref: 66F883CF
_Py_Dealloc.PYTHON38 ref: 66F883EE

Strings

%U.%U, xrefs: 66F88442
cannot import name %R from %R (%S), xrefs: 66F884FA
cannot import name %R from %R (unknown location), xrefs: 66F883B5
cannot import name %R from partially initialized module %R (most likely due to a circular import) (%S), xrefs: 66F88515
<unknown module name>, xrefs: 66F88368

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: AttrErr_Object_Tuple_$ClearDeallocErrorFilenameFromImportLookupModule_ObjectSizeStringUnicode_
String ID: %U.%U$<unknown module name>$cannot import name %R from %R (%S)$cannot import name %R from %R (unknown location)$cannot import name %R from partially initialized module %R (most likely due to a circular import) (%S)
API String ID: 597108667-3215622635
Opcode ID: 0b636d72b52868ff50777b4f11f57c09960b1768b104a63cbea96283873e2f0c
Instruction ID: 6a1bef322f754a089a92e14643885b679f49611553ac64e985aa3a23e200488b
Opcode Fuzzy Hash: 0b636d72b52868ff50777b4f11f57c09960b1768b104a63cbea96283873e2f0c
Instruction Fuzzy Hash: 84717D33B19B84E6EA049F26E85875A63B5B78AFD8F480069DD6E07725DF3DC254C310

Function 66F8D390 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 453fileCOMMON

Download Yara Rule

APIs

_Py_hashtable_get_entry.PYTHON38 ref: 66F8D431
fwrite.MSVCRT ref: 66F8D5F2
fwrite.MSVCRT ref: 66F8D635
PyErr_SetString.PYTHON38 ref: 66F8D8E9

Strings

too many objects, xrefs: 66F8D8DF

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: fwrite$Err_Py_hashtable_get_entryString
String ID: too many objects
API String ID: 3930244777-4209268247
Opcode ID: fa090c08b0fb60d478c04ae38b7f57fd07667f6f36716c4d4720667f9f138815
Instruction ID: 3445bb55771246d038600982ed6e33b8494ebfa53518db68460a91c6272470a6
Opcode Fuzzy Hash: fa090c08b0fb60d478c04ae38b7f57fd07667f6f36716c4d4720667f9f138815
Instruction Fuzzy Hash: 5F128DB2614B8086EB04CFA9E05439977B1FB49FE8F50422BDA5E5B798DF38C591C390

Function 66F91060 Relevance: 35.3, APIs: 16, Strings: 4, Instructions: 254COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON38 ref: 66F911AB
_Py_Dealloc.PYTHON38 ref: 66F911F1
PyTuple_New.PYTHON38 ref: 66F912F6
PyDict_GetItem.PYTHON38 ref: 66F913DF
PyDict_DelItem.PYTHON38 ref: 66F91407
PyErr_SetString.PYTHON38 ref: 66F91434

Strings

missing required positional arguments, xrefs: 66F911A1
Can't remove argname from kwargs, xrefs: 66F91286
missing kwonly required arguments, xrefs: 66F9142A
too many positional arguments, xrefs: 66F91494

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Dict_Err_ItemString$DeallocTuple_
String ID: Can't remove argname from kwargs$missing kwonly required arguments$missing required positional arguments$too many positional arguments
API String ID: 2174600326-1903473336
Opcode ID: 28cc82da182a29a76e7f28fab56373e72e4e9c72db14733914b3ecd1a03fffa2
Instruction ID: 39f5c187b5645ac5abdba47f8c7c0571aa516d8d23a9755a5d76dc16f8cc622d
Opcode Fuzzy Hash: 28cc82da182a29a76e7f28fab56373e72e4e9c72db14733914b3ecd1a03fffa2
Instruction Fuzzy Hash: 00B14932619B84D2FB25CF25E84435A7379F79ABA8F558221CEAD43B68CF39C095C710

Function 66F8FC70 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 175COMMON

Download Yara Rule

APIs

PyObject_GetIter.PYTHON38 ref: 66F8FCBF
PyIter_Next.PYTHON38 ref: 66F8FD06
PyErr_Occurred.PYTHON38 ref: 66F8FD0E
_Py_Dealloc.PYTHON38 ref: 66F8FD48
_Py_Dealloc.PYTHON38 ref: 66F8FD59
Py_DecRef.PYTHON38 ref: 66F8FD62
Py_DecRef.PYTHON38 ref: 66F8FDAD
PyIter_Next.PYTHON38 ref: 66F8FDC3
PyErr_Format.PYTHON38 ref: 66F8FDE9
_Py_Dealloc.PYTHON38 ref: 66F8FE33
PyErr_ExceptionMatches.PYTHON38 ref: 66F8FE4A
PySequence_Check.PYTHON38 ref: 66F8FE6D
PyErr_Format.PYTHON38 ref: 66F8FE8D
PyErr_Occurred.PYTHON38 ref: 66F8FEC2
Py_DecRef.PYTHON38 ref: 66F8FF0E

Strings

not enough values to unpack (expected %d, got %d), xrefs: 66F8FEAD
cannot unpack non-iterable %.200s object, xrefs: 66F8FE7F
too many values to unpack (expected %d), xrefs: 66F8FDDF

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$Dealloc$FormatIter_NextOccurred$CheckExceptionIterMatchesObject_Sequence_
String ID: cannot unpack non-iterable %.200s object$not enough values to unpack (expected %d, got %d)$too many values to unpack (expected %d)
API String ID: 4253435814-2953850414
Opcode ID: 4ae758f1f6122f153df45a04735c8f5d02a2d18b035e85410d30d0ce1831f0bc
Instruction ID: bb78d9aa872d7f79b0593d89aaf6ced5b041ff7bc4566f42d27c636bd3e8b73e
Opcode Fuzzy Hash: 4ae758f1f6122f153df45a04735c8f5d02a2d18b035e85410d30d0ce1831f0bc
Instruction Fuzzy Hash: F961AD33B1AA44CAEA849F29E8483186372FBD9FD9F544569CE2D47325DF39C195C320

Function 66F89CA5 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 164COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON38 ref: 66F89CB6
_Py_CheckFunctionResult.PYTHON38 ref: 66F8A3C0

Strings

bad marshal data (index list too large), xrefs: 66F8B255
bad marshal data (set size out of range), xrefs: 66F8AC19
NULL object in marshal data for set, xrefs: 66F8B042

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: CheckErr_FunctionOccurredResult
String ID: NULL object in marshal data for set$bad marshal data (index list too large)$bad marshal data (set size out of range)
API String ID: 3781139737-600355161
Opcode ID: c8f67c40486653046e2c3ca47707ff543f13426e1b356efa78fb6efdf85ecb2c
Instruction ID: 464bdc2f7a25b6c66c3618ccf06e207b2930d8099563bd73cbd52f408807669e
Opcode Fuzzy Hash: c8f67c40486653046e2c3ca47707ff543f13426e1b356efa78fb6efdf85ecb2c
Instruction Fuzzy Hash: F7619033609A80C3FB54CB6AE44835E73B1F785BA4F418599C96E47798DF39C546C360

Function 66F88810 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

_PyFloat_Unpack8.PYTHON38 ref: 66F88841
PyBuffer_FillInfo.PYTHON38 ref: 66F88896
PyMemoryView_FromBuffer.PYTHON38 ref: 66F888A4
_PyObject_CallMethodId_SizeT.PYTHON38 ref: 66F888C4
PyNumber_AsSsize_t.PYTHON38 ref: 66F888E3
PyErr_SetString.PYTHON38 ref: 66F88A11

Strings

read() returned too much data: %zd bytes requested, %zd returned, xrefs: 66F889E5
marshal data too short, xrefs: 66F88A07
EOF read where not expected, xrefs: 66F88972

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: BufferBuffer_CallErr_FillFloat_FromInfoMemoryMethodNumber_Object_SizeSsize_tStringUnpack8View_
String ID: EOF read where not expected$marshal data too short$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 3670709071-4172231876
Opcode ID: 3eca95e28352e075eee955ad36ce1df736b194464b845e13c39b76958bb8f106
Instruction ID: 5406d9df5b56de47d205fa6819b22a080f04a4a945e288e7c69c2a40f8f8aa95
Opcode Fuzzy Hash: 3eca95e28352e075eee955ad36ce1df736b194464b845e13c39b76958bb8f106
Instruction Fuzzy Hash: C5517832729A04D6FF05CF69E8483182372A789FA9F504369C97D137A8DF39C59AC361

Function 00007FFDFB1366B8 Relevance: 30.0, APIs: 10, Strings: 7, Instructions: 205stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2DBB1D
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2DBB5D
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2DBB81
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2DBB9A
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2DBBB6
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2DBBCF

Strings

ENCRYPTED, xrefs: 00007FFDFB2DBB8D
, xrefs: 00007FFDFB2DBBAC
, xrefs: 00007FFDFB2DBBC5
,, xrefs: 00007FFDFB2DBC5D
Proc-Type:, xrefs: 00007FFDFB2DBB16
..\s\crypto\pem\pem_lib.c, xrefs: 00007FFDFB2DBB37, 00007FFDFB2DBBEA, 00007FFDFB2DBC2C, 00007FFDFB2DBCA2, 00007FFDFB2DBCEB, 00007FFDFB2DBD1B, 00007FFDFB2DBDCA
DEK-Info:, xrefs: 00007FFDFB2DBC0A

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: strspn$strncmp
String ID: $ $ ,$..\s\crypto\pem\pem_lib.c$DEK-Info:$ENCRYPTED$Proc-Type:
API String ID: 1384302209-3505811795
Opcode ID: e90065c7be01b739f3bd4072d943918714ba8c1968184f16852b7dcd88a8af2c
Instruction ID: a3250c143e5fb5508f899a40ad4adc88ede6996e3cdf1c329cd650b805e27ff6
Opcode Fuzzy Hash: e90065c7be01b739f3bd4072d943918714ba8c1968184f16852b7dcd88a8af2c
Instruction Fuzzy Hash: 6591B265B0F65786E7249F11E434ABD77A1AF08B88F844030CA6D86AEDEF3DE546C700

Function 00007FF654CA1C80 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7723
Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7753
Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7769
Part of subcall function 00007FF654CA76B0: strcpy.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA777A
Part of subcall function 00007FF654CA76B0: strtok.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA7784

malloc.MSVCRT ref: 00007FF654CA1CF0
fread.MSVCRT ref: 00007FF654CA1D51
free.MSVCRT ref: 00007FF654CA1D79
fclose.MSVCRT ref: 00007FF654CA1D9B
fclose.MSVCRT ref: 00007FF654CA1DAA

Strings

Failed to extract %s: failed to open target file!, xrefs: 00007FF654CA1E3B
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF654CA1E23
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF654CA1E5B
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF654CA1D5E
fwrite, xrefs: 00007FF654CA1E0A
Failed to extract %s: failed to open archive file!, xrefs: 00007FF654CA1DE2
fread, xrefs: 00007FF654CA1D65
fopen, xrefs: 00007FF654CA1E42
fseek, xrefs: 00007FF654CA1E2A
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF654CA1E03
malloc, xrefs: 00007FF654CA1E62

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: strlen$fclose$freadfreemallocstrcpystrtok
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 790192563-666925554
Opcode ID: 0650b55fdc532a3c314f5b9d4dd76ba0dd67bca11ed56b8b8d39f3fa91f93a94
Instruction ID: 5d8936f683f5ecfed94953b87fe6d7f503a50193c404997fd602b43de507e3d5
Opcode Fuzzy Hash: 0650b55fdc532a3c314f5b9d4dd76ba0dd67bca11ed56b8b8d39f3fa91f93a94
Instruction Fuzzy Hash: 41419CA5F0960250FB559B22D8F02B92271AFC5B94FCC45B3DE1EAB3D2EE2CE5458300

Function 66F88A40 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 120COMMON

Download Yara Rule

APIs

PyBuffer_FillInfo.PYTHON38 ref: 66F88AC6
PyMemoryView_FromBuffer.PYTHON38 ref: 66F88AD4
_PyObject_CallMethodId_SizeT.PYTHON38 ref: 66F88AF4
PyNumber_AsSsize_t.PYTHON38 ref: 66F88B13
PyErr_SetString.PYTHON38 ref: 66F88C41

Strings

read() returned too much data: %zd bytes requested, %zd returned, xrefs: 66F88C15
marshal data too short, xrefs: 66F88C37
EOF read where not expected, xrefs: 66F88BA2

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: BufferBuffer_CallErr_FillFromInfoMemoryMethodNumber_Object_SizeSsize_tStringView_
String ID: EOF read where not expected$marshal data too short$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 3120701247-4172231876
Opcode ID: 936f3972695df17d923b0cd6dabc38f08f1a4f489ded14f4527c1b8a5bc998e0
Instruction ID: 80fae3de215552da353d4150ba323bc849d43b01c92d992e7f86c9359f7a527e
Opcode Fuzzy Hash: 936f3972695df17d923b0cd6dabc38f08f1a4f489ded14f4527c1b8a5bc998e0
Instruction Fuzzy Hash: DE416CB2719A44D2FE04CB69D8483082372A789FB9F944319CA3D473E5DF39C656C360

Function 00007FF654CA7270 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 118COMMON

Download Yara Rule

APIs

_wputenv_s.MSVCRT ref: 00007FF654CA72C1
free.MSVCRT ref: 00007FF654CA72CC
GetTempPathW.KERNEL32 ref: 00007FF654CA72F0
_getpid.MSVCRT(?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA72F6
_wtempnam.MSVCRT ref: 00007FF654CA731F
free.MSVCRT ref: 00007FF654CA7334
free.MSVCRT ref: 00007FF654CA735E

Part of subcall function 00007FF654CA6FE0: GetEnvironmentVariableW.KERNEL32 ref: 00007FF654CA700C

Part of subcall function 00007FF654CA7110: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF654CA714B
Part of subcall function 00007FF654CA7110: free.MSVCRT ref: 00007FF654CA7156
Part of subcall function 00007FF654CA7110: _wfullpath.MSVCRT ref: 00007FF654CA717E
Part of subcall function 00007FF654CA7110: wcschr.MSVCRT(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71AD
Part of subcall function 00007FF654CA7110: wcsncpy.MSVCRT ref: 00007FF654CA71DB
Part of subcall function 00007FF654CA7110: CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71E5
Part of subcall function 00007FF654CA7110: wcschr.MSVCRT(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71F0
Part of subcall function 00007FF654CA7110: CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA7202

Strings

LOADER: Failed to set the TMP environment variable., xrefs: 00007FF654CA7380
TMP, xrefs: 00007FF654CA7294, 00007FF654CA734C, 00007FF654CA73B3, 00007FF654CA73DD, 00007FF654CA7409
TMP, xrefs: 00007FF654CA72B7
_MEI%d, xrefs: 00007FF654CA72FB

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$CreateDirectoryEnvironmentwcschr$ExpandPathStringsTempVariable_getpid_wfullpath_wputenv_s_wtempnamwcsncpy
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 2180377646-1116378104
Opcode ID: 5c4b10aed0aea61ccbc9035126b4b601bd2dedeeab183b41183b05d6da6e050d
Instruction ID: f62146a0d111edc9aa6a38346515cddbce1d3ae4a64bb84879afd9183c586abf
Opcode Fuzzy Hash: 5c4b10aed0aea61ccbc9035126b4b601bd2dedeeab183b41183b05d6da6e050d
Instruction Fuzzy Hash: FB415B91E4A50301FA55A723ADB56B652726FC5BD1F8C84B7EC0EE7792ED3CE4498200

Function 66F88DA0 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

PyBuffer_FillInfo.PYTHON38 ref: 66F88E22
PyMemoryView_FromBuffer.PYTHON38 ref: 66F88E34
_PyObject_CallMethodId_SizeT.PYTHON38 ref: 66F88E58
PyNumber_AsSsize_t.PYTHON38 ref: 66F88E7A
PyErr_Occurred.PYTHON38 ref: 66F88E93
PyErr_Format.PYTHON38 ref: 66F88EBE
PyErr_SetString.PYTHON38 ref: 66F88F81

Strings

read() returned too much data: %zd bytes requested, %zd returned, xrefs: 66F88EB4
marshal data too short, xrefs: 66F88F77
EOF read where not expected, xrefs: 66F88F59

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$BufferBuffer_CallFillFormatFromInfoMemoryMethodNumber_Object_OccurredSizeSsize_tStringView_
String ID: EOF read where not expected$marshal data too short$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 2192429850-4172231876
Opcode ID: 07277b65a59be4b753c614c0202c736ff9f12106d3464e1bc0326f5e957a5f6a
Instruction ID: bd3b84fc69c9513d84d28faa8ed2957b0cbeb0af704760227e98b37447ab39cd
Opcode Fuzzy Hash: 07277b65a59be4b753c614c0202c736ff9f12106d3464e1bc0326f5e957a5f6a
Instruction Fuzzy Hash: 2D41A073319A04D6FE148F66E8483596372BB58BE8F8846698E3E47760DF3DC194C360

Function 66F8329E Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 94COMMON

Download Yara Rule

APIs

_PyObject_CallFunction_SizeT.PYTHON38 ref: 66F832E8
PyErr_Clear.PYTHON38 ref: 66F83304
PyErr_Format.PYTHON38 ref: 66F83364
_PyObject_CallMethod_SizeT.PYTHON38(?,?,?,?,?,?), ref: 66F833A3
_PyObject_CallMethod_SizeT.PYTHON38(?,?,?,?,?,?), ref: 66F833B5
PySys_GetObject.PYTHON38 ref: 66F83517
_Py_Dealloc.PYTHON38 ref: 66F83573
getenv.MSVCRT ref: 66F83647

Strings

close, xrefs: 66F833AB
executable, xrefs: 66F83510
%U.%s, xrefs: 66F83523
%U/%s, xrefs: 66F832BF
%s/%s, xrefs: 66F83652
%s (%d:%d), xrefs: 66F8335D
read, xrefs: 66F83392
PYARMOR_RKEY, xrefs: 66F83640

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: CallObject_Size$Err_Method_$ClearDeallocFormatFunction_ObjectSys_getenv
String ID: %U.%s$%U/%s$%s (%d:%d)$%s/%s$PYARMOR_RKEY$close$executable$read
API String ID: 2643494441-891831584
Opcode ID: f1e9cc0939e1be94a31a7c904e7eda209acd20ea79d6dff75c61349203f42e4d
Instruction ID: 0e73371ab166e256a0892b585c144ba63e4b61b50368bb7f737f8491852f140f
Opcode Fuzzy Hash: f1e9cc0939e1be94a31a7c904e7eda209acd20ea79d6dff75c61349203f42e4d
Instruction Fuzzy Hash: 86310173749A58C1FF01DB9AEC443592362AB49BD8F84446ACD1D07770EF2ECA12C360

Function 66F8FF30 Relevance: 27.2, APIs: 18, Instructions: 153COMMON

Download Yara Rule

APIs

PyObject_Call.PYTHON38 ref: 66F8FFE2
PyErr_CheckSignals.PYTHON38 ref: 66F90017
_Py_Dealloc.PYTHON38 ref: 66F90035
_Py_Dealloc.PYTHON38 ref: 66F90043
_Py_Dealloc.PYTHON38 ref: 66F90053

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Dealloc$CallCheckErr_Object_Signals
String ID:
API String ID: 356930793-0
Opcode ID: 661eba1ea82d98063ec9171325e7be6dd56c8cebdfa07e83017ac80fe8b02245
Instruction ID: a64dc1d9d1b4e1941bf83ce4521108904637978546aa99a4301eec53fff47731
Opcode Fuzzy Hash: 661eba1ea82d98063ec9171325e7be6dd56c8cebdfa07e83017ac80fe8b02245
Instruction Fuzzy Hash: A251D733B5AA40DAFB495F32994C328B371ABABFD5F084258DE1906B25DF39C154C350

Function 66F91BB0 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 66F91BD3
HeapAlloc.KERNEL32 ref: 66F91BE7
GetAdaptersAddresses.IPHLPAPI ref: 66F91C0C
GetProcessHeap.KERNEL32 ref: 66F91C7F
HeapFree.KERNEL32 ref: 66F91C89
GetProcessHeap.KERNEL32 ref: 66F91CA0
HeapFree.KERNEL32 ref: 66F91CAA
GetProcessHeap.KERNEL32 ref: 66F91CB1
HeapAlloc.KERNEL32 ref: 66F91CBB
GetAdaptersAddresses.IPHLPAPI ref: 66F91CD7

Strings

../src/platforms/windows/hdinfo.c, xrefs: 66F91D07
%02x:%02x:%02x:%02x:%02x:%02x, xrefs: 66F91C49
Too small size, xrefs: 66F91D00

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Heap$Process$AdaptersAddressesAllocFree
String ID: %02x:%02x:%02x:%02x:%02x:%02x$../src/platforms/windows/hdinfo.c$Too small size
API String ID: 1283795797-3992030336
Opcode ID: b9ecc508961badcf67c57339c1eeb25e59cfe75f2fea1e6ca6f543c3f17c6b54
Instruction ID: a84e10c400ba51bba6dbee66a7cc4ab580e96fdb8d60e6c698fff64026ecd24c
Opcode Fuzzy Hash: b9ecc508961badcf67c57339c1eeb25e59cfe75f2fea1e6ca6f543c3f17c6b54
Instruction Fuzzy Hash: D531C9227085508AF715DBBABC107AEBB96A7897D8F044336AD6C837D4EA3CC541D710

Function 00007FF654CA8440 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF654CA8477
OpenProcessToken.ADVAPI32 ref: 00007FF654CA8488
free.MSVCRT ref: 00007FF654CA84A0
CloseHandle.KERNEL32 ref: 00007FF654CA84B0
_snwprintf.MSVCRT ref: 00007FF654CA84D8
LocalFree.KERNEL32 ref: 00007FF654CA84E1
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF654CA8507
CreateDirectoryW.KERNEL32 ref: 00007FF654CA851B
GetTokenInformation.ADVAPI32(00000000,00000005(TokenIntegrityLevel),?,?,?,00007FFE209EC150,00007FF654CA732D,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA8561
GetLastError.KERNEL32 ref: 00007FF654CA8567
calloc.MSVCRT ref: 00007FF654CA8582
GetTokenInformation.ADVAPI32(?,?,?,00007FFE209EC150,00007FF654CA732D,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA85A8
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF654CA85BD

Strings

S-1-3-4, xrefs: 00007FF654CA84BB
D:(A;;FA;;;%s), xrefs: 00007FF654CA84CA

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen_snwprintfcallocfree
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 1339360106-2855260032
Opcode ID: fe406d8fb547cea20d7bfb8102cc3596c6133abc484eadb2eb76a5d76b1726db
Instruction ID: 6feeda8b429cc0ac5ab239d524766e68f7f5bd45a70907752286bcdf451545fb
Opcode Fuzzy Hash: fe406d8fb547cea20d7bfb8102cc3596c6133abc484eadb2eb76a5d76b1726db
Instruction Fuzzy Hash: BD318FA160864242E7109B52B8A47AA7371AFC5BA4F584276EE6DA3BD4DF3CD405C700

Function 66F81DF0 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 90stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 66F81E39
strncmp.MSVCRT ref: 66F81E5F
strncmp.MSVCRT ref: 66F81E7F
strncmp.MSVCRT ref: 66F81E9C
strncmp.MSVCRT ref: 66F81EB9
strncmp.MSVCRT ref: 66F81ED6
PyErr_Format.PYTHON38 ref: 66F81F3D
strlen.MSVCRT ref: 66F81FAB
memcpy.MSVCRT ref: 66F81FBF
free.MSVCRT ref: 66F81FC7
strncmp.MSVCRT ref: 66F81FD5
PyErr_Format.PYTHON38 ref: 66F82057
strncmp.MSVCRT ref: 66F82105
strncmp.MSVCRT ref: 66F82143
strncmp.MSVCRT ref: 66F8235C
strncmp.MSVCRT ref: 66F8241C
strncmp.MSVCRT ref: 66F824DC
_errno.MSVCRT ref: 66F827A5
_errno.MSVCRT ref: 66F827B7

Strings

*IFMAC:, xrefs: 66F81E6F
*IFIPV4:, xrefs: 66F81E8C
*HARDDISK:, xrefs: 66F81E4F
%s (%d:%d), xrefs: 66F81F36
*MID:, xrefs: 66F81E2C
5(, xrefs: 66F81F28
*IFIPV6:, xrefs: 66F81EA9
*DOMAIN:, xrefs: 66F81EC6

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: strncmp$Err_Format_errno$freememcpystrlen
String ID: %s (%d:%d)$*DOMAIN:$*HARDDISK:$*IFIPV4:$*IFIPV6:$*IFMAC:$*MID:$5(
API String ID: 3958490578-1731549688
Opcode ID: 3680ad2c6e9ce4542123035bb5878db8c477c5f00d64d280c243a012d2a8abc0
Instruction ID: a32d9cda8ba9c105160391164478276016c5f235be937ce4635c4661f56a7db5
Opcode Fuzzy Hash: 3680ad2c6e9ce4542123035bb5878db8c477c5f00d64d280c243a012d2a8abc0
Instruction Fuzzy Hash: FB21F12532865095FF50CB22EC48B5626A1BB4ABE9FC0555ACD2C4B7D0DF2FD245C331

Function 00007FF654CAE270 Relevance: 25.7, APIs: 17, Instructions: 223COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF654CAE28F
_strdup.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE2A6
setlocale.MSVCRT ref: 00007FF654CAE2BE
mbstowcs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE2F5
mbstowcs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE366
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE46D
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE4A6
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE4D5
realloc.MSVCRT ref: 00007FF654CAE4F0
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE51C
setlocale.MSVCRT ref: 00007FF654CAE52D
free.MSVCRT ref: 00007FF654CAE539
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE562
realloc.MSVCRT ref: 00007FF654CAE57D
wcstombs.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,00007FF654CA40C0), ref: 00007FF654CAE5A1
setlocale.MSVCRT ref: 00007FF654CAE5B2
free.MSVCRT ref: 00007FF654CAE5BE

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: wcstombs$setlocale$freembstowcsrealloc$_strdup
String ID:
API String ID: 1093732947-0
Opcode ID: 18a3bf99bbea6804c92c0b9e4b21d59020ad17d25526b3b34f8233c8396aa3f0
Instruction ID: 48c3d16ae4a0d8245a67ff6491d3204a8a2541cc9008ad528d788b2e1e2ea89d
Opcode Fuzzy Hash: 18a3bf99bbea6804c92c0b9e4b21d59020ad17d25526b3b34f8233c8396aa3f0
Instruction Fuzzy Hash: 22A140A6F05B5588FB409BA6D8902BD33B0BB85B88F844576DE4CA7799EF3CD4018360

Function 66F8F8F0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

PyList_New.PYTHON38 ref: 66F8F929
PyTuple_New.PYTHON38 ref: 66F8F993
PyList_New.PYTHON38 ref: 66F8F9F2
_PyList_Extend.PYTHON38 ref: 66F8FA40
_Py_Dealloc.PYTHON38 ref: 66F8FA54
PyDict_New.PYTHON38 ref: 66F8FA60
PyDict_Update.PYTHON38 ref: 66F8FADF
_Py_Dealloc.PYTHON38 ref: 66F8FAF5

Strings

Invalid type for op_build, xrefs: 66F8FB4C

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: List_$DeallocDict_$ExtendTuple_Update
String ID: Invalid type for op_build
API String ID: 3794787204-1006902009
Opcode ID: 6a5439ea67cc0a07edc4bc5cae7ea3351b7d5feb805250f2303c0f84ff580a8b
Instruction ID: 018ec28ebe7e8c78debdb33660995fa2c75e44fa731002115d8be06d64a029af
Opcode Fuzzy Hash: 6a5439ea67cc0a07edc4bc5cae7ea3351b7d5feb805250f2303c0f84ff580a8b
Instruction Fuzzy Hash: 9051DF73B1BA059AFA888F69AC543692371ABC9FE8F5480A9CD1D43718EE2DC146C350

Function 66F90D80 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON38 ref: 66F90DC7
PyUnicode_New.PYTHON38 ref: 66F90DE4
PyObject_Format.PYTHON38 ref: 66F90F0E
_Py_Dealloc.PYTHON38 ref: 66F90F33
_Py_Dealloc.PYTHON38 ref: 66F90FC8

Strings

Too many format strings, xrefs: 66F90DBD

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Dealloc$Err_FormatObject_StringUnicode_
String ID: Too many format strings
API String ID: 3094464462-2091874682
Opcode ID: adb419af5e2eedd341bd9b8ca218522e090d333e3a0d68c60dacbd5504573659
Instruction ID: 43c34416b8672bfe8095ba20bb8b5cadc19bb25acf242af9875e110f065ad4da
Opcode Fuzzy Hash: adb419af5e2eedd341bd9b8ca218522e090d333e3a0d68c60dacbd5504573659
Instruction Fuzzy Hash: 9351C433B19A44D2FF149F25A988329B362E784BCDF444629CE1D47B14EFB9C655C390

Function 66F81A30 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

PyEval_GetFrame.PYTHON38 ref: 66F81A3E
PyUnicode_AsUTF8.PYTHON38 ref: 66F81A96
PyModule_GetDict.PYTHON38 ref: 66F81AAD
PyDict_GetItemString.PYTHON38 ref: 66F81AC6
PyCFunction_GetSelf.PYTHON38 ref: 66F81AD4
PyErr_Format.PYTHON38 ref: 66F81B3A

Strings

__dict__, xrefs: 66F81B8A
__pyarmor__, xrefs: 66F81ABC
protection exception (%d), xrefs: 66F81B57, 66F81C66
%s (%d:%d), xrefs: 66F81B25

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: DictDict_Err_Eval_FormatFrameFunction_ItemModule_SelfStringUnicode_
String ID: %s (%d:%d)$__dict__$__pyarmor__$protection exception (%d)
API String ID: 3372622024-629680938
Opcode ID: d9dbc4243d0aa4038ba619429e61402baed0799e43e4d4327ebb9ec8415299dc
Instruction ID: a71c04fc0aae93c3799fc96dca216ea9e0315738c9af84e45599746ad86d4864
Opcode Fuzzy Hash: d9dbc4243d0aa4038ba619429e61402baed0799e43e4d4327ebb9ec8415299dc
Instruction Fuzzy Hash: A5519D72B09A4586FE05CB66D8487A83771EB89FD8F494269CE3D07361EE29C199C310

Function 00007FF654CA4FB0 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 138stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 00007FF654CA506F
mbstowcs.MSVCRT(00000000,C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\jone,C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\user\AppData\Local\Temp\_MEI73442,?,?,?,_MEIPASS2,00007FF654CA56C4), ref: 00007FF654CA509F

Strings

C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\jone, xrefs: 00007FF654CA4FBD
C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\user\AppData\Local\Temp\_MEI73442, xrefs: 00007FF654CA4FBC
Failed to convert Wflag %s using mbstowcs (invalid multibyte string), xrefs: 00007FF654CA51B9
_MEIPASS2, xrefs: 00007FF654CA4FB0
pyi-, xrefs: 00007FF654CA503C

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: mbstowcsstrncmp
String ID: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\jone$C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\user\AppData\Local\Temp\_MEI73442$Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$_MEIPASS2$pyi-
API String ID: 1807066385-2997176521
Opcode ID: 4cd6353d8287d9ebdc7f42e50edfcd29b2454bf44d82fac0beb1f5a7f2d26726
Instruction ID: 8896b3b46835a2ba052d1b17a90308db01e8038b6a0ce010468dfe7c4a314018
Opcode Fuzzy Hash: 4cd6353d8287d9ebdc7f42e50edfcd29b2454bf44d82fac0beb1f5a7f2d26726
Instruction Fuzzy Hash: 855171A5A0860681FB149F27D8A43792371AFC5B80F8880B7CD1EA73E1DE3DE4419750

Function 00007FF654CA79C0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

SetConsoleCtrlHandler.KERNEL32 ref: 00007FF654CA7A06
GetStartupInfoW.KERNEL32 ref: 00007FF654CA7A28
_fileno.MSVCRT ref: 00007FF654CA7A6C
_get_osfhandle.MSVCRT ref: 00007FF654CA7A7A
_fileno.MSVCRT ref: 00007FF654CA7A8E
_get_osfhandle.MSVCRT ref: 00007FF654CA7A95
_fileno.MSVCRT ref: 00007FF654CA7AA9
_get_osfhandle.MSVCRT ref: 00007FF654CA7AB0
GetCommandLineW.KERNEL32 ref: 00007FF654CA7ABA
CreateProcessW.KERNEL32 ref: 00007FF654CA7B02
WaitForSingleObject.KERNEL32 ref: 00007FF654CA7B19
GetExitCodeProcess.KERNEL32 ref: 00007FF654CA7B2C

Strings

Error creating child process!, xrefs: 00007FF654CA7B48
CreateProcessW, xrefs: 00007FF654CA7B4F

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: _fileno_get_osfhandle$Process$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 1833775142-3524285272
Opcode ID: 8ef660b42063669becf1bd41f8a29df173ea005990595a1a776f16ce8dcaa147
Instruction ID: 987aecc7d3df137f483188ecc238f26ea64b04d5271b215a9f71ed6878d3b341
Opcode Fuzzy Hash: 8ef660b42063669becf1bd41f8a29df173ea005990595a1a776f16ce8dcaa147
Instruction Fuzzy Hash: F2415072A0878285EB209B65F8A43EA7370FBC5794F484136DA8D97795DF7CD088CB40

Function 66F91700 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

PyFunction_NewWithQualName.PYTHON38 ref: 66F9176A
PyTuple_GetItem.PYTHON38 ref: 66F91796
PyCFunction_NewEx.PYTHON38 ref: 66F917BD
PyTuple_SetItem.PYTHON38 ref: 66F917D7
PyCFunction_NewEx.PYTHON38 ref: 66F91889
Py_BuildValue.PYTHON38 ref: 66F918A5
_Py_Dealloc.PYTHON38 ref: 66F91923

Strings

(O), xrefs: 66F9189E

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Function_$ItemTuple_$BuildDeallocNameQualValueWith
String ID: (O)
API String ID: 239567734-4232840684
Opcode ID: caf2b0332e50d200b9cdd988d2f284a0eb3577fbac5d22b41583abf0419b7acc
Instruction ID: 7abde04ce337e40c57d33cc810fe7211bf1e6d753d84551ae0fe7dd8339f0bef
Opcode Fuzzy Hash: caf2b0332e50d200b9cdd988d2f284a0eb3577fbac5d22b41583abf0419b7acc
Instruction Fuzzy Hash: 40419133A49A40C2FB1ACF26E84876A736AFB49BC4F448231DE6D06B55DF39C191D351

Function 66F885F0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

PyBuffer_FillInfo.PYTHON38 ref: 66F88643
PyMemoryView_FromBuffer.PYTHON38 ref: 66F88655
_PyObject_CallMethodId_SizeT.PYTHON38 ref: 66F88679
PyNumber_AsSsize_t.PYTHON38 ref: 66F8869B
PyErr_Occurred.PYTHON38 ref: 66F886C4
PyErr_Format.PYTHON38 ref: 66F886EF
PyMem_Realloc.PYTHON38 ref: 66F88723
_Py_Dealloc.PYTHON38 ref: 66F88768
PyMem_Malloc.PYTHON38 ref: 66F88793
PyErr_NoMemory.PYTHON38 ref: 66F887A5

Strings

read() returned too much data: %zd bytes requested, %zd returned, xrefs: 66F886DF
EOF read where not expected, xrefs: 66F88747

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$Mem_Memory$BufferBuffer_CallDeallocFillFormatFromInfoMallocMethodNumber_Object_OccurredReallocSizeSsize_tView_
String ID: EOF read where not expected$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 3190434935-3742967138
Opcode ID: 6be31fb123a86346381b4fef954e3e12630b7a4ac16b367fb1982ec1dd5f3ed5
Instruction ID: 0b9d6975c4c3f00fe63cd4eeefa1fbed60f5443a653d76024f7c2f33c90b2104
Opcode Fuzzy Hash: 6be31fb123a86346381b4fef954e3e12630b7a4ac16b367fb1982ec1dd5f3ed5
Instruction Fuzzy Hash: E7418072729A04D6FB01DB65E8043582372B749FE9F8442298D3D477A4EF3DC59AC360

Function 66F9DC90 Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 319COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 66F9DED0
calloc.MSVCRT ref: 66F9DEE7
free.MSVCRT ref: 66F9DF28
free.MSVCRT ref: 66F9DF30

Strings

modulus != NULL, xrefs: 66F9E36A
kB != NULL, xrefs: 66F9E383
B != NULL, xrefs: 66F9E3CE
kA != NULL, xrefs: 66F9E39C
P != NULL, xrefs: 66F9DE41
src/pk/ecc/ltc_ecc_mul2add.c, xrefs: 66F9E363, 66F9E37C, 66F9E395, 66F9E3AE, 66F9E3C7, 66F9E3E0
src/pk/ecc/ltc_ecc_map.c, xrefs: 66F9DE3A
A != NULL, xrefs: 66F9E3E7
C != NULL, xrefs: 66F9E3B5

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: callocfree
String ID: A != NULL$B != NULL$C != NULL$P != NULL$kA != NULL$kB != NULL$modulus != NULL$src/pk/ecc/ltc_ecc_map.c$src/pk/ecc/ltc_ecc_mul2add.c
API String ID: 306872129-190324370
Opcode ID: 15ba9e8f4dea9953f3ed2897a35c1b83790b875f13c39b799915dfb9f58af935
Instruction ID: fae5e1af9e5e0411e458929fb1ffda9a4499f2da679062149abb185e3896474a
Opcode Fuzzy Hash: 15ba9e8f4dea9953f3ed2897a35c1b83790b875f13c39b799915dfb9f58af935
Instruction Fuzzy Hash: 69C1CF32B08AC0C6EB50DF62E84879AB765FB88BD9F415222DE8D97718EF79C444C750

Function 66F9F730 Relevance: 21.3, APIs: 9, Strings: 5, Instructions: 254COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 66F9F80C
free.MSVCRT ref: 66F9F864
malloc.MSVCRT ref: 66F9F89C
free.MSVCRT ref: 66F9F8F1
free.MSVCRT ref: 66F9F8FB
memcmp.MSVCRT ref: 66F9F9ED
memcmp.MSVCRT ref: 66F9FBB2
memcmp.MSVCRT ref: 66F9FBDB
free.MSVCRT ref: 66F9FBF0

Strings

src/pk/rsa/rsa_verify_hash.c, xrefs: 66F9F980, 66F9F999, 66F9F9B2, 66F9F9CB
stat != NULL, xrefs: 66F9F9A0
sig != NULL, xrefs: 66F9F9B9
key != NULL, xrefs: 66F9F987
hash != NULL, xrefs: 66F9F9D2

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: free$memcmp$malloc
String ID: hash != NULL$key != NULL$sig != NULL$src/pk/rsa/rsa_verify_hash.c$stat != NULL
API String ID: 2896619906-237625700
Opcode ID: 256103562b279499cccbc6ff03a37f4163cfeaf89722f50143bfc127f4f2139c
Instruction ID: 1cb6d1df11fcd6ec2ae403ee78684078e8e0057743cb67e00ae7bf8c30116e56
Opcode Fuzzy Hash: 256103562b279499cccbc6ff03a37f4163cfeaf89722f50143bfc127f4f2139c
Instruction Fuzzy Hash: 8EB1AD726096C1CAF7A0CF12E94479ABBA0F3C8798F004216EE8997B58DB7DC449CB51

Function 00007FF654CA31B0 Relevance: 21.2, APIs: 2, Strings: 12, Instructions: 202stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA3140: strcpy.MSVCRT(?,?,_MEIPASS2,?,00007FF654CA362C), ref: 00007FF654CA3183

strcmp.MSVCRT ref: 00007FF654CA333C
strcmp.MSVCRT ref: 00007FF654CA335F

Part of subcall function 00007FF654CA7840: fread.MSVCRT ref: 00007FF654CA78B1
Part of subcall function 00007FF654CA7840: ferror.MSVCRT ref: 00007FF654CA78C1
Part of subcall function 00007FF654CA7840: clearerr.MSVCRT(?,00000000,?,00007FF654CA3267,?,00000000,?,00000000,?,?,_MEIPASS2,?,00007FF654CA362C), ref: 00007FF654CA78CD
Part of subcall function 00007FF654CA7840: fclose.MSVCRT ref: 00007FF654CA7909
Part of subcall function 00007FF654CA7840: fclose.MSVCRT ref: 00007FF654CA7911

Strings

%s%s%s%s%s, xrefs: 00007FF654CA322C
Error copying %s, xrefs: 00007FF654CA34D0
%s%s%s%s%s%s%s, xrefs: 00007FF654CA32AA
Error extracting %s, xrefs: 00007FF654CA3501
%s%s%s, xrefs: 00007FF654CA33C8
_MEIPASS2, xrefs: 00007FF654CA31B7
Archive path exceeds PATH_MAX, xrefs: 00007FF654CA34A0
Error opening archive %s, xrefs: 00007FF654CA34E1
malloc, xrefs: 00007FF654CA34E8
Archive not found: %s, xrefs: 00007FF654CA34B7
%s%s%s.pkg, xrefs: 00007FF654CA32D8
%s%s%s.exe, xrefs: 00007FF654CA33A6

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fclosestrcmp$clearerrferrorfreadstrcpy
String ID: %s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s$%s%s%s.exe$%s%s%s.pkg$Archive not found: %s$Archive path exceeds PATH_MAX$Error copying %s$Error extracting %s$Error opening archive %s$_MEIPASS2$malloc
API String ID: 2929065527-1083822304
Opcode ID: 9436801669d51a629e3fcac19a4da0c11387a79bf2d9244b869e701ab383b238
Instruction ID: c4b7c286565264d354afc042142f1fca079c9f0df6d692b30c39b3c4c317a512
Opcode Fuzzy Hash: 9436801669d51a629e3fcac19a4da0c11387a79bf2d9244b869e701ab383b238
Instruction Fuzzy Hash: 058143A1A08A4251FA109B66E8B41FA6674AFC47D4F4841B3EE4DE7BE6DE3CE545C300

Function 00007FF654CA7110 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF654CA714B
free.MSVCRT ref: 00007FF654CA7156

Part of subcall function 00007FF654CA8650: wcslen.MSVCRT ref: 00007FF654CA8659

_wfullpath.MSVCRT ref: 00007FF654CA717E
wcschr.MSVCRT(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71AD
wcsncpy.MSVCRT ref: 00007FF654CA71DB
CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71E5
wcschr.MSVCRT(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA71F0
CreateDirectoryW.KERNEL32(?,?,?,00000000,00007FF654CA72AB,?,?,?,00000000,?,00000012,00000000,00000000,00007FF654CA746B), ref: 00007FF654CA7202
_wcsdup.MSVCRT ref: 00007FF654CA721B

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF654CA7250
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF654CA7230
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF654CA7260

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: CreateDirectorywcschr$ByteCharEnvironmentExpandMultiStringsWide_wcsdup_wfullpathfreewcslenwcsncpy
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 274989731-3498232454
Opcode ID: d414b3e691f8c4d26ce76b45fbcb3174c9ed9ce5588de55e0f29948b1c7c796a
Instruction ID: 74490da21c68abeb4f98825352fe761e65e5eb0397b104ffbe40d1d688640675
Opcode Fuzzy Hash: d414b3e691f8c4d26ce76b45fbcb3174c9ed9ce5588de55e0f29948b1c7c796a
Instruction Fuzzy Hash: B531F791B4D64285FA65A76698B43FA11A26FC8BC1FCC4476DE0EFB7C5ED2CE0458310

Function 66F90B7E Relevance: 21.1, APIs: 14, Instructions: 96COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON38 ref: 66F90BC1
PyErr_Fetch.PYTHON38 ref: 66F90BFF
PyErr_NormalizeException.PYTHON38 ref: 66F90C17
PyException_SetTraceback.PYTHON38 ref: 66F90C39
_Py_Dealloc.PYTHON38 ref: 66F90C5B
PyErr_NormalizeException.PYTHON38 ref: 66F90C6A
PyException_SetContext.PYTHON38 ref: 66F90C79
PyErr_Restore.PYTHON38 ref: 66F90C8E
PyErr_Restore.PYTHON38 ref: 66F90CBB
_Py_Dealloc.PYTHON38 ref: 66F90CC3
PyEval_GetFrame.PYTHON38 ref: 66F90CD0
PyErr_Restore.PYTHON38 ref: 66F90CF8
PyTraceBack_Here.PYTHON38 ref: 66F90D03
PyErr_Fetch.PYTHON38 ref: 66F90D17

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$Restore$DeallocExceptionException_FetchNormalize$Back_ContextEval_FrameHereOccurredTraceTraceback
String ID:
API String ID: 4214459649-0
Opcode ID: 8e921b868482a4647cf288f8b5169c51234217630db6041e9c0b008727c7077d
Instruction ID: c42bd45544004a0d88d93d823ccd79dde6b6163585614337aca3c002cc19e9ec
Opcode Fuzzy Hash: 8e921b868482a4647cf288f8b5169c51234217630db6041e9c0b008727c7077d
Instruction Fuzzy Hash: 48414477208BC0D5EA25DB56F80839AB322FB8ABD4F54801ADE9D43B28CF39C145CB51

Function 66F91D40 Relevance: 19.6, APIs: 13, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 66F91D63
HeapAlloc.KERNEL32 ref: 66F91D77
GetAdaptersAddresses.IPHLPAPI ref: 66F91D9F
inet_ntoa.WS2_32 ref: 66F91DD7
GetProcessHeap.KERNEL32 ref: 66F91DF2
HeapFree.KERNEL32 ref: 66F91DFC
GetProcessHeap.KERNEL32 ref: 66F91E10
HeapFree.KERNEL32 ref: 66F91E1A
GetProcessHeap.KERNEL32 ref: 66F91E20
HeapAlloc.KERNEL32 ref: 66F91E2A
GetAdaptersAddresses.IPHLPAPI ref: 66F91E49

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Heap$Process$AdaptersAddressesAllocFree$inet_ntoa
String ID:
API String ID: 4108032510-0
Opcode ID: 9f0ede1b55dc2dd9832a026050341d10ef431b5a01c9a94c5069eab152c385c4
Instruction ID: 90b0384b59742507a37e99905f458bcecdd804941c3dc0b7323dc8af50c3d7d4
Opcode Fuzzy Hash: 9f0ede1b55dc2dd9832a026050341d10ef431b5a01c9a94c5069eab152c385c4
Instruction Fuzzy Hash: 3621EA2271964046FB04EB77BC1075AB696AB89FD8F088336ED2C477E4EE39D442C750

Function 00007FF654CA5410 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00007FF654CA542B
_strdup.MSVCRT ref: 00007FF654CA5433
calloc.MSVCRT ref: 00007FF654CA5457
setlocale.MSVCRT ref: 00007FF654CA5479
free.MSVCRT ref: 00007FF654CA54C0
free.MSVCRT ref: 00007FF654CA54D7
free.MSVCRT ref: 00007FF654CA54DF
setlocale.MSVCRT ref: 00007FF654CA5509
free.MSVCRT ref: 00007FF654CA5511

Strings

Fatal error: unable to decode the command line argument #%i, xrefs: 00007FF654CA54E6
out of memory, xrefs: 00007FF654CA5528

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$setlocale$_strdupcalloc
String ID: Fatal error: unable to decode the command line argument #%i$out of memory
API String ID: 3058678114-3355598041
Opcode ID: b3a94ae4ac6b4f6312338ae72a3d926f4a238985db292fd2604171276d9b9414
Instruction ID: b37cbe9adbc706a66e8b13a9d33bc4c771da5d6c849319b5a869130fa528bd46
Opcode Fuzzy Hash: b3a94ae4ac6b4f6312338ae72a3d926f4a238985db292fd2604171276d9b9414
Instruction Fuzzy Hash: 8F21C192B0961251FA15E716D8B13BD6661AFC4B84FCCC4B6DD4EAB782EE3CE8458310

Function 00007FF654CA29E0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF654CA2A08
memset.MSVCRT ref: 00007FF654CA2A56
_wcsdup.MSVCRT ref: 00007FF654CA2A76
_wcsdup.MSVCRT ref: 00007FF654CA2A86
DialogBoxIndirectParamW.USER32 ref: 00007FF654CA2AA8
free.MSVCRT ref: 00007FF654CA2AB8
free.MSVCRT ref: 00007FF654CA2AC5
free.MSVCRT ref: 00007FF654CA2AD2
DeleteObject.GDI32 ref: 00007FF654CA2AE4
DestroyIcon.USER32 ref: 00007FF654CA2AF7

Strings

Unhandled exception in script, xrefs: 00007FF654CA2A18

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$_wcsdup$DeleteDestroyDialogHandleIconIndirectModuleObjectParammemset
String ID: Unhandled exception in script
API String ID: 2803985813-2699770090
Opcode ID: f526219bed773062a0d0eb333ccd5c88dea8aa0be73e6a7d34a87cd471690584
Instruction ID: f65e00833b24fff55ad8e33450edaa6d9902ffb8a622caae0893211575ac7eb8
Opcode Fuzzy Hash: f526219bed773062a0d0eb333ccd5c88dea8aa0be73e6a7d34a87cd471690584
Instruction Fuzzy Hash: 48218171A09A8281EA25DB52F8A46FA7370BFC5B80F884076EE4EA3B45DE3CD0458710

Function 66F88FA0 Relevance: 18.3, APIs: 12, Instructions: 252fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 66F8904D

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: fwrite
String ID:
API String ID: 3559309478-0
Opcode ID: 714a94cc15264e56acb3af836d6436b7d2c318e9dc132846ab81ddfae765e9b2
Instruction ID: a8fa46b59dfc88532f4231ab1f7e160090fbf278d630022c8c1a9359dc7c1218
Opcode Fuzzy Hash: 714a94cc15264e56acb3af836d6436b7d2c318e9dc132846ab81ddfae765e9b2
Instruction Fuzzy Hash: F5A1AFB2204B4082DB14CFA9E15439977B6F759FE8F50522ACE6E5B398DF38C594C380

Function 00007FF654CA5EE0 Relevance: 18.1, APIs: 9, Strings: 3, Instructions: 131stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF654CA5F09
memcpy.MSVCRT ref: 00007FF654CA5F4D
strlen.MSVCRT ref: 00007FF654CA5F67
strlen.MSVCRT ref: 00007FF654CA5F74
strlen.MSVCRT ref: 00007FF654CA5FA0
free.MSVCRT ref: 00007FF654CA5FF3
strncpy.MSVCRT ref: 00007FF654CA604D
strncpy.MSVCRT ref: 00007FF654CA607A
strncpy.MSVCRT ref: 00007FF654CA60E9

Strings

SPLASH: Cannot extract requirement %s., xrefs: 00007FF654CA60B3
_MEIPASS2, xrefs: 00007FF654CA5EE7
SPLASH: Cannot find requirement %s in archive., xrefs: 00007FF654CA5FDF

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: strlenstrncpy$callocfreememcpy
String ID: SPLASH: Cannot extract requirement %s.$SPLASH: Cannot find requirement %s in archive.$_MEIPASS2
API String ID: 4189425833-927121926
Opcode ID: 0278ade198d4d4fb4f4b46b933373953a4129a425002dc51c7dac0e2962247a5
Instruction ID: 3838584349d1490d4bcda8e338be0a0421b1023dce89942d3d894a3b134a78bb
Opcode Fuzzy Hash: 0278ade198d4d4fb4f4b46b933373953a4129a425002dc51c7dac0e2962247a5
Instruction Fuzzy Hash: FD41F69170865255EA14EA23D8A47FA6374BFC4BC4F8C81B2EE1DA7786DE3CE145C314

Function 66F919C0 Relevance: 18.1, APIs: 12, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 66F919E1
HeapAlloc.KERNEL32 ref: 66F919F6
memcpy.MSVCRT ref: 66F91A6C
GetProcessHeap.KERNEL32 ref: 66F91A8A
HeapFree.KERNEL32 ref: 66F91A95
GetProcessHeap.KERNEL32 ref: 66F91AAA
HeapFree.KERNEL32 ref: 66F91AB5
GetProcessHeap.KERNEL32 ref: 66F91AD0
HeapFree.KERNEL32 ref: 66F91ADB
GetProcessHeap.KERNEL32 ref: 66F91AE5
HeapAlloc.KERNEL32 ref: 66F91AF0
GetAdaptersAddresses.IPHLPAPI ref: 66F91B0C

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$AdaptersAddressesmemcpy
String ID:
API String ID: 1739390247-0
Opcode ID: 8b7173cbf525848e8b2f0710f6e2e3af896d06d9160effeb2f956b6adda84d23
Instruction ID: b0b9927c07ace571f078fcd1ffdbb95e1fda3534197f14f11e2e96082ff7875a
Opcode Fuzzy Hash: 8b7173cbf525848e8b2f0710f6e2e3af896d06d9160effeb2f956b6adda84d23
Instruction Fuzzy Hash: 4331F8337156818AFB44DB76AC04B9D73A69B89BD8F488235EE1C87754EF38C989C700

Function 66FFFB50 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 283memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?,?,?,66F81278), ref: 66FFFC7D

Strings

Unknown pseudo relocation bit size %d., xrefs: 66FFFDEA
Unknown pseudo relocation protocol version %d., xrefs: 66FFFDFE

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: ProtectVirtual
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
API String ID: 544645111-395989641
Opcode ID: f6de90c3a48d35dd0d7869126c3aa8fe806ab83cd1bc7bc40e79d601065f5849
Instruction ID: 39fbf0baec1b8abd043aa2b36262368f6d4932739c842dbc001fe2b9be0774d3
Opcode Fuzzy Hash: f6de90c3a48d35dd0d7869126c3aa8fe806ab83cd1bc7bc40e79d601065f5849
Instruction Fuzzy Hash: 79912232B366428BFB948B65D89070D6762A7CA7A8F508516CF2C977F8DA3DC183C711

Function 66F93980 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 117stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 66F9399A
malloc.MSVCRT ref: 66F939A6
memcpy.MSVCRT ref: 66F939C5
strchr.MSVCRT ref: 66F93AA4
free.MSVCRT ref: 66F93AD6

Strings

and,, xrefs: 66F939D3
or,, xrefs: 66F939DA
http://, xrefs: 66F93A31
local, xrefs: 66F93A13

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: freemallocmemcpystrchrstrlen
String ID: and,$http://$local$or,
API String ID: 3771145599-2506292620
Opcode ID: fffd6cc5c076cb560c0c2160982a51acd8c4d7517aa773c66e178a1a6288fccf
Instruction ID: b09a291707bef11e2d6e0858693b72db96e8daf93168a0d5c87ee60488b2fc67
Opcode Fuzzy Hash: fffd6cc5c076cb560c0c2160982a51acd8c4d7517aa773c66e178a1a6288fccf
Instruction Fuzzy Hash: 1E31272770968896FE50CE23990036A2B51E746BF8F844B258E3C177D4EF3AC84AC321

Function 00007FF654CA2350 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF654CA2371
SelectObject.GDI32 ref: 00007FF654CA23C8
DrawTextW.USER32 ref: 00007FF654CA23EB
SelectObject.GDI32 ref: 00007FF654CA2401
ReleaseDC.USER32 ref: 00007FF654CA2411
MoveWindow.USER32 ref: 00007FF654CA245D
MoveWindow.USER32 ref: 00007FF654CA249C
MoveWindow.USER32 ref: 00007FF654CA24ED
MoveWindow.USER32 ref: 00007FF654CA252A

Strings

P%, xrefs: 00007FF654CA23D1

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: fea85488d9d1cac119e4a29d1ca9f633e5fae16107e641c76dad77d3c19cf46f
Instruction ID: 5a3431e8b08e52a4e24999c880935af3c735b4784b6e8aa00516d9c09925fbb2
Opcode Fuzzy Hash: fea85488d9d1cac119e4a29d1ca9f633e5fae16107e641c76dad77d3c19cf46f
Instruction Fuzzy Hash: F44187762156A18AD7208F36E44877977B1F788F99F084232EE8987B58DF3CD185CB20

Function 66F89C00 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON38 ref: 66F89C11
PyList_New.PYTHON38 ref: 66F8A468

Strings

bad marshal data (list size out of range), xrefs: 66F8A95C
NULL object in marshal data for list, xrefs: 66F8AFF3

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_List_Occurred
String ID: NULL object in marshal data for list$bad marshal data (list size out of range)
API String ID: 1902535023-3453879413
Opcode ID: 7068d00fd5fc174c97d1d790006e4ee2cda09aa94e9709285f5ba7c3c173cf4a
Instruction ID: 7ec92c6c5a780edb53887041a04ceb5106b585184bcbc56c6e49694fedc5ec98
Opcode Fuzzy Hash: 7068d00fd5fc174c97d1d790006e4ee2cda09aa94e9709285f5ba7c3c173cf4a
Instruction Fuzzy Hash: 38316732709A80C7FE04CF19E88835A63B2FB85B95F118499CD2E0B3A4EF3AC555C390

Function 66F89E54 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON38 ref: 66F89E65
PyTuple_New.PYTHON38 ref: 66F8A403

Strings

bad marshal data (tuple size out of range), xrefs: 66F8AC3A
NULL object in marshal data for tuple, xrefs: 66F8AE3C

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_OccurredTuple_
String ID: NULL object in marshal data for tuple$bad marshal data (tuple size out of range)
API String ID: 3674511531-3094253248
Opcode ID: 33dc34a28eb63f0420196389db7f1adaa6b5a59f8a0d32986827911ff0d1f688
Instruction ID: e9fe73f7e62c5c5c0d802c83627c9ff2b6b4e7e1127fc9b216f076fa855621a5
Opcode Fuzzy Hash: 33dc34a28eb63f0420196389db7f1adaa6b5a59f8a0d32986827911ff0d1f688
Instruction Fuzzy Hash: 9B217C32709A40C7FE14CF29D58C71A23B6FB89B94F518498CD1E173A8DE3AD145C390

Function 66F98380 Relevance: 16.9, APIs: 3, Strings: 8, Instructions: 356stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 66F98546

Strings

?, xrefs: 66F9859C
MD5, xrefs: 66F985D7
@, xrefs: 66F984FD
8, xrefs: 66F98879
src/hashes/md5.c, xrefs: 66F98497, 66F984B0
md != NULL, xrefs: 66F9849E
in != NULL, xrefs: 66F984B7
?, xrefs: 66F98429

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: strlen
String ID: 8$?$?$@$MD5$in != NULL$md != NULL$src/hashes/md5.c
API String ID: 39653677-3461814546
Opcode ID: 59980e96bab5f09518a5dcd9d66e48bf7f3f68a7c3a5db963c42a737ce733e52
Instruction ID: 09f8f9e19cd2ac6bba381aea28b70d756a71339cb0c4fa554243a5a8fc9b1db9
Opcode Fuzzy Hash: 59980e96bab5f09518a5dcd9d66e48bf7f3f68a7c3a5db963c42a737ce733e52
Instruction Fuzzy Hash: 7DD1FEB3A18281ABF715CB1AE454B2EBFA0E791388F504A09CFA20BB45D77DD445CB52

Function 00007FF654CA5CC0 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 124stringCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 00007FF654CA5D08
strncpy.MSVCRT ref: 00007FF654CA5D1E

Part of subcall function 00007FF654CA40E0: strlen.MSVCRT ref: 00007FF654CA412F
Part of subcall function 00007FF654CA40E0: strncat.MSVCRT ref: 00007FF654CA4149

calloc.MSVCRT ref: 00007FF654CA5D59
malloc.MSVCRT ref: 00007FF654CA5D79
malloc.MSVCRT ref: 00007FF654CA5D99
memcpy.MSVCRT ref: 00007FF654CA5DD7
memcpy.MSVCRT ref: 00007FF654CA5DEC
memcpy.MSVCRT ref: 00007FF654CA5E01
free.MSVCRT ref: 00007FF654CA5E23

Strings

_MEIPASS2, xrefs: 00007FF654CA5CC2
Cannot allocate memory for necessary files., xrefs: 00007FF654CA5E6F

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: memcpy$mallocstrncpy$callocfreestrlenstrncat
String ID: Cannot allocate memory for necessary files.$_MEIPASS2
API String ID: 257583877-1389504347
Opcode ID: dcdcf1ad8441f74bd5f484d301417646872c8ea22c2ab649397ffc669518642c
Instruction ID: 8d1787d98f764d605fcd2b9c2f1131e514017fab3f9d5bc73a880ffff7624449
Opcode Fuzzy Hash: dcdcf1ad8441f74bd5f484d301417646872c8ea22c2ab649397ffc669518642c
Instruction Fuzzy Hash: 0241E3B2B0524146EA28DA22D5A42ED7772BF847D0F888472CF1EA37C5EE7CE5458310

Function 66F9D230 Relevance: 16.6, APIs: 8, Strings: 3, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 66F9D25B
strcmp.MSVCRT ref: 66F9D285
strcmp.MSVCRT ref: 66F9D2A4
strcmp.MSVCRT ref: 66F9D2C3
strcmp.MSVCRT ref: 66F9D2E2
strcmp.MSVCRT ref: 66F9D2FD
strcmp.MSVCRT ref: 66F9D318
strcmp.MSVCRT ref: 66F9D333

Strings

src/misc/crypt/crypt_find_hash.c, xrefs: 66F9D361
name != NULL, xrefs: 66F9D368
aes, xrefs: 66F9D233

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: strcmp
String ID: aes$name != NULL$src/misc/crypt/crypt_find_hash.c
API String ID: 1004003707-455514378
Opcode ID: 9f9ec8a7de5766cfade81fec29086a0005c32b77326fbf79db292890a566154b
Instruction ID: 7b29fdb6e09e31ce8b372b50d64107c8a8d03313bf39faaab4acda562b5daa4b
Opcode Fuzzy Hash: 9f9ec8a7de5766cfade81fec29086a0005c32b77326fbf79db292890a566154b
Instruction Fuzzy Hash: CB31983170AA8A4AFF59CE62DAD4BBD6311EF45BD8F504211CF6D8B944EF28D109C321

Function 66F89EE0 Relevance: 16.6, APIs: 11, Instructions: 85COMMON

Download Yara Rule

APIs

PyDict_New.PYTHON38 ref: 66F89EE0
PyList_Append.PYTHON38 ref: 66F8A176
PyDict_SetItem.PYTHON38 ref: 66F8A1D6
_Py_Dealloc.PYTHON38 ref: 66F8A1FB

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Dict_$AppendDeallocItemList_
String ID:
API String ID: 2970173465-0
Opcode ID: 13ef8c274b68a0f393cfd0dd411798b1bcd771080739aa67edb9211dcdedb3ce
Instruction ID: 5868c44794bcfbfb9ab949d820784cb6b4525efb69f7c8284c2ee066e9820a75
Opcode Fuzzy Hash: 13ef8c274b68a0f393cfd0dd411798b1bcd771080739aa67edb9211dcdedb3ce
Instruction Fuzzy Hash: EB316A32B0AA8087FE548F26E95835963F4FB8AB95F4884A8CE5E46754EF3E8141C310

Function 66F92140 Relevance: 16.6, APIs: 11, Instructions: 78memorynetworkCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 66F9215B
HeapAlloc.KERNEL32 ref: 66F9216F
GetNetworkParams.IPHLPAPI ref: 66F921A7
GetProcessHeap.KERNEL32 ref: 66F921C9
HeapFree.KERNEL32 ref: 66F921D3
GetProcessHeap.KERNEL32 ref: 66F921F0
HeapFree.KERNEL32 ref: 66F921FA
GetProcessHeap.KERNEL32 ref: 66F92201
HeapAlloc.KERNEL32 ref: 66F9220B
GetProcessHeap.KERNEL32 ref: 66F92226
HeapFree.KERNEL32 ref: 66F92230

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Heap$Process$Free$Alloc$NetworkParams
String ID:
API String ID: 3483679945-0
Opcode ID: 7ad505b3a7de0c2a1a590e8c2f802425ba64086e80456d639e239c01a286d689
Instruction ID: d6274f1036476717d52b77c2640097b9c33660b2e21e4dc9b2364c50d841b838
Opcode Fuzzy Hash: 7ad505b3a7de0c2a1a590e8c2f802425ba64086e80456d639e239c01a286d689
Instruction Fuzzy Hash: D811081272554585FA14DBB77C00BAAEB526BCEBD8F0882379D2C973E5EE39C1438310

Function 66F84D5B Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 66F8E850: PyList_New.PYTHON38 ref: 66F8E88A
Part of subcall function 66F8E850: PyMem_Free.PYTHON38 ref: 66F8E8C3

_PyDict_GetItemIdWithError.PYTHON38 ref: 66F8F33A
_Py_CheckFunctionResult.PYTHON38 ref: 66F8F3D7
_Py_Dealloc.PYTHON38 ref: 66F8F405
_PyObject_MakeTpCall.PYTHON38 ref: 66F8F440
_Py_Dealloc.PYTHON38 ref: 66F8F452
_PyLong_AsInt.PYTHON38 ref: 66F8F483
PyImport_ImportModuleLevelObject.PYTHON38 ref: 66F8F4B0

Strings

__import__ not found, xrefs: 66F8F467

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Dealloc$CallCheckDict_ErrorFreeFunctionImportImport_ItemLevelList_Long_MakeMem_ModuleObjectObject_ResultWith
String ID: __import__ not found
API String ID: 3239429168-2199325508
Opcode ID: 69df2478730bbf397de619e03f0d570ce7e2c45be5edd48ed93e082266fdfa7e
Instruction ID: 91d7a7a15087c638c66b09f00dd62928d07150e9e6f800b720a2d04ffab96a6f
Opcode Fuzzy Hash: 69df2478730bbf397de619e03f0d570ce7e2c45be5edd48ed93e082266fdfa7e
Instruction Fuzzy Hash: 15519F33716B448AEA858F2AEA44359A371F7C9FE9F44006ADE1E47B64DF39C195C310

Function 66F81660 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON38 ref: 66F816ED
PyErr_Occurred.PYTHON38 ref: 66F8178E

Strings

%s (%d:%d), xrefs: 66F816DB

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$FormatOccurred
String ID: %s (%d:%d)
API String ID: 4038069558-1595188566
Opcode ID: 4bd8c9fc301770ba8758a391c4fdd217cc08a388c3e49bcf0effea84071363ef
Instruction ID: f5b70300ba9996b3f99f9a1508344f9170ededf7e84b8049ab08667f9ebb5505
Opcode Fuzzy Hash: 4bd8c9fc301770ba8758a391c4fdd217cc08a388c3e49bcf0effea84071363ef
Instruction Fuzzy Hash: 9D411333B1878182EB04CB59E85536E7771F78ABD8F89426DCEAE07B25CE29C141C750

Function 670000A0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 670000F9
signal.MSVCRT ref: 67000152
signal.MSVCRT ref: 670001AE
signal.MSVCRT ref: 67000263

Strings

CCG , xrefs: 670000B5

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: signal
String ID: CCG
API String ID: 1946981877-1584390748
Opcode ID: 12f7bdf2ff622a9129fd616f39148eef126af7f08d92e0a44bc2d5e83231ebf8
Instruction ID: bbe9cd2f269efccffdf89385beac01b13edaa3c546fcedc12f2cbdf61d362118
Opcode Fuzzy Hash: 12f7bdf2ff622a9129fd616f39148eef126af7f08d92e0a44bc2d5e83231ebf8
Instruction Fuzzy Hash: 2031823077D4058AFB194EB988607A910929B9E338F548A26CB7DC73E1FE69D5C54333

Function 66F898E0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON38 ref: 66F898F0
PyUnicode_DecodeUTF8.PYTHON38 ref: 66F8A0BF

Strings

bad marshal data (string size out of range), xrefs: 66F8A88A
surrogatepass, xrefs: 66F8A0B5

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: DecodeErr_OccurredUnicode_
String ID: bad marshal data (string size out of range)$surrogatepass
API String ID: 1138423624-4021928140
Opcode ID: ffc3fdf5d164e5c4e6a4ef55206fc67a0b21d8f961f11ecb69c699365fa9f1a6
Instruction ID: 448ddac48928a901f7530d49ecea8ebcd6e36cb97a0705a530efd1b943777d10
Opcode Fuzzy Hash: ffc3fdf5d164e5c4e6a4ef55206fc67a0b21d8f961f11ecb69c699365fa9f1a6
Instruction Fuzzy Hash: 3D31AE33709A9087F611CF19D48875A73B6FB88BA0F01C598CE5A17758DF3AD686C380

Function 66F87FB0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 65stringCOMMON

Download Yara Rule

APIs

PyErr_SetFromWindowsErr.PYTHON38 ref: 66F87FDE
PyErr_Fetch.PYTHON38 ref: 66F87FF3
PyErr_Restore.PYTHON38 ref: 66F88008
PyObject_Str.PYTHON38 ref: 66F88018
strerror.MSVCRT ref: 66F88025
PyErr_Format.PYTHON38 ref: 66F88061

Strings

%s (%d:%d), xrefs: 66F88054

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$FetchFormatFromObject_RestoreWindowsstrerror
String ID: %s (%d:%d)
API String ID: 2858978339-1595188566
Opcode ID: fcc91ca7e521a33297c532549300778566aefd768eb892d5943477e1cc5354f1
Instruction ID: 90155649b92196330e38c7cdf82bbd728b7e8881c9d1326faddd6ccba49cb780
Opcode Fuzzy Hash: fcc91ca7e521a33297c532549300778566aefd768eb892d5943477e1cc5354f1
Instruction Fuzzy Hash: C421D333A19A44C2FB01CB19E8543997771EB8AB98F95502ACE6E13361CE3EC545C390

Function 00007FF654CA7E50 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF654CA7E92
WideCharToMultiByte.KERNEL32 ref: 00007FF654CA7ED2
GetLastError.KERNEL32 ref: 00007FF654CA7F18

Strings

FormatMessageW, xrefs: 00007FF654CA7EF7
Failed to encode wchar_t as UTF-8., xrefs: 00007FF654CA7F30
WideCharToMultiByte, xrefs: 00007FF654CA7E56, 00007FF654CA7F37
PyInstaller: FormatMessageW failed., xrefs: 00007FF654CA7F03
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF654CA7F43
No error messages generated., xrefs: 00007FF654CA7EF0

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharErrorFormatLastMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 1653872744-2573406579
Opcode ID: cbdb8eea67fde94177a7de486669295192c3b68fd3ad581342b718ce3b64fd12
Instruction ID: 17ace3ffe9bc72564030de6aadc604497a6a47deef951c714ff299baa734e2c8
Opcode Fuzzy Hash: cbdb8eea67fde94177a7de486669295192c3b68fd3ad581342b718ce3b64fd12
Instruction Fuzzy Hash: 5021AEB1A18A4381F7609B15F8E07A62271AFC5394F8C41BAE94DA2AA4DF3CD589C700

Function 66F8E510 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON38 ref: 66F8E51F
fread.MSVCRT ref: 66F8E542
PyMem_Free.PYTHON38 ref: 66F8E562
PyErr_Occurred.PYTHON38 ref: 66F8E572
PyErr_Format.PYTHON38 ref: 66F8E5A2
PyErr_NoMemory.PYTHON38 ref: 66F8E5D0

Strings

read() returned too much data: %zd bytes requested, %zd returned, xrefs: 66F8E598
EOF read where not expected, xrefs: 66F8E5B7

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$Mem_$FormatFreeMallocMemoryOccurredfread
String ID: EOF read where not expected$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 28673812-3742967138
Opcode ID: fc56d96de3c5d5125a3c1009fc05114574b7dba2801ec61b2e0e290047db93e5
Instruction ID: b18fa9fecf76308c7c109f7eeb945d1971a29c86d3f3c7107f7dd89daf3f9354
Opcode Fuzzy Hash: fc56d96de3c5d5125a3c1009fc05114574b7dba2801ec61b2e0e290047db93e5
Instruction Fuzzy Hash: F111E53272C684C2FA108BAEEC483151372A749BE9F540225CD6D8B3A2EF2DC655C320

Function 66F8E5E0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON38 ref: 66F8E5EF
fread.MSVCRT ref: 66F8E612
PyMem_Free.PYTHON38 ref: 66F8E625
PyErr_Occurred.PYTHON38 ref: 66F8E635
PyErr_Format.PYTHON38 ref: 66F8E665
PyErr_NoMemory.PYTHON38 ref: 66F8E690

Strings

read() returned too much data: %zd bytes requested, %zd returned, xrefs: 66F8E65B
EOF read where not expected, xrefs: 66F8E677

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$Mem_$FormatFreeMallocMemoryOccurredfread
String ID: EOF read where not expected$read() returned too much data: %zd bytes requested, %zd returned
API String ID: 28673812-3742967138
Opcode ID: a64d3ec6dffc6bc87783c48ba7dbf8fed9385366a788c72028b083562a66a690
Instruction ID: c82fa6136501d7c42354f2f5cab0d18c66f9636ea6201b2b57b825b9ea1d7be1
Opcode Fuzzy Hash: a64d3ec6dffc6bc87783c48ba7dbf8fed9385366a788c72028b083562a66a690
Instruction Fuzzy Hash: 62118032B29544C2FE049B9AEC587551332A74AFF8F550269CE2D073F0DE3E9A55C360

Function 66F9EED0 Relevance: 15.5, APIs: 2, Strings: 8, Instructions: 455COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 66F9EF73
free.MSVCRT ref: 66F9F021

Strings

ltc_mp.name != NULL, xrefs: 66F9F55C
in != NULL, xrefs: 66F9F353
src/pk/rsa/rsa_import.c, xrefs: 66F9F31A, 66F9F333, 66F9F34C
src/pk/rsa/rsa_make_key.c, xrefs: 66F9F53C, 66F9F555, 66F9F56E
key != NULL, xrefs: 66F9F543
size > 0, xrefs: 66F9F575
ltc_mp.name != NULL, xrefs: 66F9F321
key != NULL, xrefs: 66F9F33A

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: callocfree
String ID: in != NULL$key != NULL$key != NULL$ltc_mp.name != NULL$ltc_mp.name != NULL$size > 0$src/pk/rsa/rsa_import.c$src/pk/rsa/rsa_make_key.c
API String ID: 306872129-2031961738
Opcode ID: 3d80d0657239a8b1e0c08d4430391272175d215dc6dc5e04f746c81100b7715a
Instruction ID: ec58151dfc91b7aa8c8d78e148e07bfb74d6b09c5e53d5738f592a2ddb05e935
Opcode Fuzzy Hash: 3d80d0657239a8b1e0c08d4430391272175d215dc6dc5e04f746c81100b7715a
Instruction Fuzzy Hash: 0D122A72618B80C6E7A0CF26E84479AB7A4F785BDCF105216EF8987B58DF79C485CB40

Function 00007FFDFB23BD30 Relevance: 15.2, APIs: 1, Strings: 9, Instructions: 238stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB23BDCB

Strings

OPENSSL_finish, xrefs: 00007FFDFB23BE52
%-8d, xrefs: 00007FFDFB23C07C
..\s\crypto\conf\conf_mod.c, xrefs: 00007FFDFB23BE93, 00007FFDFB23BED8, 00007FFDFB23BF2E, 00007FFDFB23BF58, 00007FFDFB23BF71, 00007FFDFB23BFE2, 00007FFDFB23C011, 00007FFDFB23C027, 00007FFDFB23C03F, 00007FFDFB23C066
, retcode=, xrefs: 00007FFDFB23C0A6
OPENSSL_init, xrefs: 00007FFDFB23BE35
path, xrefs: 00007FFDFB23BDF5
module=, xrefs: 00007FFDFB23BEB4, 00007FFDFB23BEEE, 00007FFDFB23C0B7
, path=, xrefs: 00007FFDFB23BEA5
, value=, xrefs: 00007FFDFB23C09F

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: strncmp
String ID: %-8d$, path=$, retcode=$, value=$..\s\crypto\conf\conf_mod.c$OPENSSL_finish$OPENSSL_init$module=$path
API String ID: 1114863663-3652895664
Opcode ID: 7fa605a8ceb3b8543fbe42aa065cf00a204794484b58e037f1995578e6de5600
Instruction ID: 85cf23a8d8a4ecc7a644a4059001b0ad38249f6b1c2924fc6673a9255759d506
Opcode Fuzzy Hash: 7fa605a8ceb3b8543fbe42aa065cf00a204794484b58e037f1995578e6de5600
Instruction Fuzzy Hash: 9EA18022B0AB8781FB10AF55A864AB92290BF45B94F484135DD6D4BBFDEF3CE5858700

Function 66F9D6B0 Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 66F9D6E3
memcmp.MSVCRT ref: 66F9D703
memcmp.MSVCRT ref: 66F9D725
memcmp.MSVCRT ref: 66F9D745
memcmp.MSVCRT ref: 66F9D765
memcmp.MSVCRT ref: 66F9D785
memcmp.MSVCRT ref: 66F9D7A5
memcmp.MSVCRT ref: 66F9D7C5

Strings

src/misc/crypt/crypt_register_hash.c, xrefs: 66F9D917
hash != NULL, xrefs: 66F9D91E

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: memcmp
String ID: hash != NULL$src/misc/crypt/crypt_register_hash.c
API String ID: 1475443563-1465673959
Opcode ID: 9a90915ac5f4da8954f2ad70a48be5c947d567dac467927d737f303674bc135e
Instruction ID: afb447b03221eefe439e58e1c30396767b66d353a57912a9853f1c6e1a4db918
Opcode Fuzzy Hash: 9a90915ac5f4da8954f2ad70a48be5c947d567dac467927d737f303674bc135e
Instruction Fuzzy Hash: FF617936710B4497F718CB26E984B9A7368F308B98F608126CF9987750EF39E55AC361

Function 66F9D940 Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 66F9D973
memcmp.MSVCRT ref: 66F9D990
memcmp.MSVCRT ref: 66F9D9B2
memcmp.MSVCRT ref: 66F9D9D2
memcmp.MSVCRT ref: 66F9D9F2
memcmp.MSVCRT ref: 66F9DA12
memcmp.MSVCRT ref: 66F9DA32
memcmp.MSVCRT ref: 66F9DA52

Strings

prng != NULL, xrefs: 66F9DB76
src/misc/crypt/crypt_register_prng.c, xrefs: 66F9DB6F

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: memcmp
String ID: prng != NULL$src/misc/crypt/crypt_register_prng.c
API String ID: 1475443563-58737364
Opcode ID: c6a8de877113159093499213b2593711bf42504d00cabf3efa59fe949496abca
Instruction ID: 55daeb96d8f846e8affc7ca32b28baeabe346f96c69836d81dd41c10b211b38b
Opcode Fuzzy Hash: c6a8de877113159093499213b2593711bf42504d00cabf3efa59fe949496abca
Instruction Fuzzy Hash: 1A51C032750B8497FB20CF12D888B9A7768F748BD4F558226CF2983740EB78E15AC761

Function 66F9D380 Relevance: 15.1, APIs: 8, Strings: 2, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 66F9D3AB
strcmp.MSVCRT ref: 66F9D3CF
strcmp.MSVCRT ref: 66F9D3EB
strcmp.MSVCRT ref: 66F9D40A
strcmp.MSVCRT ref: 66F9D429
strcmp.MSVCRT ref: 66F9D444
strcmp.MSVCRT ref: 66F9D45F
strcmp.MSVCRT ref: 66F9D47A

Strings

name != NULL, xrefs: 66F9D4AF
src/misc/crypt/crypt_find_prng.c, xrefs: 66F9D4A8

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: strcmp
String ID: name != NULL$src/misc/crypt/crypt_find_prng.c
API String ID: 1004003707-2030105502
Opcode ID: 4bf116380656867f60f687a57c1ea56dcad2253d0b0618ff4441cd8545de75a5
Instruction ID: c63226697e81839960dc316d9eb0e5b1ece4af981e754f4ad30f04b889bf4b64
Opcode Fuzzy Hash: 4bf116380656867f60f687a57c1ea56dcad2253d0b0618ff4441cd8545de75a5
Instruction Fuzzy Hash: CF31C421706A464AFF28CF679AD47BD6311FF46BDCF504221DF2A8B944EB18E10AC721

Function 66F9D0E0 Relevance: 15.1, APIs: 8, Strings: 2, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 66F9D10B
strcmp.MSVCRT ref: 66F9D135
strcmp.MSVCRT ref: 66F9D154
strcmp.MSVCRT ref: 66F9D173
strcmp.MSVCRT ref: 66F9D192
strcmp.MSVCRT ref: 66F9D1AD
strcmp.MSVCRT ref: 66F9D1C8
strcmp.MSVCRT ref: 66F9D1E3

Strings

name != NULL, xrefs: 66F9D218
src/misc/crypt/crypt_find_cipher.c, xrefs: 66F9D211

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: strcmp
String ID: name != NULL$src/misc/crypt/crypt_find_cipher.c
API String ID: 1004003707-679692990
Opcode ID: 98fa63aa5d99f17d4e734f52645fbab0fc417d6f86a0a1cb9aed78f4e7356562
Instruction ID: c4f0bdbeb95d9e733d773e43a850bd2e7fb575324c72e254ef09f2126d62f7a2
Opcode Fuzzy Hash: 98fa63aa5d99f17d4e734f52645fbab0fc417d6f86a0a1cb9aed78f4e7356562
Instruction Fuzzy Hash: 1C31CA6270698B4AFF28CE52CED47B96311EF46BD8F508211CF298B944EF24D14AC721

Function 00007FF654CA7840 Relevance: 15.1, APIs: 10, Instructions: 75fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA43B0: _wfopen.MSVCRT ref: 00007FF654CA43F5

Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7723
Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7753
Part of subcall function 00007FF654CA76B0: strlen.MSVCRT ref: 00007FF654CA7769
Part of subcall function 00007FF654CA76B0: strcpy.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA777A
Part of subcall function 00007FF654CA76B0: strtok.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA7784

fread.MSVCRT ref: 00007FF654CA78B1
ferror.MSVCRT ref: 00007FF654CA78C1
clearerr.MSVCRT(?,00000000,?,00007FF654CA3267,?,00000000,?,00000000,?,?,_MEIPASS2,?,00007FF654CA362C), ref: 00007FF654CA78CD
fwrite.MSVCRT ref: 00007FF654CA78E3
ferror.MSVCRT ref: 00007FF654CA78F0
clearerr.MSVCRT(?,00000000,?,00007FF654CA3267,?,00000000,?,00000000,?,?,_MEIPASS2,?,00007FF654CA362C), ref: 00007FF654CA78FC
fclose.MSVCRT ref: 00007FF654CA7909
fclose.MSVCRT ref: 00007FF654CA7911
fclose.MSVCRT ref: 00007FF654CA7934
fclose.MSVCRT ref: 00007FF654CA7941

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fclose$strlen$clearerrferror$_wfopenfreadfwritestrcpystrtok
String ID:
API String ID: 4076046571-0
Opcode ID: 0ca4ef915f0a775d2389a04320ec273b6ce6437d5a5171d2091505cce8856d3f
Instruction ID: fdf851524041cf60aa971b2870663fcfe0cc434886bc99e8c92c91708060d421
Opcode Fuzzy Hash: 0ca4ef915f0a775d2389a04320ec273b6ce6437d5a5171d2091505cce8856d3f
Instruction Fuzzy Hash: CE214C91F0E25301F815A6639AB13B952A61FC6BE4F4C01B3ED0EFB7C6EE1CE8014691

Function 00007FF654CB207B Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 176stringCOMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF654CB211E
fwprintf.MSVCRT ref: 00007FF654CB2153
memset.MSVCRT ref: 00007FF654CB223A
strlen.MSVCRT ref: 00007FF654CB2252

Part of subcall function 00007FF654CB814E: ___mb_cur_max_func.MSVCRT ref: 00007FF654CB8184
Part of subcall function 00007FF654CB814E: ___lc_codepage_func.MSVCRT ref: 00007FF654CB818B

fwprintf.MSVCRT ref: 00007FF654CB217B

Part of subcall function 00007FF654CB1FF0: fputwc.MSVCRT ref: 00007FF654CB2040

Strings

%.*S, xrefs: 00007FF654CB2171
%-*.*S, xrefs: 00007FF654CB2149
%*.*S, xrefs: 00007FF654CB2114

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fwprintf$___lc_codepage_func___mb_cur_max_funcfputwcmemsetstrlen
String ID: %*.*S$%-*.*S$%.*S
API String ID: 1485978544-2115465065
Opcode ID: c93050da29d2b53cde75ff4ecec3a5117cbc28d906d175e1e5974c7ea21a5eeb
Instruction ID: cff94670349e4770835808b7bccbc8572527a6fc23849749fdb466b07f7ad649
Opcode Fuzzy Hash: c93050da29d2b53cde75ff4ecec3a5117cbc28d906d175e1e5974c7ea21a5eeb
Instruction Fuzzy Hash: D9810BB6A04B458AEB14CF6AC8942AC37F0F788B9CB458566EE5D97B58DF38D440CB40

Function 66F813C0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

PySys_GetObject.PYTHON38 ref: 66F8158B
PyUnicode_AsUTF8AndSize.PYTHON38 ref: 66F8159B
getenv.MSVCRT ref: 66F815BB

Strings

_PARLANG, xrefs: 66F81584, 66F8162C
LANG, xrefs: 66F815B4
PYARMOR_LANG, xrefs: 66F81565

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: ObjectSizeSys_Unicode_getenv
String ID: LANG$PYARMOR_LANG$_PARLANG
API String ID: 223123148-1822377752
Opcode ID: ede8a0e8718e638b0a6be7f9cf91a3111d91eaccac3b5b90de33bd3baee64b1e
Instruction ID: fb53a0cc38223e12ebc18f7713e6a0148a524c19e3b9c49a3df797d3235a5add
Opcode Fuzzy Hash: ede8a0e8718e638b0a6be7f9cf91a3111d91eaccac3b5b90de33bd3baee64b1e
Instruction Fuzzy Hash: E551F6A2A0C29187FB01CB19D5803A93BB3B786B9DF49C29ACA7D47356D729C495C360

Function 00007FF654CA8040 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF654CA8088
WideCharToMultiByte.KERNEL32 ref: 00007FF654CA80DA
calloc.MSVCRT ref: 00007FF654CA80F0

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF654CA8140
Failed to encode wchar_t as UTF-8., xrefs: 00007FF654CA8120
WideCharToMultiByte, xrefs: 00007FF654CA8127, 00007FF654CA8147
win32_utils_to_utf8, xrefs: 00007FF654CA8108
Out of memory., xrefs: 00007FF654CA8101

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1374691127-27947307
Opcode ID: ea88749d0a14f64099691da4aeb15603b84fc63f6c062682654e53545a88106d
Instruction ID: 580e308a626259bb97198b4daae4dde7f46a5b023a7520462a3ef9cc856cef53
Opcode Fuzzy Hash: ea88749d0a14f64099691da4aeb15603b84fc63f6c062682654e53545a88106d
Instruction Fuzzy Hash: D021A1A1A18B4285FA14DB66E8F037662B0AFC4394F8C8177DA4EAAAD1DF7CD044C310

Function 00007FF654CA7F50 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF654CA7F92
calloc.MSVCRT ref: 00007FF654CA7FA2
WideCharToMultiByte.KERNEL32 ref: 00007FF654CA7FD7

Strings

Failed to get ANSI buffer size., xrefs: 00007FF654CA7FF0
WideCharToMultiByte, xrefs: 00007FF654CA7FF7, 00007FF654CA8017
Out of memory., xrefs: 00007FF654CA8027
Failed to encode filename as ANSI., xrefs: 00007FF654CA8010
win32_wcs_to_mbs, xrefs: 00007FF654CA802E

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Out of memory.$WideCharToMultiByte$win32_wcs_to_mbs
API String ID: 1374691127-3831141058
Opcode ID: c974b491895e7bda57dd440c625f49c5a3727ada228be6d7fc02953d331cde25
Instruction ID: 4465dabc60b6ba3ba377ccd988cd8adaf7ff57e94bdfe8c70497c4725ac4c57d
Opcode Fuzzy Hash: c974b491895e7bda57dd440c625f49c5a3727ada228be6d7fc02953d331cde25
Instruction Fuzzy Hash: 4D21D1A1A1C74245E7509B56E8F036666B1EFC4394F88417BE94EB66D5DF7CD104C300

Function 00007FF654CA7B70 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF654CA7B8B
_strdup.MSVCRT ref: 00007FF654CA7BBC
_errno.MSVCRT ref: 00007FF654CA7BF0
strerror.MSVCRT ref: 00007FF654CA7BF8
_errno.MSVCRT ref: 00007FF654CA7C15
strerror.MSVCRT ref: 00007FF654CA7C1D

Strings

LOADER: failed to allocate argv_pyi: %s, xrefs: 00007FF654CA7C22
LOADER: failed to strdup argv[%d]: %s, xrefs: 00007FF654CA7BFF

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: _errnostrerror$_strdupcalloc
String ID: LOADER: failed to allocate argv_pyi: %s$LOADER: failed to strdup argv[%d]: %s
API String ID: 4278403329-2782260415
Opcode ID: 945d6d8d56f37cfe0361321e39814a85846aa9c2cc1a836560a03a797768b115
Instruction ID: 47778568f69772fe3bc2d4f5ee564081688bd911694d37ab6ce697b9a629c490
Opcode Fuzzy Hash: 945d6d8d56f37cfe0361321e39814a85846aa9c2cc1a836560a03a797768b115
Instruction Fuzzy Hash: F111DFE1A1A64285F7119B52E8F01B97671BFC4740F9C41BACD0DA33A1EE3CE484C300

Function 66FA75A0 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 168COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 66FA7613
malloc.MSVCRT ref: 66FA761D

Strings

seed != NULL, xrefs: 66FA77D0
src/pk/pkcs1/pkcs_1_mgf1.c, xrefs: 66FA77C9, 66FA77E2
mask != NULL, xrefs: 66FA77E9

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: malloc
String ID: mask != NULL$seed != NULL$src/pk/pkcs1/pkcs_1_mgf1.c
API String ID: 2803490479-2931318352
Opcode ID: 5802c16ceb22e0697a4cc36ec6c5506e4db02ae271dec38180cd6864647f904c
Instruction ID: 83205c2e0985c773e91e5655228572ac53ca5d95c8f462ba2bf58d90009b40dc
Opcode Fuzzy Hash: 5802c16ceb22e0697a4cc36ec6c5506e4db02ae271dec38180cd6864647f904c
Instruction Fuzzy Hash: 0A51F27AB183908BEB11CF359904F7EBB65EB467C8F048014CE5647B08EB39E516CB20

Function 00007FF654CA8210 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246
MultiByteToWideChar.KERNEL32 ref: 00007FF654CA8288
calloc.MSVCRT ref: 00007FF654CA829E

Strings

win32_utils_from_utf8, xrefs: 00007FF654CA82B2
Failed to get wchar_t buffer size., xrefs: 00007FF654CA82E8
Failed to decode wchar_t from UTF-8, xrefs: 00007FF654CA82C8
%s%s: %s, xrefs: 00007FF654CA8210
MultiByteToWideChar, xrefs: 00007FF654CA82CF, 00007FF654CA82EF
Out of memory., xrefs: 00007FF654CA82AB

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharMultiWide$calloc
String ID: %s%s: %s$Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1374691127-2292745976
Opcode ID: e25d75c4397cd3946ce71200e75b93b7a887f4a347cf1552ce9ec0bda547e504
Instruction ID: 1a86a265c6b070f7596c4c3ecf98d12c87cc4de1c4d3bd552fcbcb96baa33454
Opcode Fuzzy Hash: e25d75c4397cd3946ce71200e75b93b7a887f4a347cf1552ce9ec0bda547e504
Instruction Fuzzy Hash: 3B1193E1F09A4245FA24DB66E8B02B522B19FC8798F8C4277D94DA76D1EE3CE045C320

Function 66F89950 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

PyUnicode_FromKindAndData.PYTHON38 ref: 66F89999
PyErr_SetString.PYTHON38 ref: 66F8A2F9

Strings

EOF read where object expected, xrefs: 66F8A2EC

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: DataErr_FromKindStringUnicode_
String ID: EOF read where object expected
API String ID: 3898585613-3634523442
Opcode ID: 12b60aab1b1ecbd908c0c9e25cf520ede2315fe8f49d1c43c69bcb33044c900e
Instruction ID: b92663c606a92cdd0727bd886f188317bbc05f3c9639ee2cc4a4cc658c0c59cd
Opcode Fuzzy Hash: 12b60aab1b1ecbd908c0c9e25cf520ede2315fe8f49d1c43c69bcb33044c900e
Instruction Fuzzy Hash: 1631AE333096808AFA11CF19D48875A37B5FB88BD4F418598CE5E17398DF3AD586C790

Function 66F88C60 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 66F88CB9
PyOS_string_to_double.PYTHON38 ref: 66F88CCB
PyErr_SetString.PYTHON38 ref: 66F88D23

Strings

EOF read where object expected, xrefs: 66F88D19
marshal data too short, xrefs: 66F88D6C

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_S_string_to_doubleStringmemcpy
String ID: EOF read where object expected$marshal data too short
API String ID: 1651926552-3827827332
Opcode ID: 6686ed67ce2cd4d8a9d388cb7dfffe3d1e60d80091aae381cae9746d654e5bd5
Instruction ID: d6306265677b518e8035a6125656d6cea411ab89020ee939eaf37ed947832088
Opcode Fuzzy Hash: 6686ed67ce2cd4d8a9d388cb7dfffe3d1e60d80091aae381cae9746d654e5bd5
Instruction Fuzzy Hash: B831AE7271AA04D5FF15DF29E8003682372BB59BD8F544266CE2D07768DF2CC5A6C390

Function 66F83790 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

_PyObject_CallMethod_SizeT.PYTHON38 ref: 66F837ED
_PyObject_CallMethod_SizeT.PYTHON38 ref: 66F837FF
_Py_Dealloc.PYTHON38 ref: 66F8380B
_Py_Dealloc.PYTHON38 ref: 66F83883

Strings

close, xrefs: 66F837F5
%U.%s, xrefs: 66F83796
read, xrefs: 66F837DC

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: CallDeallocMethod_Object_Size
String ID: %U.%s$close$read
API String ID: 3129687173-1885073756
Opcode ID: 606ed7b1692c76c641d5613d1b6d66393b10fb6f7be18d701976a0a0b2ea412d
Instruction ID: 8a8028a88a1267b23771365ad2bae8ac642df27304e0506721fcc1a2e735f1fc
Opcode Fuzzy Hash: 606ed7b1692c76c641d5613d1b6d66393b10fb6f7be18d701976a0a0b2ea412d
Instruction Fuzzy Hash: CF11CE63749610C1FE019BAAFC0835563A2BB09BE8F88546A9D1C06734DF3EC959C360

Function 00007FF654CA15E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF654CA15F7
LoadLibraryA.KERNEL32 ref: 00007FF654CA1608
GetProcAddress.KERNEL32 ref: 00007FF654CA1626
GetProcAddress.KERNEL32 ref: 00007FF654CA1635

Strings

libgcc_s_dw2-1.dll, xrefs: 00007FF654CA15ED
__register_frame_info, xrefs: 00007FF654CA1615
__deregister_frame_info, xrefs: 00007FF654CA1628

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: e6b7f3097ed1fa55bbfab8c2ac934be5e0bcb191cc89f52011f527b87621e30f
Instruction ID: 1f0784ae3fc797d470a0edd04e01738fd937e673f3f285ace8211833898c514f
Opcode Fuzzy Hash: e6b7f3097ed1fa55bbfab8c2ac934be5e0bcb191cc89f52011f527b87621e30f
Instruction Fuzzy Hash: B701BAA4A4AA5B91EA119B06F9A017423B4AF88794F8C41B3C84EE7364EF2CE546C300

Function 66FA1C30 Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 127COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 66FA1CA1
free.MSVCRT ref: 66FA1D9F

Strings

public_key_len != NULL, xrefs: 66FA1E30
src/pk/asn1/der/sequence/der_decode_subject_public_key_info.c, xrefs: 66FA1E29, 66FA1E42, 66FA1E5B
inlen != 0, xrefs: 66FA1E49
in != NULL, xrefs: 66FA1E62

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: callocfree
String ID: in != NULL$inlen != 0$public_key_len != NULL$src/pk/asn1/der/sequence/der_decode_subject_public_key_info.c
API String ID: 306872129-3913984646
Opcode ID: f7497d6656fa43165a627de98dea7d9b3e09a65f69f9b472af60d34e42e87eec
Instruction ID: cadfe95afb1ccc79284d72b2fdcd415659d98b5f5ec100a438c8503d216c4bd5
Opcode Fuzzy Hash: f7497d6656fa43165a627de98dea7d9b3e09a65f69f9b472af60d34e42e87eec
Instruction Fuzzy Hash: C34145763187C0CAFB70CF15E8807DAB7A5F388798F40421ACA984BA98DBBDD045CB51

Function 66F8E6A0 Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

_Py_fstat_noraise.PYTHON38 ref: 66F8E6BD
PyMem_Malloc.PYTHON38 ref: 66F8E6E6
PyList_New.PYTHON38 ref: 66F8E711
PyMem_Free.PYTHON38 ref: 66F8E743
fread.MSVCRT ref: 66F8E76E
PyMarshal_ReadObjectFromString.PYTHON38 ref: 66F8E779
PyMem_Free.PYTHON38 ref: 66F8E787

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Mem_$Free$FromList_MallocMarshal_ObjectPy_fstat_noraiseReadStringfread
String ID:
API String ID: 308550609-0
Opcode ID: 173b2679fa090a7d00211a9dfe8eec30b66ab2835932efa8dd22830a9bffd1aa
Instruction ID: 2b605346f52c3a10455e0f0c87876471b95143797fa09b5225297ca7475f13a4
Opcode Fuzzy Hash: 173b2679fa090a7d00211a9dfe8eec30b66ab2835932efa8dd22830a9bffd1aa
Instruction Fuzzy Hash: 98218D32B19B8085FA118B65F848369A774EBC6BEDF480129EE5D47B65DF3CC195C700

Function 00007FF654CA6520 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 157COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF654CA66A9

Strings

rename ::source ::_source, xrefs: 00007FF654CA65F0
tcl_findLibrary, xrefs: 00007FF654CA659D
source, xrefs: 00007FF654CA6619
exit, xrefs: 00007FF654CA65D2
tclInit, xrefs: 00007FF654CA657B
_image_data, xrefs: 00007FF654CA6687

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free
String ID: _image_data$exit$rename ::source ::_source$source$tclInit$tcl_findLibrary
API String ID: 1294909896-1126984729
Opcode ID: f715ec876722e12cdb0f662df770872b06380997f3a1ed7aba2766a90e7ae60b
Instruction ID: 9643b123931b93ecfc1a13828861565f0810a3f814ace5edbc3fe8db6b0e578e
Opcode Fuzzy Hash: f715ec876722e12cdb0f662df770872b06380997f3a1ed7aba2766a90e7ae60b
Instruction Fuzzy Hash: 7071FAB6618A4695EB109F62E8A83693370FB88F85F488073DE5EA7364DF3CD509C740

Function 66FFF950 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 66FFF9FB

Strings

VirtualProtect failed with code 0x%x, xrefs: 66FFFADA
VirtualQuery failed for %d bytes at address %p, xrefs: 66FFFB28
Address %p has no image-section, xrefs: 66FFFB39

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
API String ID: 1804819252-2123141913
Opcode ID: 98524c9a6126829ac2c8b2cde8f722641c52e9f3b3b3acac046996fe8f5d46c9
Instruction ID: 4a09a67f79bf3fe13deff55902b245e799be2e601cabb264a2af125825f7cdcd
Opcode Fuzzy Hash: 98524c9a6126829ac2c8b2cde8f722641c52e9f3b3b3acac046996fe8f5d46c9
Instruction Fuzzy Hash: 0151CF73B26B41C6EB508F25E84079D77A2B788BA8F498226DE2D477A4DB38C546C310

Function 00007FFDFB132405 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 113stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FFDFB31F4F9
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB31F514
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB31F52D

Strings

file, xrefs: 00007FFDFB31F4C1, 00007FFDFB31F506
T, xrefs: 00007FFDFB31F5AD
..\s\crypto\store\store_lib.c, xrefs: 00007FFDFB31F58E, 00007FFDFB31F5A6

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: _stricmpstrchrstrncmp
String ID: ..\s\crypto\store\store_lib.c$T$file
API String ID: 3017659097-909561481
Opcode ID: 503d7c060f9ca88cb13353a6b662c23f936918faa0af8a7225bb6e83a0b4d6aa
Instruction ID: 0ac58eb0b34d2e6c00ccb214ed3e6be47ae9a331909e9d6a8962aa64a6440621
Opcode Fuzzy Hash: 503d7c060f9ca88cb13353a6b662c23f936918faa0af8a7225bb6e83a0b4d6aa
Instruction Fuzzy Hash: 84419432B4AA5796EB11EF11E8609A973A4FB89B88F444035DE5D077E8EF3CE545C700

Function 00007FF654CA7490 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

wcslen.MSVCRT ref: 00007FF654CA74E0
wcscat.MSVCRT ref: 00007FF654CA750E
_wrmdir.MSVCRT ref: 00007FF654CA752C
wcscat.MSVCRT ref: 00007FF654CA755E

Strings

_MEIPASS2, xrefs: 00007FF654CA7497

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: wcscat$ByteCharMultiWide_wrmdirwcslen
String ID: _MEIPASS2
API String ID: 3789554339-3944641314
Opcode ID: 32073048c59e9077f6f36a3fca34749367cfe369c6483e236f106b3387b7c847
Instruction ID: beaedefb14458b0954ffeb20603008eba5b88a3865c958cf3aaa40ff8adcf9fd
Opcode Fuzzy Hash: 32073048c59e9077f6f36a3fca34749367cfe369c6483e236f106b3387b7c847
Instruction Fuzzy Hash: 3521D0D2B4954244EA10A613A8A46BA52B2BFC5BE0FCC85B3ED1DA77C6ED3CD4458314

Function 66F89800 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON38 ref: 66F898D4

Strings

recursion limit exceeded, xrefs: 66F89F40
EOF read where object expected, xrefs: 66F898C7
bad marshal data (unknown type code), xrefs: 66F89F17

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_String
String ID: EOF read where object expected$bad marshal data (unknown type code)$recursion limit exceeded
API String ID: 1450464846-1585441539
Opcode ID: 2752d80ef754a57dd89e269fd23386fa7e4a22bd889e594f6e97b0ecfba3df9e
Instruction ID: 69397e9ce6372de11e6ffdb94e1ddc9aec278d808e0419eb0358cd18c94b7750
Opcode Fuzzy Hash: 2752d80ef754a57dd89e269fd23386fa7e4a22bd889e594f6e97b0ecfba3df9e
Instruction Fuzzy Hash: BA318B32218A85C1FB21CF1DE8843A97371FB987A9F919525DE5E173A0DF39C196C350

Function 00007FF654CA5910 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 56stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF654CA5925

Strings

utf-8, xrefs: 00007FF654CA5934
strict, xrefs: 00007FF654CA592A
%U?%llu, xrefs: 00007FF654CA594A
path, xrefs: 00007FF654CA5976
Failed to append to sys.path, xrefs: 00007FF654CA59A0
Installing PYZ: Could not get sys.path, xrefs: 00007FF654CA59BC

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: strlen
String ID: %U?%llu$Failed to append to sys.path$Installing PYZ: Could not get sys.path$path$strict$utf-8
API String ID: 39653677-2762566162
Opcode ID: d933acb19d688c888bbabfb13c8229aa91e53fac741f948bdaf742cd5b545c31
Instruction ID: 257fbcc23c0b2da53f40a2928bfc369a0eb1dba8bb13b3ef2f7d882ebe2718e4
Opcode Fuzzy Hash: d933acb19d688c888bbabfb13c8229aa91e53fac741f948bdaf742cd5b545c31
Instruction Fuzzy Hash: F11133A6E0991685FA00DB6AE8A40A96370AFC4FD4B8C8173DD1DE7761EE3CE546C700

Function 66F89C30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON38 ref: 66F89C3B
PyBytes_FromStringAndSize.PYTHON38 ref: 66F8A4E8
memcpy.MSVCRT ref: 66F8A525

Strings

bad marshal data (bytes object size out of range), xrefs: 66F8A97D

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Bytes_Err_FromOccurredSizeStringmemcpy
String ID: bad marshal data (bytes object size out of range)
API String ID: 2675459810-66224825
Opcode ID: 8b815e33c6a9e9321f1ac26222c8e409a2144161d952660b83f976bbb467b547
Instruction ID: 6e6b5267d098d4ed37c503bf90278393d3bfa6a41325dfc64eb33c1c2f428f16
Opcode Fuzzy Hash: 8b815e33c6a9e9321f1ac26222c8e409a2144161d952660b83f976bbb467b547
Instruction Fuzzy Hash: 99113A32309690C6EA14DB19D488B1A3376F799B84F518599CE1E0B358DF39D546C390

Function 66F905D0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON38 ref: 66F905FD
_Py_Dealloc.PYTHON38 ref: 66F90613
PyNumber_Positive.PYTHON38 ref: 66F90624
PyNumber_Invert.PYTHON38 ref: 66F90630
PyNumber_Negative.PYTHON38 ref: 66F90640

Strings

Invalid operator, xrefs: 66F905F3

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Number_$DeallocErr_InvertNegativePositiveString
String ID: Invalid operator
API String ID: 4031754375-2676212410
Opcode ID: 97daef6cd2902c1118f03a607b0348390dd8c4d7e0cdc8180edd343b47f8e1ea
Instruction ID: 2afa321a4b2a6e7066d765ad370a2a957ca1bba1e3a9790e62ee440b756d5ea1
Opcode Fuzzy Hash: 97daef6cd2902c1118f03a607b0348390dd8c4d7e0cdc8180edd343b47f8e1ea
Instruction Fuzzy Hash: D2F06232668900D1FE548F79E84832D6372A7CBB5DF450619D92D42275CFB9C1D4CBA1

Function 00007FFDFB1346C9 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 217COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFDFB2B40AA
memmove.VCRUNTIME140 ref: 00007FFDFB2B4105

Strings

), xrefs: 00007FFDFB2B4189
assertion failed: EVP_CIPHER_iv_length(cipher) <= 16, xrefs: 00007FFDFB2B40C9
assertion failed: EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp), xrefs: 00007FFDFB2B4086
..\s\crypto\evp\p5_crpt.c, xrefs: 00007FFDFB2B3EBB, 00007FFDFB2B3F3D, 00007FFDFB2B407F, 00007FFDFB2B40C2, 00007FFDFB2B4191

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: memmove
String ID: )$..\s\crypto\evp\p5_crpt.c$assertion failed: EVP_CIPHER_iv_length(cipher) <= 16$assertion failed: EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
API String ID: 2162964266-3025833483
Opcode ID: d4c1e3f06c2810839b8112079928d9e6766f37ae9ec5cf3b44562ddb7b1bd44c
Instruction ID: 04eee987a736165c46177c7e860c9a6663074601ea587c27a7bda678321cc069
Opcode Fuzzy Hash: d4c1e3f06c2810839b8112079928d9e6766f37ae9ec5cf3b44562ddb7b1bd44c
Instruction Fuzzy Hash: 49919762F1E94749EB60EB1594A1FBA6390EF447C4F449031E96D87AEDEF3CE4458B00

Function 67000B20 Relevance: 9.1, APIs: 6, Instructions: 137stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 67000B3D
_stat64.MSVCRT ref: 67000B8B
malloc.MSVCRT ref: 67000CA3
memcpy.MSVCRT ref: 67000CB8
_stat64.MSVCRT ref: 67000CCB
free.MSVCRT ref: 67000CE0

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: _stat64$freemallocmemcpystrlen
String ID:
API String ID: 4289191721-0
Opcode ID: 80b34f1c5fdd88b2ce448e724f3a28e93e51d86314deed038756465e35ae143c
Instruction ID: f062ce7101a7301369fca3413351cf8643b74da5f83adf6f5a57257d18a817f8
Opcode Fuzzy Hash: 80b34f1c5fdd88b2ce448e724f3a28e93e51d86314deed038756465e35ae143c
Instruction Fuzzy Hash: F9519E3212C69088F7108F21909076E77E6E79EBB8F548012DBA407759DB7EC085C762

Function 00007FF654CA76B0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 102stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF654CA7723
strlen.MSVCRT ref: 00007FF654CA7753
strlen.MSVCRT ref: 00007FF654CA7769
strcpy.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA777A
strtok.MSVCRT(00000000,?,?,00000000,?,00000012,00007FF654CA1CB3), ref: 00007FF654CA7784

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

Part of subcall function 00007FF654CAF1BB: free.MSVCRT ref: 00007FF654CAF1FF
Part of subcall function 00007FF654CAF1BB: memset.MSVCRT ref: 00007FF654CAF21C

Strings

WARNING: file already exists but should not: %s, xrefs: 00007FF654CA782B

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: strlen$ByteCharMultiWidefreememsetstrcpystrtok
String ID: WARNING: file already exists but should not: %s
API String ID: 901113649-146164175
Opcode ID: 7072ae6d0657243b1b059db1da13a8eaa9e493386cd5a882feb7df409dbc5b21
Instruction ID: f7f63d71ed15e4af07ef2cc17e75bf3c3cc54be8e5d1a378b3937fb2516d657b
Opcode Fuzzy Hash: 7072ae6d0657243b1b059db1da13a8eaa9e493386cd5a882feb7df409dbc5b21
Instruction Fuzzy Hash: AA31A091B4954244FA21E713E8A57FA52626FC5BC4F8C40B3ED0DE77C6DE2CE149C650

Function 00007FFDFB35FA80 Relevance: 9.1, APIs: 7, Instructions: 327stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,00000000,?,00007FFDFB35F9EB,?,?,00000000,00007FFDFB35EF27), ref: 00007FFDFB35FB9A
strchr.VCRUNTIME140(?,00000000,?,00007FFDFB35F9EB,?,?,00000000,00007FFDFB35EF27), ref: 00007FFDFB35FBC8
strchr.VCRUNTIME140(?,00000000,?,00007FFDFB35F9EB,?,?,00000000,00007FFDFB35EF27), ref: 00007FFDFB35FBDC
strchr.VCRUNTIME140(?,00000000,?,00007FFDFB35F9EB,?,?,00000000,00007FFDFB35EF27), ref: 00007FFDFB35FDB4
strchr.VCRUNTIME140(?,00000000,?,00007FFDFB35F9EB,?,?,00000000,00007FFDFB35EF27), ref: 00007FFDFB35FDC4

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: strchr
String ID:
API String ID: 2830005266-0
Opcode ID: b47ed86f5467abe1a2b598f8d36dc161c19d63e871b7563a1b6bed335e2f929c
Instruction ID: 584477234f7b2e9b259b099500e5c3da6cb3cc254591e764dcdc37ef7395dea6
Opcode Fuzzy Hash: b47ed86f5467abe1a2b598f8d36dc161c19d63e871b7563a1b6bed335e2f929c
Instruction Fuzzy Hash: 9EB12022B4A58743FB51AB29D0A4A7863D1EB45BA0F494131DF6C477EADE2DFCC68300

Function 66F8FB90 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

PyEval_GetGlobals.PYTHON38 ref: 66F8FBA1
PyDict_SetItem.PYTHON38 ref: 66F8FC19
PyDict_GetItem.PYTHON38 ref: 66F8FC3D
PyDict_DelItem.PYTHON38 ref: 66F8FC56

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Dict_Item$Eval_Globals
String ID:
API String ID: 298195719-0
Opcode ID: bdbfbde53943e06cb84977794a913d9a8feaca20f0af7cd8f2ba57cf1041ecb5
Instruction ID: 10d891a56c4b4db0109e04e10b0597b56b96162e53721a7f69e0ea27a5975be5
Opcode Fuzzy Hash: bdbfbde53943e06cb84977794a913d9a8feaca20f0af7cd8f2ba57cf1041ecb5
Instruction Fuzzy Hash: D3119162F6B6118BFE8AA7567C143850062ABDABD9F5E8469CC0D06715EA28CBD3C210

Function 00007FF654CA75D0 Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

wcscmp.MSVCRT ref: 00007FF654CA761A
wcscat.MSVCRT ref: 00007FF654CA7630

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: wcscatwcscmp
String ID:
API String ID: 3846154227-0
Opcode ID: 2e846096d5f1173c00e44c6aa62fcc8cda5cfbe0eb3fb93c179b8cb843208025
Instruction ID: dc6887e6ccc5f1225daad81d0523fa5e873dcda5db4dd2fa1c2f15dd1e19a61b
Opcode Fuzzy Hash: 2e846096d5f1173c00e44c6aa62fcc8cda5cfbe0eb3fb93c179b8cb843208025
Instruction Fuzzy Hash: D4116DD0B8D54345FA59AB2798B43B912B16FC4BC4F4C80B3DD0EE6282EE2CE5068224

Function 66F8F4E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164memoryCOMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 66F8F4E9
VirtualAlloc.KERNEL32 ref: 66F8F60B
memcpy.MSVCRT ref: 66F8F62B

Strings

Failed to alloc memory for spp code, xrefs: 66F8F72B

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: AllocVirtualexitmemcpy
String ID: Failed to alloc memory for spp code
API String ID: 693558432-822294455
Opcode ID: f3bc23246e1a7ea39ca5eeb61b5eab4d2a1b7311cb43689520820e0dc14aebbb
Instruction ID: fec435337d9191e434979fca2facb34d50444232d1990e8d9ceb768e064c7e84
Opcode Fuzzy Hash: f3bc23246e1a7ea39ca5eeb61b5eab4d2a1b7311cb43689520820e0dc14aebbb
Instruction Fuzzy Hash: 99518BB2B16B4486EF948F09E88075873B5FB89BD8F54812ADE5C477A4EF38C061C310

Function 00007FF654CB2378 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

fwprintf.MSVCRT ref: 00007FF654CB241B
fwprintf.MSVCRT ref: 00007FF654CB2450

Part of subcall function 00007FF654CB1FF0: fputwc.MSVCRT ref: 00007FF654CB2040

Strings

%*.*s, xrefs: 00007FF654CB2411
%-*.*s, xrefs: 00007FF654CB2446
%.*s, xrefs: 00007FF654CB246E

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fwprintf$fputwc
String ID: %*.*s$%-*.*s$%.*s
API String ID: 2988249585-4054516066
Opcode ID: b02ba0fa6d73b1136932df1615eabb89f2fc48cd2a4aa50ad3fcf4feca9b3b31
Instruction ID: 56f9b3c771380ba5e434f42c949319a640f5cf67ea75b5c02e06c19b2a15a7b8
Opcode Fuzzy Hash: b02ba0fa6d73b1136932df1615eabb89f2fc48cd2a4aa50ad3fcf4feca9b3b31
Instruction Fuzzy Hash: 9671FCB6A04B89CADB24CF2AC4945AC77F0F788B9CB458566EE4D97B58DF38D400CB40

Function 00007FF654CA6F10 Relevance: 8.8, APIs: 7, Instructions: 67stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00007FF654CA6F30
strlen.MSVCRT ref: 00007FF654CA6F47
strlen.MSVCRT ref: 00007FF654CA6F5C
malloc.MSVCRT ref: 00007FF654CA6F6A

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: strlen$malloc
String ID:
API String ID: 3157260142-0
Opcode ID: 0419613c3ea4f464a99d91cc0fc2a83583cd7a599b744298bfe001e261bbff0e
Instruction ID: 649894e7a07060035aba572be40f29fdaeebe30295591872a16ee8c8711d47b8
Opcode Fuzzy Hash: 0419613c3ea4f464a99d91cc0fc2a83583cd7a599b744298bfe001e261bbff0e
Instruction Fuzzy Hash: 4311C282B0A14208FC5AEA5359F47BB45A11FD5FD8D8C80B2ED4DAB781FE3CA4468360

Function 66F90225 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON38 ref: 66F90214
PyErr_GivenExceptionMatches.PYTHON38 ref: 66F90256
PyTuple_Size.PYTHON38 ref: 66F90303
PyErr_SetString.PYTHON38 ref: 66F90371

Strings

catching classes that do not inherit from BaseException is not allowed, xrefs: 66F90365

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$DeallocExceptionGivenMatchesSizeStringTuple_
String ID: catching classes that do not inherit from BaseException is not allowed
API String ID: 1667255942-1287988286
Opcode ID: 7aa5052ace1f0b2f986bcb667602ca640b41220727e23121f6c32aab47bdbf06
Instruction ID: 813c8e1707d8b2129448e4b63dbce8df304fb9c700ee6787fb423eed43f35ed2
Opcode Fuzzy Hash: 7aa5052ace1f0b2f986bcb667602ca640b41220727e23121f6c32aab47bdbf06
Instruction Fuzzy Hash: 7221CD73B09740C2FB088F36E484B597361A746F99F088229CE5C47360DFBAC195C380

Function 66F907B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON38 ref: 66F907B7
PyErr_Format.PYTHON38 ref: 66F907E6
PyErr_Format.PYTHON38 ref: 66F90805

Strings

No active exception to reraise, xrefs: 66F907DC
local variable referenced before assignment, xrefs: 66F907FB

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$Format$Occurred
String ID: No active exception to reraise$local variable referenced before assignment
API String ID: 1084603930-1116140797
Opcode ID: ea755bf025dee667039df077fee257567cff1e322b8d29ae90c64374e7b485f0
Instruction ID: 5588140cc0f9ee580c6acc3bb115a1d8a3b10d05f1cf09ba4382bbcb72c72f03
Opcode Fuzzy Hash: ea755bf025dee667039df077fee257567cff1e322b8d29ae90c64374e7b485f0
Instruction Fuzzy Hash: F4F08271B29705C2FF05CBA5E88435413A1AB48B79F950615CC1C47331DE6EC1EAC721

Function 00007FFDFB133247 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 268stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB337135

Part of subcall function 00007FFDFB1323B5: memset.VCRUNTIME140 ref: 00007FFDFB224AEB

memmove.VCRUNTIME140 ref: 00007FFDFB337312

Strings

NO X509_NAME, xrefs: 00007FFDFB337128
0123456789ABCDEF, xrefs: 00007FFDFB337331
..\s\crypto\x509\x509_obj.c, xrefs: 00007FFDFB337116, 00007FFDFB3373BF, 00007FFDFB337434

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: memmovememsetstrncpy
String ID: ..\s\crypto\x509\x509_obj.c$0123456789ABCDEF$NO X509_NAME
API String ID: 899670095-3422593365
Opcode ID: f899bb93a93083c1eed05d22a3c6f44b612f3e9b136a5c3ea0115cf8b111b2c6
Instruction ID: 56985a143d49d9970f34c8785794f0a7e223cc0dade8dbc4825bc511f434e4db
Opcode Fuzzy Hash: f899bb93a93083c1eed05d22a3c6f44b612f3e9b136a5c3ea0115cf8b111b2c6
Instruction Fuzzy Hash: E8B1BF22B4A68786EB11AB159460F7ABBD0EB44B98F084135EE6D477F9DF3CF4848740

Function 00007FFDFB135362 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFDFB2DB7F1

Strings

Enter PEM pass phrase:, xrefs: 00007FFDFB2DB807
..\s\crypto\pem\pem_lib.c, xrefs: 00007FFDFB2DB83A, 00007FFDFB2DB8A3, 00007FFDFB2DB98C
;, xrefs: 00007FFDFB2DB832

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\pem\pem_lib.c$;$Enter PEM pass phrase:
API String ID: 2162964266-3733131234
Opcode ID: 8a61b3c6a358ae9897c4f46a3d158109fb8a417a44eb08eaed83332f1f5fbda0
Instruction ID: d7fc9878e87224e5ed1804240bb3e724aa43c044b0cb9fd21aeeae3826b38d28
Opcode Fuzzy Hash: 8a61b3c6a358ae9897c4f46a3d158109fb8a417a44eb08eaed83332f1f5fbda0
Instruction Fuzzy Hash: C6719266B0EA8386E720AB51E464BAE6390FB48798F440135DA6D83AEDDF3CD541CB40

Function 66F925E0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 66F92696
sprintf.MSVCRT ref: 66F926C0

Strings

../src/platforms/windows/hdinfo.c, xrefs: 66F9270C
/%d:, xrefs: 66F9266B, 66F9267D
No any serial number of harddisk got, xrefs: 66F92705

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: sprintfstrlen
String ID: ../src/platforms/windows/hdinfo.c$/%d:$No any serial number of harddisk got
API String ID: 1090396089-4267867539
Opcode ID: 31af2e46d4100cef63581085d68aae10d157700d2eb2dcb07bbe34cfb56b77b0
Instruction ID: 742a196d2347dd3a3586fae40d01f78c0c089f7c2c1a705e0f5f4cbf93905f9e
Opcode Fuzzy Hash: 31af2e46d4100cef63581085d68aae10d157700d2eb2dcb07bbe34cfb56b77b0
Instruction Fuzzy Hash: 00315A53F794504AFB118A79AC507AD2612B757BE9F884321CE2487BC4DA3B85D6C701

Function 66F91570 Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

PyFunction_NewWithQualName.PYTHON38 ref: 66F915BC
_Py_Dealloc.PYTHON38 ref: 66F91647

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: DeallocFunction_NameQualWith
String ID:
API String ID: 2691592392-0
Opcode ID: c70d8e22b6fb7d042fcbe835daa285448b2ec46c728d816a336a837257fbbf6c
Instruction ID: bd5bf38e3743a5e35916c73aa4263de51001008af231bea976bcc660219758d5
Opcode Fuzzy Hash: c70d8e22b6fb7d042fcbe835daa285448b2ec46c728d816a336a837257fbbf6c
Instruction Fuzzy Hash: 21316C33E45A40C3FA1ADF66AA4832972ADE756BD8F1D4631DF2946B14EF34C1A1C310

Function 66FA0E50 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

src/math/rand_prime.c, xrefs: 66FA0F96
N != NULL, xrefs: 66FA0F9D

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID:
String ID: N != NULL$src/math/rand_prime.c
API String ID: 0-3192267683
Opcode ID: e74fbf1bd119aaad982333372bbeefe55aa80f3d0b2425a64a8d787a8178b8b6
Instruction ID: 71ca21f85ae5edf2623e403285006933e7af733d431e057c60e540391ee86b9f
Opcode Fuzzy Hash: e74fbf1bd119aaad982333372bbeefe55aa80f3d0b2425a64a8d787a8178b8b6
Instruction Fuzzy Hash: 8E312463B08744CAFB248B16BC40B9E3B65E74ABEDF444129EE195BB94DF78C445C380

Function 66F89E90 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 66F88810: _PyFloat_Unpack8.PYTHON38 ref: 66F88841

PyErr_Occurred.PYTHON38 ref: 66F89EB4
PyErr_Occurred.PYTHON38 ref: 66F89F8D

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_Occurred$Float_Unpack8
String ID:
API String ID: 3006406168-0
Opcode ID: 25731e8754741c7258dcfdee3108278f9bf8a38bd790017d729a2d3f56006a67
Instruction ID: 7d0e9f83372ef69f9df16c3a787aed8ebe06486e262c1aff32f8199a6f3536fc
Opcode Fuzzy Hash: 25731e8754741c7258dcfdee3108278f9bf8a38bd790017d729a2d3f56006a67
Instruction Fuzzy Hash: 6C11AF326486408AF615CF69D05C71B3376FF66790F02A689C90A27268DF3AD686C380

Function 66F89D23 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 66F88C60: memcpy.MSVCRT ref: 66F88CB9
Part of subcall function 66F88C60: PyOS_string_to_double.PYTHON38 ref: 66F88CCB

PyErr_Occurred.PYTHON38 ref: 66F89D47
PyErr_Occurred.PYTHON38 ref: 66F89FED

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_Occurred$S_string_to_doublememcpy
String ID:
API String ID: 282781714-0
Opcode ID: c8eec1e2fb1afbe17f492ddba1688786fa44dcf2a18facbc5d00873f2a2d5e28
Instruction ID: 65021048e7727b8493c275957d86722a43481ffe7c7336157c345fb2bec24998
Opcode Fuzzy Hash: c8eec1e2fb1afbe17f492ddba1688786fa44dcf2a18facbc5d00873f2a2d5e28
Instruction Fuzzy Hash: 9911AF326096408BF615CF69D09C71B3376FFA6790F42A689890A36258DF3AE582C390

Function 00007FF654CA8310 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 00007FF654CA8329

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

free.MSVCRT ref: 00007FF654CA8377
free.MSVCRT ref: 00007FF654CA8384

Strings

C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\jone, xrefs: 00007FF654CA8312
C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\user\AppData\Local\Temp\_MEI73442, xrefs: 00007FF654CA8311

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$ByteCharMultiWidecalloc
String ID: C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\jone$C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip;C:\Users\user\AppData\Local\Temp\_MEI73442\lib-dynload;C:\Users\user\AppData\Local\Temp\_MEI73442
API String ID: 3975185072-1692260131
Opcode ID: 0faf44b2c5f354340a62e8afc208ffbb73008dc180b0d557f08b18528392ab49
Instruction ID: ea8859a47de0189c25ce6c3eff647eb959316f7f7659f11613ca6d79bf32b054
Opcode Fuzzy Hash: 0faf44b2c5f354340a62e8afc208ffbb73008dc180b0d557f08b18528392ab49
Instruction Fuzzy Hash: 890166A2F1661142FA21D71AA9A03B961609FC47D4F8C4472CF4E93780EE3CE481C320

Function 00007FF654CA2920 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF654CA2949
EndDialog.USER32 ref: 00007FF654CA2978
GetWindowLongPtrW.USER32 ref: 00007FF654CA2985
InvalidateRect.USER32 ref: 00007FF654CA29A5
SetWindowLongPtrW.USER32 ref: 00007FF654CA29C4

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: DialogLongWindow$InvalidateRect
String ID:
API String ID: 1200242243-0
Opcode ID: 89cb7d82cb1b40587ec4d78b90bde32f8ec055dd5bdbf5a296f83f89b3663874
Instruction ID: cc460658e1ce59e7c95f55528b7dd1d069b67309fb220763fa14eefccef88c29
Opcode Fuzzy Hash: 89cb7d82cb1b40587ec4d78b90bde32f8ec055dd5bdbf5a296f83f89b3663874
Instruction Fuzzy Hash: 5901C0A0E1D17B42F65CA33778E56BC11B1AFD9B11F9C44B3D94FE5B988C2C68C24201

Function 66FDD510 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 233fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 66FDD7C4
abort.MSVCRT ref: 66FDD7C9

Strings

', xrefs: 66FDD82E
illegal index register, xrefs: 66FDD7AF

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: abortfwrite
String ID: '$illegal index register
API String ID: 1067672060-451399654
Opcode ID: 30ed7b924fe86d56e32075ecd28e360c321c5069fcfad807037309b7bfbb4194
Instruction ID: 0726b703c7262fa3e2ce39de831f5f1432f6725bbb19c518c08dad537baa04bb
Opcode Fuzzy Hash: 30ed7b924fe86d56e32075ecd28e360c321c5069fcfad807037309b7bfbb4194
Instruction Fuzzy Hash: D691AC7361AB89C5EB128F3DE880A4C3FA5E3A5F88B9AC112CB4C47714CA7ED456C710

Function 00007FF654CAD850 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

CCG , xrefs: 00007FF654CAD878

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID:
String ID: CCG
API String ID: 0-1584390748
Opcode ID: a2009b416c13826995d1c9318a92a1b9d2e4341e694bba52663129bfcb9c8ac9
Instruction ID: 26bed0aa39a31060e47e90cc69aba9865991b2ed665222cafed5457c9debdff5
Opcode Fuzzy Hash: a2009b416c13826995d1c9318a92a1b9d2e4341e694bba52663129bfcb9c8ac9
Instruction Fuzzy Hash: 734175B6A096028AF7208B65C4E43BC3272EFC5718F188677CA2DE77D4DE3CD9419241

Function 66F8F750 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 66F8F7A9
memcpy.MSVCRT ref: 66F8F7CC
fwrite.MSVCRT ref: 66F8F85C

Strings

Failed to alloc memory for bcc code, xrefs: 66F8F847

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: AllocVirtualfwritememcpy
String ID: Failed to alloc memory for bcc code
API String ID: 1603020442-783995166
Opcode ID: eb23d3be20123cf0cf08d2a85a5079c95ad4c67ffd96b2f544d334d3cac980b3
Instruction ID: 31a1d8baf03bd5c1194be895fe23854d1f9c9f6b13b733042da3f3a37fb28dff
Opcode Fuzzy Hash: eb23d3be20123cf0cf08d2a85a5079c95ad4c67ffd96b2f544d334d3cac980b3
Instruction Fuzzy Hash: CB218BB2706B548AEB548F1AE84076877A4F70CFE9F48852ADF4C83750EB38C0A2C350

Function 66F899D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON38 ref: 66F899E0
PyErr_SetString.PYTHON38 ref: 66F8A079

Strings

bad marshal data (string size out of range), xrefs: 66F8A06F

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$OccurredString
String ID: bad marshal data (string size out of range)
API String ID: 114435612-3115314950
Opcode ID: 293430a6a5cdbc98a50b289ced698e2fed51f9bd8b8da540c01d7127c9aae8e1
Instruction ID: 3b4414d1bb201c171486ede7135525884a4aec373d10d333502f3ec199fbf4d9
Opcode Fuzzy Hash: 293430a6a5cdbc98a50b289ced698e2fed51f9bd8b8da540c01d7127c9aae8e1
Instruction Fuzzy Hash: 1E11063370568486FA12CF08E84439A63B1FF88BA5F018168CE1D177A8EF3DD586C350

Function 00007FF654CA2C10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

MessageBoxW.USER32 ref: 00007FF654CA2C93
MessageBoxA.USER32 ref: 00007FF654CA2CBB

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF654CA2C16
WideCharToMultiByte, xrefs: 00007FF654CA2C18

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: Message$ByteCharMultiWide
String ID: Failed to get UTF-8 buffer size.$WideCharToMultiByte
API String ID: 1878133881-785100509
Opcode ID: f8b2052244f997f8cf142d2b4763022da063b563fc09b0a30e2edc3fc9052039
Instruction ID: 7dc9d71577be989c89177034a91cf21993150ee6a6a911859f43416f3186c8a1
Opcode Fuzzy Hash: f8b2052244f997f8cf142d2b4763022da063b563fc09b0a30e2edc3fc9052039
Instruction Fuzzy Hash: 0801F5B279879041FB345B62B8547FA6290BB89FD8F888035CE4D67B85CD3DD5858B40

Function 66F82ECE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON38 ref: 66F82F4F
exit.MSVCRT(66F81E15), ref: 66F83240

Strings

\(, xrefs: 66F82F3A
%s (%d:%d), xrefs: 66F82F48

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_Formatexit
String ID: %s (%d:%d)$\(
API String ID: 2212715685-1109738240
Opcode ID: 0424d5ceef1ab17d7a6ad8fdbdb3027b58ed43a9019e03873f4a971e827090bd
Instruction ID: b4f2ff009cb8151a99e9bd8b925fe9c212c5883eeda4a26a5ec718530b71c56f
Opcode Fuzzy Hash: 0424d5ceef1ab17d7a6ad8fdbdb3027b58ed43a9019e03873f4a971e827090bd
Instruction Fuzzy Hash: 60112573366B8485FB01CB19E88435A3771E789BA8F855556CD2D0B3A0CF3DC182C790

Function 66F89D70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON38 ref: 66F8A114
PyErr_Occurred.PYTHON38 ref: 66F8A319
PyErr_SetString.PYTHON38 ref: 66F8ACF7

Strings

bad marshal data (invalid reference), xrefs: 66F8A107, 66F8ACEA

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_$String$Occurred
String ID: bad marshal data (invalid reference)
API String ID: 1118661901-2759865940
Opcode ID: 968cbeb75552fe5edac8bad04cde3dbc9d27da8db6f20704d605a970f4c42716
Instruction ID: b06c9a209ed7e0daf4cbee7a6fc9ff459a6e727a8ad181e6784ab6267fcdceb2
Opcode Fuzzy Hash: 968cbeb75552fe5edac8bad04cde3dbc9d27da8db6f20704d605a970f4c42716
Instruction Fuzzy Hash: DB111E72318A41C6FB04CF29D88871A3376F749BA4F529685CA2E173A4CF3AD5A5C790

Function 00007FF654CA42F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF654CA4312

Part of subcall function 00007FF654CA8040: WideCharToMultiByte.KERNEL32 ref: 00007FF654CA8088

Strings

Failed to get executable path., xrefs: 00007FF654CA4348
GetModuleFileNameW, xrefs: 00007FF654CA434F
Failed to convert executable path to UTF-8., xrefs: 00007FF654CA4360

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: ByteCharFileModuleMultiNameWide
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 1532159127-1977442011
Opcode ID: f4bf1276b97d64210b6653597ec094bb76e5d053494305fba7f19c3c38b4cda7
Instruction ID: e4688c0613782778e6b8853051936c5d7a0aef4b84b9e59e4f6a74800fa88d29
Opcode Fuzzy Hash: f4bf1276b97d64210b6653597ec094bb76e5d053494305fba7f19c3c38b4cda7
Instruction Fuzzy Hash: 53F0AFD1B1C15392FA556622A8B53F902B1AFC47C4F8C40B3D84EE67C6DD0EE5469310

Function 66F91B40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 66F91B44
FormatMessageA.KERNEL32 ref: 66F91B75
LocalFree.KERNEL32 ref: 66F91B96

Strings

../src/platforms/windows/hdinfo.c, xrefs: 66F91B80

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID: ../src/platforms/windows/hdinfo.c
API String ID: 1365068426-2451707101
Opcode ID: 0b3497e0e8524aa34434791428da8e05064aec6413ab9b7d1de309c9d65537ca
Instruction ID: 8dce6f37feef62638acdf1acdd4dcdb0bf3105246173f09d06f6fee41ccbe511
Opcode Fuzzy Hash: 0b3497e0e8524aa34434791428da8e05064aec6413ab9b7d1de309c9d65537ca
Instruction Fuzzy Hash: 7CF03032308A40C1E7509B21E81934AB772F3D9B89F504115DB8D43BA4DF3EC2598B50

Function 00007FFDFB34E9B0 Relevance: 6.5, APIs: 5, Instructions: 218COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,?,00000000,?,00007FFDFB34F074), ref: 00007FFDFB34EB46
memcmp.VCRUNTIME140(?,?,00000000,?,00007FFDFB34F074), ref: 00007FFDFB34EB5E
memcmp.VCRUNTIME140(?,?,00000000,?,00007FFDFB34F074), ref: 00007FFDFB34EB76
memcmp.VCRUNTIME140(?,?,00000000,?,00007FFDFB34F074), ref: 00007FFDFB34EBB1
memcmp.VCRUNTIME140(?,?,00000000,?,00007FFDFB34F074), ref: 00007FFDFB34EC8D

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: 8f8bb78f2a2637a729eadb8f3da555a761f623b2f8a1b02fd96e3a6437f90bd1
Instruction ID: edcda4a4fc6805b4c69f288f9108b227c18234642f0aef9a55be72d804884ef3
Opcode Fuzzy Hash: 8f8bb78f2a2637a729eadb8f3da555a761f623b2f8a1b02fd96e3a6437f90bd1
Instruction Fuzzy Hash: 9881B361B496A3C2FB24BA26D5609BE27E1BF447C8F445431CE2D5BAEDEE28E545C300

Function 00007FFDFB132E4B Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 368COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFDFB30EE02
memset.VCRUNTIME140 ref: 00007FFDFB30EE64

Strings

..\s\crypto\sm2\sm2_crypt.c, xrefs: 00007FFDFB30EE3B, 00007FFDFB30EE6F, 00007FFDFB30EE83, 00007FFDFB30EE9B, 00007FFDFB30EF00, 00007FFDFB30EF3F, 00007FFDFB30EF84, 00007FFDFB30EFA8, 00007FFDFB30EFBA, 00007FFDFB30EFDA, 00007FFDFB30F03B, 00007FFDFB30F302, 00007FFDFB30F340
@, xrefs: 00007FFDFB30F150

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: memset
String ID: ..\s\crypto\sm2\sm2_crypt.c$@
API String ID: 2221118986-485510600
Opcode ID: da7dc45c9c2dfd3cf84d3af2843d57906763fb0a5865fcf3f3ae2116ab873b62
Instruction ID: cba4bc86651f4b022fa2b4343283962724a3770a4b60e332f76822fe4bb72fd4
Opcode Fuzzy Hash: da7dc45c9c2dfd3cf84d3af2843d57906763fb0a5865fcf3f3ae2116ab873b62
Instruction Fuzzy Hash: D5F16132B0EA8782EB20AB15E4609A967A0FF85BC8F484135DE9D477E9EF3DD545C700

Function 00007FFDFB1E3450 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 164stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB1E3533
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB1E354B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB1E3568

Strings

content-type, xrefs: 00007FFDFB1E345A

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: strncmp
String ID: content-type
API String ID: 1114863663-3266185539
Opcode ID: 4631d19e4425c0fd0a3489a558a41e6dd35230276ece1185163dec947c25b71f
Instruction ID: 6cda78ec5f4cfa1a6176f8cf96b9201f9266618bf075ad81cedba0819021ec3e
Opcode Fuzzy Hash: 4631d19e4425c0fd0a3489a558a41e6dd35230276ece1185163dec947c25b71f
Instruction Fuzzy Hash: C0519123F1EA4341FB629725A560B7A6291AF45BACF441230DE7E477EDEF2CE5428700

Function 00007FFDFB13112C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFDFB23ECC5
memmove.VCRUNTIME140 ref: 00007FFDFB23ED76
memmove.VCRUNTIME140 ref: 00007FFDFB23EDFF

Strings

..\s\crypto\ct\ct_oct.c, xrefs: 00007FFDFB23EBF5, 00007FFDFB23ECED, 00007FFDFB23ED0E, 00007FFDFB23ED89, 00007FFDFB23EDA5, 00007FFDFB23EDCF, 00007FFDFB23EDE7

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\ct\ct_oct.c
API String ID: 2162964266-1972679481
Opcode ID: 062cd3e64885ebfd0890634cdc10c5af027266595d2eae18cc88829b6952b2c6
Instruction ID: 4f017b744a4016e950ec9fff18767f3fe2a876819e6f84054ad22b7726625bbe
Opcode Fuzzy Hash: 062cd3e64885ebfd0890634cdc10c5af027266595d2eae18cc88829b6952b2c6
Instruction Fuzzy Hash: 1971A362B0E69289E715EF2580205BC3BA1FB15F44F084532DE6C477EADE2CE6D9C711

Function 66F81010 Relevance: 6.1, APIs: 4, Instructions: 131sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 66F81057
_amsg_exit.MSVCRT ref: 66F81081

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: e5702a439a4ad7f612bf09567f4b6bdbc3a59019ab1ed67d80b3c557a7c00de7
Instruction ID: 36f8baeecf6fe092316813967f0358202faac6b42ecc9b1c15b7995d41157d5a
Opcode Fuzzy Hash: e5702a439a4ad7f612bf09567f4b6bdbc3a59019ab1ed67d80b3c557a7c00de7
Instruction Fuzzy Hash: 1441BE33B19A45CAF706CF5AEC907563376A7A8BD9F84416ACE2C87350EE39C491C360

Function 66FA1AC0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 104COMMON

Download Yara Rule

Strings

in != NULL, xrefs: 66FA1C19
src/pk/asn1/der/sequence/der_decode_sequence_multi.c, xrefs: 66FA1C12

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID:
String ID: in != NULL$src/pk/asn1/der/sequence/der_decode_sequence_multi.c
API String ID: 0-85593093
Opcode ID: 5c52bab621110d91baed5af67f33942c581aa4e88befd0dd93c9ea70a8f3c3da
Instruction ID: fbac79a958a79ffb04a36821a58578e47854271ef9080731b78a1bea095f10be
Opcode Fuzzy Hash: 5c52bab621110d91baed5af67f33942c581aa4e88befd0dd93c9ea70a8f3c3da
Instruction Fuzzy Hash: 5E31E133B29784CBEB14CF29E810B9D7225E795BD9F994228DE4D4BB44EB39C451CB00

Function 66F89400 Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 66F8943B
fwrite.MSVCRT ref: 66F89460
PyBytes_Size.PYTHON38 ref: 66F8949D

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Bytes_Sizefwritememcpy
String ID:
API String ID: 3636771336-0
Opcode ID: 093730332a7e9877e6b19efade14e0ea6c1ba5ef8ad62899f2d7a132981f3775
Instruction ID: 7fb8f1e4ecaeb01849937532973a0c10b29274815122a81459077c6be761d3af
Opcode Fuzzy Hash: 093730332a7e9877e6b19efade14e0ea6c1ba5ef8ad62899f2d7a132981f3775
Instruction Fuzzy Hash: 6F31A0A3745A5486EB05CF6AE94875823A1F39CFECF54812ADE2D1B788DE38C586C341

Function 00007FFDFB1322CA Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2DEA8A

Strings

X9.42 DH PARAMETERS, xrefs: 00007FFDFB2DEA79
DH PARAMETERS, xrefs: 00007FFDFB2DEA3B
..\s\crypto\pem\pem_pkey.c, xrefs: 00007FFDFB2DEAB4, 00007FFDFB2DEAD9, 00007FFDFB2DEAF0

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: strcmp
String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
API String ID: 1004003707-3633731555
Opcode ID: 96a109f9c30092f0ab8764c48a0b78b03f30e2d1876c41eb359e8fe877bb5394
Instruction ID: 7bc10604b3afa7911df0726c473694393fb598a34031373e7794f2ac2072df6c
Opcode Fuzzy Hash: 96a109f9c30092f0ab8764c48a0b78b03f30e2d1876c41eb359e8fe877bb5394
Instruction Fuzzy Hash: 9E215322B0AA4B82EB10EB55E4609A9A3A0FF88784F544135EA5C87BEDFE7DD155C700

Function 00007FF654CA2B10 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF654CA2B78
free.MSVCRT ref: 00007FF654CA2B80
free.MSVCRT ref: 00007FF654CA2B88

Part of subcall function 00007FF654CA8210: MultiByteToWideChar.KERNEL32(?,?,WideCharToMultiByte,?,Failed to get UTF-8 buffer size.,?,00007FF654CA2E40), ref: 00007FF654CA8246

Strings

Failed to obtain/convert traceback!, xrefs: 00007FF654CA2BA2

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free$ByteCharMultiWide
String ID: Failed to obtain/convert traceback!
API String ID: 3219091393-982972847
Opcode ID: 8df6a8358dac60a212556b377cd368c0f9cc8a804325971415c7063dd2af1f98
Instruction ID: 45b0259018f5ba383fbd1b91b62b7673d542c93eb8ca9fedd33e035a73825927
Opcode Fuzzy Hash: 8df6a8358dac60a212556b377cd368c0f9cc8a804325971415c7063dd2af1f98
Instruction Fuzzy Hash: 51017191B5966206FD1DA5A719B2AFA50610FC5BD0D9C48B6ED0FABF82EC2CE4454310

Function 66F89CD1 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 66F88810: _PyFloat_Unpack8.PYTHON38 ref: 66F88841

PyErr_Occurred.PYTHON38 ref: 66F89CF1
PyFloat_FromDouble.PYTHON38 ref: 66F89FB4

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Float_$DoubleErr_FromOccurredUnpack8
String ID:
API String ID: 4123378784-0
Opcode ID: 75cbe4f6236140e3f3e17949df3a7072b92d9d5fd2809eafefd520ee0c94fa05
Instruction ID: 27d32f8ea74f9d277b91601c6cedb36b2cba6cb8e9da901d03b1e33723779872
Opcode Fuzzy Hash: 75cbe4f6236140e3f3e17949df3a7072b92d9d5fd2809eafefd520ee0c94fa05
Instruction Fuzzy Hash: 41017133748200CBF614CF69D49CB1B7376FB55785F029588C91627268DF3AD581C790

Function 66F89DD3 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 66F88C60: memcpy.MSVCRT ref: 66F88CB9
Part of subcall function 66F88C60: PyOS_string_to_double.PYTHON38 ref: 66F88CCB

PyErr_Occurred.PYTHON38 ref: 66F89DF3
PyFloat_FromDouble.PYTHON38 ref: 66F8A014

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: DoubleErr_Float_FromOccurredS_string_to_doublememcpy
String ID:
API String ID: 1362591179-0
Opcode ID: b238720ab883d221391d78448b7b0e127067fece75bd79c02a78ff4f3cec0e5e
Instruction ID: e567c4af1fbd2cd196b2fd2dbc9fede7847cb61bbc0f2e85543c85b79b87e7e2
Opcode Fuzzy Hash: b238720ab883d221391d78448b7b0e127067fece75bd79c02a78ff4f3cec0e5e
Instruction Fuzzy Hash: 61017133745600CBF605CF25C49CB1B33BAFB55794F12AA98C90627254DF3AD582C780

Function 66F89BD0 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON38 ref: 66F89BDA
PyLong_FromLong.PYTHON38 ref: 66F8A673

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_FromLongLong_Occurred
String ID:
API String ID: 4098471257-0
Opcode ID: 49b78bd632a16342053534db293ba5be799141b1bf89e5b3197291154ee42b47
Instruction ID: 3a83104b59892f6198c9341ee6ea786cc49422b5610113c751f71647becea107
Opcode Fuzzy Hash: 49b78bd632a16342053534db293ba5be799141b1bf89e5b3197291154ee42b47
Instruction Fuzzy Hash: E50128327496508BFA14CF68C49CB2B33B6FB85B81B429598C91A1B359DE3AD641C384

Function 00007FFDFB131DD4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFDFB1F6269
getaddrinfo.WS2_32 ref: 00007FFDFB1F62A4

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFDFB1F62D1, 00007FFDFB1F6318, 00007FFDFB1F6344

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: getaddrinfo
String ID: ..\s\crypto\bio\b_addr.c
API String ID: 300660673-2547254400
Opcode ID: f3cfbca69420f5427df2d31b0fded41f4fb78145a65b2b5ca5eaac2b623b0e37
Instruction ID: b361f956b8c684cc923e67408492a74c28b4b66e2f7be0ba2f398166c024dba8
Opcode Fuzzy Hash: f3cfbca69420f5427df2d31b0fded41f4fb78145a65b2b5ca5eaac2b623b0e37
Instruction Fuzzy Hash: A941F873F1969387E7109B12A850AAD77A4FB84748F144035EA9E83BE9DF3CE844CB40

Function 00007FF654CACDD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

Unknown error, xrefs: 00007FF654CACE6A
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 4b8c868c6939ec88d1abe8f8504a39c26f50d9ef9e938201b9fa1182f5e26e6d
Instruction ID: 160d08a1c4d8db08604566c55807b5423ddb61cdb3b3430b03f1b9281f6d1cac
Opcode Fuzzy Hash: 4b8c868c6939ec88d1abe8f8504a39c26f50d9ef9e938201b9fa1182f5e26e6d
Instruction Fuzzy Hash: F8215E66A04F849AD7128F68D8813E97371FF99798F484622EE8C67728DF38D255C300

Function 66F880B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

PyErr_Format.PYTHON38 ref: 66F88110

Strings

%s (%d:%d), xrefs: 66F88103

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: Err_Format
String ID: %s (%d:%d)
API String ID: 376477240-1595188566
Opcode ID: b3eb94625566ced6eae50b08347c60d5f23321d25285cdcded42f12e05cb6486
Instruction ID: fbd53ae8b92f25b70ab5e6e65fd5d64f7afccbd6fdcf3c2589c86460cb1a0f9e
Opcode Fuzzy Hash: b3eb94625566ced6eae50b08347c60d5f23321d25285cdcded42f12e05cb6486
Instruction Fuzzy Hash: 64012B73E18B5485F701DB1CD8413893761EB99B98F9A4166CD7D173A2CF2DC982C390

Function 00007FF654CA2E50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00007FF654CA2E97

Part of subcall function 00007FF654CA2C10: MessageBoxW.USER32 ref: 00007FF654CA2C93

Strings

%s%s: %s, xrefs: 00007FF654CA2EB4
Fatal error detected, xrefs: 00007FF654CA2ECB

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: Message_errno
String ID: %s%s: %s$Fatal error detected
API String ID: 1796756983-2410924014
Opcode ID: 80f6f717bb9969ece7152c8fde9cb11b8c043fce6b7f1340054d38df66cc8f43
Instruction ID: 0f0c90e1c03a1cbd28842ec4c07fd859d7d71d6edf2705573b18a42781d13223
Opcode Fuzzy Hash: 80f6f717bb9969ece7152c8fde9cb11b8c043fce6b7f1340054d38df66cc8f43
Instruction Fuzzy Hash: 7501A2A261CA8091E224DB11F8907EA6374FBC47C0F948132EFCD63B598E3CD246CB40

Function 00007FFDFB13343B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFB23FC14

Strings

!, xrefs: 00007FFDFB23FBF1
..\s\crypto\ct\ct_policy.c, xrefs: 00007FFDFB23FBD3, 00007FFDFB23FBEA

Memory Dump Source

Source File: 00000001.00000002.1767214909.00007FFDFB131000.00000020.00000001.01000000.00000012.sdmp, Offset: 00007FFDFB130000, based on PE: true

Associated: 00000001.00000002.1767197166.00007FFDFB130000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB13D000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB195000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1A9000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1BA000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1C0000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB1CE000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767214909.00007FFDFB371000.00000020.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB373000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB39E000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3CF000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB3F5000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767491014.00007FFDFB41A000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767756432.00007FFDFB441000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767781456.00007FFDFB447000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB449000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB465000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.1767805120.00007FFDFB469000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfb130000_DeltaX.jbxd

Similarity

API ID: _time64
String ID: !$..\s\crypto\ct\ct_policy.c
API String ID: 1670930206-3401457818
Opcode ID: d9f64f4cc04cddd85ee12494419b894aad7291cbd22d4c8079ebbf3f97d39cc8
Instruction ID: 899f6c599aa421064b5e49b4e2e628cd99e94ccf8fe843189f4d89d2b43ba9a3
Opcode Fuzzy Hash: d9f64f4cc04cddd85ee12494419b894aad7291cbd22d4c8079ebbf3f97d39cc8
Instruction Fuzzy Hash: 10F06232B57A0786FB149B24E421BAD6390EF50714F580435DA2D463F9EE3CE796C740

Function 00007FF654CACE29 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

Argument singularity (SIGN), xrefs: 00007FF654CACE29
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 50bb6e3b89c3acdd8da2640c7def1cf69755cc37c592828175fc8adef2d15e3e
Instruction ID: 5ff4d119244352cb4b47f4a5cee92e8a1fd84872159f6b7ed742f4f700e91d03
Opcode Fuzzy Hash: 50bb6e3b89c3acdd8da2640c7def1cf69755cc37c592828175fc8adef2d15e3e
Instruction Fuzzy Hash: 5E01B166904F888AD711CF69C8802AA3330FF8D798F488322EF8C27724DF28C184C300

Function 00007FF654CACE1C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

Argument domain error (DOMAIN), xrefs: 00007FF654CACE1C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: 3ea1ec97f37694b9006fc54621547460099b2c1b8ca40b1c9d9b39adf94a092d
Instruction ID: 9a56ce93665c2303d4ab2f912c12740723eec1c522abf357ec411255b23e2c6a
Opcode Fuzzy Hash: 3ea1ec97f37694b9006fc54621547460099b2c1b8ca40b1c9d9b39adf94a092d
Instruction Fuzzy Hash: C501B166904F888AD711CF69C8902AA3330FF8D799F484322EF8C27724DF28C144C300

Function 00007FF654CACE50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4
Total loss of significance (TLOSS), xrefs: 00007FF654CACE50

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: 48690192945bf7f32f1c5466faad3cff15a9c142b134f494af273dc6dbb7eaa3
Instruction ID: 29756801927750c44cda4c2788db84519a6c331a57eeaa591c7bb19d9feb123c
Opcode Fuzzy Hash: 48690192945bf7f32f1c5466faad3cff15a9c142b134f494af273dc6dbb7eaa3
Instruction Fuzzy Hash: 9C01B166904F888AD712CF29C8802AA3334FF8D798F488322EF8C27764DF28C185C300

Function 00007FF654CACE43 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4
Partial loss of significance (PLOSS), xrefs: 00007FF654CACE43

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 671409083fba1ed317bee3cf4e306283cdb16a53cc92c70d1fd336fd5438df01
Instruction ID: 983412851e244faf7d01a7a946043e183935905247246f44830078ee0125b515
Opcode Fuzzy Hash: 671409083fba1ed317bee3cf4e306283cdb16a53cc92c70d1fd336fd5438df01
Instruction Fuzzy Hash: 2901B166904F888AD711CF29C8902AA3330FF8D798F484722EF8C27724DF28C144C300

Function 00007FF654CACE36 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4
Overflow range error (OVERFLOW), xrefs: 00007FF654CACE36

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 74916eb7a76916125411d7b1f6d0d259c89befd042e1e24e2dfbcfe61768ada9
Instruction ID: 60de4da7dd1c44de1050296ae39041b32620e19bdb2a7de74b7412cd955e8f8b
Opcode Fuzzy Hash: 74916eb7a76916125411d7b1f6d0d259c89befd042e1e24e2dfbcfe61768ada9
Instruction Fuzzy Hash: EA01B166904F888AD711CF29C8902AA3330FF8D798F484322EF8C67764DF28C144C300

Function 00007FF654CACE5D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF654CACECE

Strings

The result is too small to be represented (UNDERFLOW), xrefs: 00007FF654CACE5D
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF654CACEC4

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 828440ead5f24b7a3bcef289b9b0c651ba51a82a4e2612c4078c08dbf4f376dd
Instruction ID: fb016fedc043421df838e72b29ba9651d528aa472941d7cb9bfbb3d4e921c6d2
Opcode Fuzzy Hash: 828440ead5f24b7a3bcef289b9b0c651ba51a82a4e2612c4078c08dbf4f376dd
Instruction Fuzzy Hash: FB019E66904F888AD7128F29C8802AA3330FF8D798F484322EF8C27724DF28C185C300

Function 66F9D070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

__iob_func.MSVCRT ref: 66F9D080
abort.MSVCRT(?,?,?,?,?,66F971C2), ref: 66F9D0A1

Strings

LTC_ARGCHK '%s' failure on line %d of file %s, xrefs: 66F9D086

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: __iob_funcabort
String ID: LTC_ARGCHK '%s' failure on line %d of file %s
API String ID: 1307436159-2823265812
Opcode ID: 6c95e00e63d74bb15555f1f84c7ed5e16dc274d1385497de8ee2477182e8e9e6
Instruction ID: 958e54fbe73cadcdac70deab316540e8ce6e1ef0407032b64e17f0651719fcb9
Opcode Fuzzy Hash: 6c95e00e63d74bb15555f1f84c7ed5e16dc274d1385497de8ee2477182e8e9e6
Instruction Fuzzy Hash: CFD02E2022869890FA106B2AA808B595B22BB9DFECF844010CE0C53B10CB24C20AC321

Function 67000380 Relevance: 5.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 670003A7
free.MSVCRT ref: 670003F8
LeaveCriticalSection.KERNEL32 ref: 67000404

Memory Dump Source

Source File: 00000001.00000002.1761571661.0000000066F81000.00000020.00000001.01000000.0000000E.sdmp, Offset: 66F80000, based on PE: true

Associated: 00000001.00000002.1761508584.0000000066F80000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761656941.0000000067002000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761673819.0000000067006000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761688481.0000000067007000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761745018.000000006701F000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761763263.0000000067022000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761818119.0000000067024000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000001.00000002.1761834664.0000000067028000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_66f80000_DeltaX.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: 1b0edbb1c638297d1ebdf7b36e5fa0a372ee698b30de6fd8522890611b2a7f38
Instruction ID: 9cb60b5e56f25beca080cb13ee2fb0d33e2793e5fee911337a3605564f1e0887
Opcode Fuzzy Hash: 1b0edbb1c638297d1ebdf7b36e5fa0a372ee698b30de6fd8522890611b2a7f38
Instruction Fuzzy Hash: 0501527273D701C7FA09CF65E99431A23A6F78CB58F909525C92D87311EB79C5A5C320

Function 00007FF654CA61B0 Relevance: 5.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00007FF654CA61CD
free.MSVCRT ref: 00007FF654CA61DE
free.MSVCRT ref: 00007FF654CA61EF
free.MSVCRT ref: 00007FF654CA61F7

Memory Dump Source

Source File: 00000001.00000002.1767028691.00007FF654CA1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF654CA0000, based on PE: true

Associated: 00000001.00000002.1767010599.00007FF654CA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767050608.00007FF654CB9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767067166.00007FF654CBA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767087698.00007FF654CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CC6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CCC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767104819.00007FF654CD5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767159321.00007FF654CD6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1767176235.00007FF654CD9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff654ca0000_DeltaX.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: af07cd424250413d133a4ab32c21d85a647da0b60d227f0190338946df3b41f5
Instruction ID: 0698d354b4b25a07765c8f99eb973767fad330d26104eb627c8afaab40cd2894
Opcode Fuzzy Hash: af07cd424250413d133a4ab32c21d85a647da0b60d227f0190338946df3b41f5
Instruction Fuzzy Hash: 7FF08295F1A51240FD19E662E8B07BC2A345FC1B40F8C85B2CF4EB7682CE2CE4424310

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DeltaX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI73442\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI73442\VCRUNTIME140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI73442\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\_ctypes.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\_elementtree.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\_queue.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\_ssl.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\_win32sysloader.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\base_library.zip

C:\Users\user\AppData\Local\Temp\_MEI73442\certifi\cacert.pem

C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md.cp38-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\charset_normalizer\md__mypyc.cp38-win_amd64.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\libcrypto-1_1.dll

C:\Users\user\AppData\Local\Temp\_MEI73442\libffi-7.dll

C:\Users\user\AppData\Local\Temp\_MEI73442\libssl-1_1.dll

C:\Users\user\AppData\Local\Temp\_MEI73442\mfc140u.dll

C:\Users\user\AppData\Local\Temp\_MEI73442\psutil\_psutil_windows.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\pyarmor_runtime_000000\pyarmor_runtime.pyd

C:\Users\user\AppData\Local\Temp\_MEI73442\pyexpat.pyd

Windows Analysis Report
DeltaX.exe

C:\Users\user\AppData\Local\Temp\tmp4i57dvwl\gen_py\init.py

Function 00007FF654CA1154 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 123
COMMON

Function 00007FF654CA1C80 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 123
COMMON

Function 00007FF654CA7270 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 118
COMMON

Function 00007FF654CA1710 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 198
fileCOMMON

Function 00007FF654CA8440 Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 96
COMMON

Function 00007FF654CAE5E0 Relevance: 25.9, APIs: 17, Instructions: 353
COMMON

Function 00007FF654CA1E80 Relevance: 24.6, APIs: 5, Strings: 9, Instructions: 144
COMMON

Function 00007FF654CA79C0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 89
processsynchronizationCOMMON

Function 00007FF654CA16D0 Relevance: 17.8, APIs: 5, Strings: 5, Instructions: 285
stringCOMMON

Function 00007FF654CA7490 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86
COMMON

Function 00007FF654CA76B0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 102
stringCOMMON