Edit tour

Windows Analysis Report
PDF_Resave.exe

Overview

General Information

Sample name:	PDF_Resave.exe
Analysis ID:	1579929
MD5:	27cc92c02c64ebc1ffc0b19f361bd5a7
SHA1:	a715498ca0fd960b7b71bb6cfa0344569e59ee58
SHA256:	9a69ccfd07ee7573b8a7b5ccfa4c58c2f331c854fe3f97e08ed5d29e55824650
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found pyInstaller with non standard icon

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Opens network shares

Potentially malicious time measurement code found

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

PDF_Resave.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\PDF_Resave.exe" MD5: 27CC92C02C64EBC1FFC0B19F361BD5A7)

conhost.exe (PID: 7312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PDF_Resave.exe (PID: 7364 cmdline: "C:\Users\user\Desktop\PDF_Resave.exe" MD5: 27CC92C02C64EBC1FFC0B19F361BD5A7)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: PDF_Resave.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE133018A0 _Py_NoneStruct,_PyArg_UnpackKeywords,PyObject_GetBuffer,PyBuffer_IsContiguous,PyObject_GetBuffer,PyBuffer_IsContiguous,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,PyLong_AsUnsignedLong,EVP_PBE_scrypt,PyBytes_FromStringAndSize,PyEval_SaveThread,EVP_PBE_scrypt,PyEval_RestoreThread,PyExc_ValueError,PyErr_SetString,PyBuffer_Release,PyBuffer_Release,PyLong_AsLong,PyErr_Occurred,PyLong_AsLong,PyErr_Occurred,PyExc_ValueError,PyExc_ValueError,PyErr_Format,_PyArg_BadArgument,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,PyErr_Occurred,PyExc_TypeError,_PyArg_BadArgument,_PyArg_BadArgument,PyExc_OverflowError,PyExc_OverflowError,_Py_Dealloc,PyExc_ValueError,		2_2_00007FFE133018A0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE13306124 CRYPTO_memcmp,		2_2_00007FFE13306124

Source: PDF_Resave.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: PDF_Resave.exe, 00000002.00000002.1740368131.00007FFE126E9000.00000002.00000001.01000000.00000008.sdmp, _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: PDF_Resave.exe, 00000002.00000002.1740368131.00007FFE126E9000.00000002.00000001.01000000.00000008.sdmp, _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1740718938.00007FFE148E2000.00000002.00000001.01000000.00000009.sdmp, _uuid.pyd.0.dr
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: libssl-1_1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: PDF_Resave.exe, 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmp, pyexpat.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: PDF_Resave.exe, 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1u 30 May 2023built on: Wed May 31 23:27:41 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: PDF_Resave.exe, 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: PDF_Resave.exe, 00000000.00000003.1664218485.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: PDF_Resave.exe, 00000000.00000003.1664218485.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
Source:	Binary string: D:\a\1\b\libcrypto-1_1.pdb source: PDF_Resave.exe, 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: PDF_Resave.exe, 00000002.00000002.1738096620.00007FFDFB87B000.00000002.00000001.01000000.00000004.sdmp, python311.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: _ssl.pyd.0.dr
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr

Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C6888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3D0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7BD3D0A44
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3B69F0 FindFirstFileExW,FindClose,	0_2_00007FF7BD3B69F0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C6888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C6888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	2_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3D0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF7BD3D0A44
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3B69F0 FindFirstFileExW,FindClose,	2_2_00007FF7BD3B69F0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C6888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	2_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A322E _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,	2_2_00007FFDFB1A322E

Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEAC7000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEAC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEAC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEAC7000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEAC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.cov
Source: PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.v
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEAC7000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEAC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEAC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _lzma.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEAC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEAC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEAC7000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEAC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEAC7000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEAC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: PDF_Resave.exe, 00000002.00000003.1691962181.000002D46C566000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1693113629.000002D46E004000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1691907930.000002D46E004000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1735349659.000002D46E430000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1666313943.00000206EEAC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1668195575.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _uuid.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _hashlib.pyd.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: PDF_Resave.exe, 00000002.00000003.1693113629.000002D46E004000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1691907930.000002D46E004000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: PDF_Resave.exe, 00000002.00000002.1735349659.000002D46E4EC000.00000004.00001000.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1734614811.000002D46C590000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.java2s.com/Open-Source/Java-Document/PDF/PDF-Renderer/com/sun/pdfview/decode/LZWDecode.ja
Source: PDF_Resave.exe, 00000002.00000003.1691962181.000002D46C566000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1693113629.000002D46E004000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1691907930.000002D46E004000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1735530935.000002D46E53C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: PDF_Resave.exe, 00000002.00000003.1691986331.000002D46C548000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731895122.000002D46BCC0000.00000004.00001000.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1691756192.000002D46C548000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1693243429.000002D46C548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rasip.fer.hr/research/compress/algorithms/fund/lz/lzw.html
Source: base_library.zip.0.dr	String found in binary or memory: http://www.robotstxt.org/norobots-rfc.txt
Source: PDF_Resave.exe, 00000002.00000003.1693929478.000002D46C267000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1732931173.000002D46C276000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1691411109.000002D46C267000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1677357460.000002D46C4E8000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1680277323.000002D46C286000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1729744351.000002D46C275000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1677537529.000002D46C4E8000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1726292405.000002D46C271000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1719025275.000002D46C267000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue42195.
Source: PDF_Resave.exe, 00000002.00000003.1725857960.000002D46BBC2000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1724142196.000002D46BBBF000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1728051374.000002D46BB82000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1727241486.000002D46BBC3000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731540792.000002D46BBC8000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1729399098.000002D46BBC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731240658.000002D46BB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: PDF_Resave.exe, 00000002.00000002.1735530935.000002D46E550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/py-pdf/PyPDF2/blob/main/LICENSE
Source: PDF_Resave.exe, 00000002.00000002.1731895122.000002D46BD48000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: PDF_Resave.exe, 00000002.00000002.1731240658.000002D46BB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: PDF_Resave.exe, 00000002.00000003.1725857960.000002D46BBC2000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1724142196.000002D46BBBF000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1728051374.000002D46BB82000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1727241486.000002D46BBC3000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731540792.000002D46BBC8000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1729399098.000002D46BBC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731240658.000002D46BB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: PDF_Resave.exe, 00000002.00000003.1725857960.000002D46BBC2000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1724142196.000002D46BBBF000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1728051374.000002D46BB82000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1727241486.000002D46BBC3000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731540792.000002D46BBC8000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1729399098.000002D46BBC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731240658.000002D46BB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: PDF_Resave.exe, 00000002.00000002.1734718419.000002D46DE30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ia802202.us.archive.org/8/items/pdfy-0vt8s-egqFwDl7L2/PDF%20Reference%201.0.pdf
Source: base_library.zip.0.dr	String found in binary or memory: https://mahler:8092/site-updates.py
Source: PDF_Resave.exe, 00000002.00000002.1734614811.000002D46C590000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://peps.python.org/pep-0205/
Source: PDF_Resave.exe, 00000002.00000002.1738096620.00007FFDFB87B000.00000002.00000001.01000000.00000004.sdmp, python311.dll.0.dr	String found in binary or memory: https://peps.python.org/pep-0263/
Source: PDF_Resave.exe, 00000002.00000002.1732960209.000002D46C290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypdf2.readthedocs.io/.
Source: PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	String found in binary or memory: https://www.openssl.org/H
Source: base_library.zip.0.dr	String found in binary or memory: https://www.python.org/
Source: PDF_Resave.exe, 00000002.00000003.1672897369.000002D46C19E000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731895122.000002D46BCC0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: PDF_Resave.exe, 00000002.00000002.1738486039.00007FFDFB918000.00000004.00000001.01000000.00000004.sdmp, python311.dll.0.dr	String found in binary or memory: https://www.python.org/psf/license/

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PDF_Resave.exe

Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3D4EB0	0_2_00007FF7BD3D4EB0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3D5DFC	0_2_00007FF7BD3D5DFC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C6888	0_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3B58E0	0_2_00007FF7BD3B58E0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3CFA98	0_2_00007FF7BD3CFA98
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C2624	0_2_00007FF7BD3C2624
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C16D4	0_2_00007FF7BD3C16D4
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C66D4	0_2_00007FF7BD3C66D4
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3CCD74	0_2_00007FF7BD3CCD74
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C0570	0_2_00007FF7BD3C0570
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3BFD50	0_2_00007FF7BD3BFD50
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3CFA98	0_2_00007FF7BD3CFA98
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3D2DC0	0_2_00007FF7BD3D2DC0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3CD888	0_2_00007FF7BD3CD888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C710C	0_2_00007FF7BD3C710C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3D58B0	0_2_00007FF7BD3D58B0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C0774	0_2_00007FF7BD3C0774
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3BFF54	0_2_00007FF7BD3BFF54
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C4FD0	0_2_00007FF7BD3C4FD0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3D325C	0_2_00007FF7BD3D325C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C2A28	0_2_00007FF7BD3C2A28
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3D0A44	0_2_00007FF7BD3D0A44
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C0160	0_2_00007FF7BD3C0160
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3D512C	0_2_00007FF7BD3D512C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C21EC	0_2_00007FF7BD3C21EC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3CD208	0_2_00007FF7BD3CD208
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C6888	0_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3B7430	0_2_00007FF7BD3B7430
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C8D10	0_2_00007FF7BD3C8D10
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C0364	0_2_00007FF7BD3C0364
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C133C	0_2_00007FF7BD3C133C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3D8BF8	0_2_00007FF7BD3D8BF8
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3D5DFC	2_2_00007FF7BD3D5DFC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C21EC	2_2_00007FF7BD3C21EC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C133C	2_2_00007FF7BD3C133C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C2624	2_2_00007FF7BD3C2624
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3D4EB0	2_2_00007FF7BD3D4EB0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C16D4	2_2_00007FF7BD3C16D4
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C66D4	2_2_00007FF7BD3C66D4
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3CCD74	2_2_00007FF7BD3CCD74
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C0570	2_2_00007FF7BD3C0570
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3BFD50	2_2_00007FF7BD3BFD50
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3CFA98	2_2_00007FF7BD3CFA98
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3D2DC0	2_2_00007FF7BD3D2DC0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C6888	2_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3CD888	2_2_00007FF7BD3CD888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3B58E0	2_2_00007FF7BD3B58E0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C710C	2_2_00007FF7BD3C710C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3D58B0	2_2_00007FF7BD3D58B0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C0774	2_2_00007FF7BD3C0774
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3BFF54	2_2_00007FF7BD3BFF54
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C4FD0	2_2_00007FF7BD3C4FD0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3D325C	2_2_00007FF7BD3D325C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C2A28	2_2_00007FF7BD3C2A28
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3D0A44	2_2_00007FF7BD3D0A44
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3CFA98	2_2_00007FF7BD3CFA98
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C0160	2_2_00007FF7BD3C0160
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3D512C	2_2_00007FF7BD3D512C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3CD208	2_2_00007FF7BD3CD208
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C6888	2_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3B7430	2_2_00007FF7BD3B7430
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C8D10	2_2_00007FF7BD3C8D10
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C0364	2_2_00007FF7BD3C0364
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3D8BF8	2_2_00007FF7BD3D8BF8
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A655F	2_2_00007FFDFB1A655F
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A3FDF	2_2_00007FFDFB1A3FDF
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A6A87	2_2_00007FFDFB1A6A87
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB3DFA70	2_2_00007FFDFB3DFA70
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A6F28	2_2_00007FFDFB1A6F28
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A21B7	2_2_00007FFDFB1A21B7
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A60A0	2_2_00007FFDFB1A60A0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A22E8	2_2_00007FFDFB1A22E8
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A416A	2_2_00007FFDFB1A416A
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A704A	2_2_00007FFDFB1A704A
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A2289	2_2_00007FFDFB1A2289
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1BBF20	2_2_00007FFDFB1BBF20
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1BBD60	2_2_00007FFDFB1BBD60
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A30C6	2_2_00007FFDFB1A30C6
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB343C90	2_2_00007FFDFB343C90
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2D7D10	2_2_00007FFDFB2D7D10
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB357CF0	2_2_00007FFDFB357CF0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A29D2	2_2_00007FFDFB1A29D2
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A6EF1	2_2_00007FFDFB1A6EF1
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A114F	2_2_00007FFDFB1A114F
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1CB1C0	2_2_00007FFDFB1CB1C0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4638	2_2_00007FFDFB1A4638
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1BF200	2_2_00007FFDFB1BF200
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2DB240	2_2_00007FFDFB2DB240
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1BF060	2_2_00007FFDFB1BF060
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A213F	2_2_00007FFDFB1A213F
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1EA1	2_2_00007FFDFB1A1EA1
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB20F700	2_2_00007FFDFB20F700
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A516E	2_2_00007FFDFB1A516E
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A3B98	2_2_00007FFDFB1A3B98
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A6CBC	2_2_00007FFDFB1A6CBC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5D8A	2_2_00007FFDFB1A5D8A
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1CB550	2_2_00007FFDFB1CB550
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2D7540	2_2_00007FFDFB2D7540
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1B22	2_2_00007FFDFB1A1B22
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A60DC	2_2_00007FFDFB1A60DC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4D09	2_2_00007FFDFB1A4D09
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5DA3	2_2_00007FFDFB1A5DA3
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5E25	2_2_00007FFDFB1A5E25
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5A65	2_2_00007FFDFB1A5A65
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4E53	2_2_00007FFDFB1A4E53
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2D28A0	2_2_00007FFDFB2D28A0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB32E920	2_2_00007FFDFB32E920
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A23F1	2_2_00007FFDFB1A23F1
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1CC1	2_2_00007FFDFB1A1CC1
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A72C5	2_2_00007FFDFB1A72C5
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5B14	2_2_00007FFDFB1A5B14
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1BEF00	2_2_00007FFDFB1BEF00
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB282C90	2_2_00007FFDFB282C90
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB342D50	2_2_00007FFDFB342D50
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2D6360	2_2_00007FFDFB2D6360
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A57D6	2_2_00007FFDFB1A57D6
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1A4B	2_2_00007FFDFB1A1A4B
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A435E	2_2_00007FFDFB1A435E
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A3792	2_2_00007FFDFB1A3792
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A474B	2_2_00007FFDFB1A474B
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1B31	2_2_00007FFDFB1A1B31
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2D6060	2_2_00007FFDFB2D6060
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A2D10	2_2_00007FFDFB1A2D10
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A6FFF	2_2_00007FFDFB1A6FFF
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A707C	2_2_00007FFDFB1A707C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A348B	2_2_00007FFDFB1A348B
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A3698	2_2_00007FFDFB1A3698
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1CFD	2_2_00007FFDFB1A1CFD
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB341BF0	2_2_00007FFDFB341BF0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A3602	2_2_00007FFDFB1A3602
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A53C6	2_2_00007FFDFB1A53C6
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A216C	2_2_00007FFDFB1A216C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4F43	2_2_00007FFDFB1A4F43
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A59FC	2_2_00007FFDFB1A59FC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A3A8A	2_2_00007FFDFB1A3A8A
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A2135	2_2_00007FFDFB1A2135
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1299	2_2_00007FFDFB1A1299
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A54CF	2_2_00007FFDFB1A54CF
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A15C8	2_2_00007FFDFB1A15C8
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A6564	2_2_00007FFDFB1A6564
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5434	2_2_00007FFDFB1A5434
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A3BA7	2_2_00007FFDFB1A3BA7
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A2671	2_2_00007FFDFB1A2671
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A7257	2_2_00007FFDFB1A7257
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A2987	2_2_00007FFDFB1A2987
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1D83	2_2_00007FFDFB1A1D83
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A736A	2_2_00007FFDFB1A736A
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A72AC	2_2_00007FFDFB1A72AC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A3837	2_2_00007FFDFB1A3837
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB359CD0	2_2_00007FFDFB359CD0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A638E	2_2_00007FFDFB1A638E
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1622	2_2_00007FFDFB1A1622
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A50B0	2_2_00007FFDFB1A50B0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5515	2_2_00007FFDFB1A5515
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A68CA	2_2_00007FFDFB1A68CA
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1BD260	2_2_00007FFDFB1BD260
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A318E	2_2_00007FFDFB1A318E
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2CD1D0	2_2_00007FFDFB2CD1D0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2E11B0	2_2_00007FFDFB2E11B0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5BF5	2_2_00007FFDFB1A5BF5
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1C5200	2_2_00007FFDFB1C5200
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A144C	2_2_00007FFDFB1A144C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1217	2_2_00007FFDFB1A1217
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A65A0	2_2_00007FFDFB1A65A0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4408	2_2_00007FFDFB1A4408
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A710D	2_2_00007FFDFB1A710D
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A10AA	2_2_00007FFDFB1A10AA
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A3A94	2_2_00007FFDFB1A3A94
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2E17E0	2_2_00007FFDFB2E17E0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A54D4	2_2_00007FFDFB1A54D4
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5F10	2_2_00007FFDFB1A5F10
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A504C	2_2_00007FFDFB1A504C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4ACA	2_2_00007FFDFB1A4ACA
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A44CB	2_2_00007FFDFB1A44CB
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5614	2_2_00007FFDFB1A5614
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A428C	2_2_00007FFDFB1A428C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A53AD	2_2_00007FFDFB1A53AD
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB3594F0	2_2_00007FFDFB3594F0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A2761	2_2_00007FFDFB1A2761
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5934	2_2_00007FFDFB1A5934
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A11CC	2_2_00007FFDFB1A11CC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A2FD1	2_2_00007FFDFB1A2FD1
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4C19	2_2_00007FFDFB1A4C19
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A22AC	2_2_00007FFDFB1A22AC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4A59	2_2_00007FFDFB1A4A59
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A2D79	2_2_00007FFDFB1A2D79
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A6EBF	2_2_00007FFDFB1A6EBF
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A3634	2_2_00007FFDFB1A3634
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A22FC	2_2_00007FFDFB1A22FC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1F96	2_2_00007FFDFB1A1F96
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A26EE	2_2_00007FFDFB1A26EE
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A6D5C	2_2_00007FFDFB1A6D5C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1140	2_2_00007FFDFB1A1140
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB354CF0	2_2_00007FFDFB354CF0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A1424	2_2_00007FFDFB1A1424
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB250440	2_2_00007FFDFB250440
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4C3C	2_2_00007FFDFB1A4C3C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A2C7A	2_2_00007FFDFB1A2C7A
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A2E91	2_2_00007FFDFB1A2E91
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2E0340	2_2_00007FFDFB2E0340
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A276B	2_2_00007FFDFB1A276B
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2D0070	2_2_00007FFDFB2D0070
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4106	2_2_00007FFDFB1A4106
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A32EC	2_2_00007FFDFB1A32EC
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5B78	2_2_00007FFDFB1A5B78
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A6C21	2_2_00007FFDFB1A6C21
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4B5B	2_2_00007FFDFB1A4B5B
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB2CC830	2_2_00007FFDFB2CC830
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A25F4	2_2_00007FFDFB1A25F4
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB3585C0	2_2_00007FFDFB3585C0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A177B	2_2_00007FFDFB1A177B
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1BC620	2_2_00007FFDFB1BC620
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1BC480	2_2_00007FFDFB1BC480
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A69E7	2_2_00007FFDFB1A69E7
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE11EB7BD0	2_2_00007FFE11EB7BD0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE11EB7F7A	2_2_00007FFE11EB7F7A
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126C9690	2_2_00007FFE126C9690
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126D3270	2_2_00007FFE126D3270
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126C32D0	2_2_00007FFE126C32D0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126D40B4	2_2_00007FFE126D40B4
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126CD8B0	2_2_00007FFE126CD8B0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126CFC94	2_2_00007FFE126CFC94
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126C8C70	2_2_00007FFE126C8C70
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126CA8C0	2_2_00007FFE126CA8C0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126C71E9	2_2_00007FFE126C71E9
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126CA5E0	2_2_00007FFE126CA5E0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126CC5D0	2_2_00007FFE126CC5D0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE133018A0	2_2_00007FFE133018A0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE1A457778	2_2_00007FFE1A457778
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE1A459620	2_2_00007FFE1A459620

Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FFDFB1A24B9 appears 83 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FFDFB1A4840 appears 130 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FF7BD3B1CB0 appears 38 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FFDFB1A1EF1 appears 1585 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FFDFB1A2739 appears 512 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FFDFB1A3012 appears 55 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FF7BD3B1C50 appears 90 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FFDFB1A4D6D appears 35 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FFDFB1A688E appears 31 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FFDFB1A698D appears 51 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FFDFB1A2A09 appears 172 times
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: String function: 00007FFDFB1A405C appears 783 times

Source: unicodedata.pyd.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1664218485.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1667462301.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe	Binary or memory string: OriginalFilename vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000002.00000002.1740469746.00007FFE126FA000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000002.00000002.1740797470.00007FFE148E4000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs PDF_Resave.exe
Source: PDF_Resave.exe, 00000002.00000002.1740058870.00007FFDFBAB7000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython311.dll. vs PDF_Resave.exe

Source: classification engine

Classification label: mal60.spyw.evad.winEXE@4/16@0/0

Source: C:\Users\user\Desktop\PDF_Resave.exe

Code function: 0_2_00007FF7BD3B6680 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF7BD3B6680

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7312:120:WilError_03

Source: C:\Users\user\Desktop\PDF_Resave.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI73042

Jump to behavior

Source: PDF_Resave.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PDF_Resave.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\PDF_Resave.exe

File read: C:\Users\user\Desktop\PDF_Resave.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PDF_Resave.exe "C:\Users\user\Desktop\PDF_Resave.exe"
Source: C:\Users\user\Desktop\PDF_Resave.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PDF_Resave.exe	Process created: C:\Users\user\Desktop\PDF_Resave.exe "C:\Users\user\Desktop\PDF_Resave.exe"
Source: C:\Users\user\Desktop\PDF_Resave.exe	Process created: C:\Users\user\Desktop\PDF_Resave.exe "C:\Users\user\Desktop\PDF_Resave.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PDF_Resave.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: PDF_Resave.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: PDF_Resave.exe

Static file information: File size 7729425 > 1048576

Source: PDF_Resave.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PDF_Resave.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PDF_Resave.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PDF_Resave.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PDF_Resave.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PDF_Resave.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PDF_Resave.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: PDF_Resave.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: PDF_Resave.exe, 00000000.00000003.1670037811.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: PDF_Resave.exe, 00000000.00000003.1670226310.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: PDF_Resave.exe, 00000000.00000003.1664811591.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmp, _hashlib.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb$$ source: PDF_Resave.exe, 00000002.00000002.1740368131.00007FFE126E9000.00000002.00000001.01000000.00000008.sdmp, _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_decimal.pdb source: PDF_Resave.exe, 00000002.00000002.1740368131.00007FFE126E9000.00000002.00000001.01000000.00000008.sdmp, _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: PDF_Resave.exe, 00000000.00000003.1665818401.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1740718938.00007FFE148E2000.00000002.00000001.01000000.00000009.sdmp, _uuid.pyd.0.dr
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: libssl-1_1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\pyexpat.pdb source: PDF_Resave.exe, 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmp, pyexpat.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: PDF_Resave.exe, 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1u 30 May 2023built on: Wed May 31 23:27:41 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: PDF_Resave.exe, 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: PDF_Resave.exe, 00000000.00000003.1664406065.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: PDF_Resave.exe, 00000000.00000003.1664218485.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: PDF_Resave.exe, 00000000.00000003.1664218485.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: PDF_Resave.exe, 00000000.00000003.1665110877.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.0.dr
Source:	Binary string: D:\a\1\b\libcrypto-1_1.pdb source: PDF_Resave.exe, 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmp, libcrypto-1_1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\python311.pdb source: PDF_Resave.exe, 00000002.00000002.1738096620.00007FFDFB87B000.00000002.00000001.01000000.00000004.sdmp, python311.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: _ssl.pyd.0.dr
Source:	Binary string: D:\a\1\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr

Source: PDF_Resave.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PDF_Resave.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PDF_Resave.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PDF_Resave.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PDF_Resave.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: PDF_Resave.exe	Static PE information: section name: _RDATA
Source: python311.dll.0.dr	Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\PDF_Resave.exe

Process created: "C:\Users\user\Desktop\PDF_Resave.exe"

Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI73042\_ssl.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\PDF_Resave.exe

Code function: 0_2_00007FF7BD3B50B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF7BD3B50B0

Source: C:\Users\user\Desktop\PDF_Resave.exe

Code function: 2_2_00007FFDFB1A5731 rdtsc

2_2_00007FFDFB1A5731

Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\PDF_Resave.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI73042\python311.dll	Jump to dropped file

Source: C:\Users\user\Desktop\PDF_Resave.exe

API coverage: 1.6 %

Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C6888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3D0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF7BD3D0A44
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3B69F0 FindFirstFileExW,FindClose,	0_2_00007FF7BD3B69F0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C6888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C6888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	2_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3D0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF7BD3D0A44
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3B69F0 FindFirstFileExW,FindClose,	2_2_00007FF7BD3B69F0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C6888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	2_2_00007FF7BD3C6888
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A322E _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,	2_2_00007FFDFB1A322E

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5731		2_2_00007FFDFB1A5731
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A4246		2_2_00007FFDFB1A4246

Source: C:\Users\user\Desktop\PDF_Resave.exe

Code function: 2_2_00007FFDFB1A5731 rdtsc

2_2_00007FFDFB1A5731

Source: C:\Users\user\Desktop\PDF_Resave.exe

Code function: 0_2_00007FF7BD3BAA3C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7BD3BAA3C

Source: C:\Users\user\Desktop\PDF_Resave.exe

Code function: 0_2_00007FF7BD3D2630 GetProcessHeap,

0_2_00007FF7BD3D2630

Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3BAA3C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7BD3BAA3C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3BA190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7BD3BA190
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3C9C54 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7BD3C9C54
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 0_2_00007FF7BD3BABE4 SetUnhandledExceptionFilter,	0_2_00007FF7BD3BABE4
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3BAA3C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF7BD3BAA3C
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3BA190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF7BD3BA190
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3C9C54 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF7BD3C9C54
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FF7BD3BABE4 SetUnhandledExceptionFilter,	2_2_00007FF7BD3BABE4
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFDFB1A5A24 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFDFB1A5A24
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE11EC0238 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE11EC0238
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE11EBFC70 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFE11EBFC70
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126E00B0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFE126E00B0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE126E09D8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE126E09D8
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE13304570 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE13304570
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE13303FA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFE13303FA0
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE148E1460 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFE148E1460
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE148E1A30 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE148E1A30
Source: C:\Users\user\Desktop\PDF_Resave.exe	Code function: 2_2_00007FFE1A460468 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFE1A460468

Source: C:\Users\user\Desktop\PDF_Resave.exe

Process created: C:\Users\user\Desktop\PDF_Resave.exe "C:\Users\user\Desktop\PDF_Resave.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PDF_Resave.exe

Code function: 0_2_00007FF7BD3D8A40 cpuid

0_2_00007FF7BD3D8A40

Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\_decimal.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\_uuid.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI73042\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PDF_Resave.exe	Queries volume information: C:\Users\user\Desktop\PDF_Resave.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PDF_Resave.exe

Code function: 0_2_00007FF7BD3BA920 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7BD3BA920

Source: C:\Users\user\Desktop\PDF_Resave.exe

Code function: 0_2_00007FF7BD3D4EB0 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7BD3D4EB0

Stealing of Sensitive Information

Opens network shares

Source: C:\Users\user\Desktop\PDF_Resave.exe

File opened: \\kmcluster\UNIDATA\PDF_PROCESS\PDF\

Jump to behavior

Source: C:\Users\user\Desktop\PDF_Resave.exe

Code function: 2_2_00007FFDFB1A2B62 bind,WSAGetLastError,

2_2_00007FFDFB1A2B62

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 System Time Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	3 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PDF_Resave.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI73042\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\python311.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI73042\unicodedata.pyd	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://bugs.python.org/issue42195.	0%	Avira URL Cloud	safe
https://ia802202.us.archive.org/8/items/pdfy-0vt8s-egqFwDl7L2/PDF%20Reference%201.0.pdf	0%	Avira URL Cloud	safe
http://www.rasip.fer.hr/research/compress/algorithms/fund/lz/lzw.html	0%	Avira URL Cloud	safe
https://pypdf2.readthedocs.io/.	0%	Avira URL Cloud	safe
http://cacerts.v	0%	Avira URL Cloud	safe
http://www.robotstxt.org/norobots-rfc.txt	0%	Avira URL Cloud	safe
http://cacerts.digicert.cov	0%	Avira URL Cloud	safe
http://www.java2s.com/Open-Source/Java-Document/PDF/PDF-Renderer/com/sun/pdfview/decode/LZWDecode.ja	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.rasip.fer.hr/research/compress/algorithms/fund/lz/lzw.html	PDF_Resave.exe, 00000002.00000003.1691986331.000002D46C548000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731895122.000002D46BCC0000.00000004.00001000.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1691756192.000002D46C548000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1693243429.000002D46C548000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	PDF_Resave.exe, 00000002.00000002.1731895122.000002D46BD48000.00000004.00001000.00020000.00000000.sdmp	false		high
https://pypdf2.readthedocs.io/.	PDF_Resave.exe, 00000002.00000002.1732960209.000002D46C290000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mahler:8092/site-updates.py	base_library.zip.0.dr	false		high
http://www.robotstxt.org/norobots-rfc.txt	base_library.zip.0.dr	false	Avira URL Cloud: safe	unknown
http://cacerts.v	PDF_Resave.exe, 00000000.00000003.1665273791.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/py-pdf/PyPDF2/blob/main/LICENSE	PDF_Resave.exe, 00000002.00000002.1735530935.000002D46E550000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.python.org/download/releases/2.3/mro/.	PDF_Resave.exe, 00000002.00000003.1672897369.000002D46C19E000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731895122.000002D46BCC0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	false		high
https://www.python.org/	base_library.zip.0.dr	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	PDF_Resave.exe, 00000002.00000003.1725857960.000002D46BBC2000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1724142196.000002D46BBBF000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1728051374.000002D46BB82000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1727241486.000002D46BBC3000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731540792.000002D46BBC8000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1729399098.000002D46BBC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731240658.000002D46BB83000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ia802202.us.archive.org/8/items/pdfy-0vt8s-egqFwDl7L2/PDF%20Reference%201.0.pdf	PDF_Resave.exe, 00000002.00000002.1734718419.000002D46DE30000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	PDF_Resave.exe, 00000002.00000003.1691962181.000002D46C566000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1693113629.000002D46E004000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1691907930.000002D46E004000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1735349659.000002D46E430000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	PDF_Resave.exe, 00000002.00000003.1725857960.000002D46BBC2000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1724142196.000002D46BBBF000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1728051374.000002D46BB82000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1727241486.000002D46BBC3000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731540792.000002D46BBC8000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1729399098.000002D46BBC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731240658.000002D46BB83000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	PDF_Resave.exe, 00000002.00000003.1725857960.000002D46BBC2000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1724142196.000002D46BBBF000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1728051374.000002D46BB82000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1727241486.000002D46BBC3000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731540792.000002D46BBC8000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1729399098.000002D46BBC5000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1731240658.000002D46BB83000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/	PDF_Resave.exe, 00000002.00000002.1738486039.00007FFDFB918000.00000004.00000001.01000000.00000004.sdmp, python311.dll.0.dr	false		high
https://bugs.python.org/issue42195.	PDF_Resave.exe, 00000002.00000003.1693929478.000002D46C267000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1732931173.000002D46C276000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1691411109.000002D46C267000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1677357460.000002D46C4E8000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1680277323.000002D46C286000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1729744351.000002D46C275000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1677537529.000002D46C4E8000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1726292405.000002D46C271000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1719025275.000002D46C267000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert.cov	PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.digicert.co	PDF_Resave.exe, 00000000.00000003.1664606579.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000000.00000003.1664962259.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.java2s.com/Open-Source/Java-Document/PDF/PDF-Renderer/com/sun/pdfview/decode/LZWDecode.ja	PDF_Resave.exe, 00000002.00000002.1735349659.000002D46E4EC000.00000004.00001000.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1734614811.000002D46C590000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.openssl.org/H	PDF_Resave.exe, 00000000.00000003.1667162210.00000206EEABA000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	false		high
http://www.iana.org/time-zones/repository/tz-link.html	PDF_Resave.exe, 00000002.00000003.1693113629.000002D46E004000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1691907930.000002D46E004000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	PDF_Resave.exe, 00000002.00000002.1734614811.000002D46C590000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	PDF_Resave.exe, 00000002.00000002.1731240658.000002D46BB83000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	PDF_Resave.exe, 00000002.00000003.1691962181.000002D46C566000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1693113629.000002D46E004000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000003.1691907930.000002D46E004000.00000004.00000020.00020000.00000000.sdmp, PDF_Resave.exe, 00000002.00000002.1735530935.000002D46E53C000.00000004.00001000.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0263/	PDF_Resave.exe, 00000002.00000002.1738096620.00007FFDFB87B000.00000002.00000001.01000000.00000004.sdmp, python311.dll.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579929
Start date and time:	2024-12-23 15:43:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PDF_Resave.exe
Detection:	MAL
Classification:	mal60.spyw.evad.winEXE@4/16@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: PDF_Resave.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI73042\VCRUNTIME140.dll	phost.exe	Get hash	malicious	Blank Grabber	Browse
	shost.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse
	sppawx.exe	Get hash	malicious	Blank Grabber	Browse
	qhos.exe	Get hash	malicious	Python Stealer, Muck Stealer	Browse
	wsapx.exe	Get hash	malicious	Blank Grabber	Browse
	lz4wnSavmK.exe	Get hash	malicious	Python Stealer	Browse
	WVuXCNNYG0.exe	Get hash	malicious	Python Stealer	Browse
	dipwo1iToJ.exe	Get hash	malicious	Python Stealer	Browse
	Counseling_Services_Overview.docm	Get hash	malicious	Unknown	Browse
	uOsIQqfgiT.exe	Get hash	malicious	Charity, TrojanRansom	Browse
C:\Users\user\AppData\Local\Temp\_MEI73042\_bz2.pyd	Counseling_Services_Overview.docm	Get hash	malicious	Unknown	Browse
	uOsIQqfgiT.exe	Get hash	malicious	Charity, TrojanRansom	Browse
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	CStealer	Browse
	SecuriteInfo.com.W32.Agent.NS.tr.pws.15623.10495.exe	Get hash	malicious	Unknown	Browse
	4.7.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002A_441.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.23205.20359.exe	Get hash	malicious	Unknown	Browse
	mav17final.exe	Get hash	malicious	Xmrig	Browse
	file.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI73042\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	109392
Entropy (8bit):	6.641929675972235
Encrypted:	false
SSDEEP:	1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
MD5:	4585A96CC4EEF6AAFD5E27EA09147DC6
SHA1:	489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
SHA-256:	A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
SHA-512:	D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: phost.exe, Detection: malicious, Browse Filename: shost.exe, Detection: malicious, Browse Filename: sppawx.exe, Detection: malicious, Browse Filename: qhos.exe, Detection: malicious, Browse Filename: wsapx.exe, Detection: malicious, Browse Filename: lz4wnSavmK.exe, Detection: malicious, Browse Filename: WVuXCNNYG0.exe, Detection: malicious, Browse Filename: dipwo1iToJ.exe, Detection: malicious, Browse Filename: Counseling_Services_Overview.docm, Detection: malicious, Browse Filename: uOsIQqfgiT.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.570831353064175
Encrypted:	false
SSDEEP:	1536:PdQz7pZ3catNZTRGE51LOBK5bib8tsfYqpIPCV17SyQPx:VQz9Z5VOwiItsAqpIPCV1Gx
MD5:	3859239CED9A45399B967EBCE5A6BA23
SHA1:	6F8FF3DF90AC833C1EB69208DB462CDA8CA3F8D6
SHA-256:	A4DD883257A7ACE84F96BCC6CD59E22D843D0DB080606DEFAE32923FC712C75A
SHA-512:	030E5CE81E36BD55F69D55CBB8385820EB7C1F95342C1A32058F49ABEABB485B1C4A30877C07A56C9D909228E45A4196872E14DED4F87ADAA8B6AD97463E5C69
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Counseling_Services_Overview.docm, Detection: malicious, Browse Filename: uOsIQqfgiT.exe, Detection: malicious, Browse Filename: RuntimeusererVers.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.Agent.NS.tr.pws.15623.10495.exe, Detection: malicious, Browse Filename: 4.7.exe, Detection: malicious, Browse Filename: LisectAVT_2403002A_441.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.23205.20359.exe, Detection: malicious, Browse Filename: mav17final.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A}...............d`.....J`......J`......J`......J`......J`.......`......Nd..........Z....`.......`.......`.......`......Rich............PE..d......d.........." ...".....^......L........................................P.......`....`.........................................p...H............0....... .. ......../...@..........T...........................p...@............................................text............................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253200
Entropy (8bit):	6.559097478184273
Encrypted:	false
SSDEEP:	6144:7t9gXW32tb0yf6CgLp+E4YECs5wxvj9qWM53pLW1Apw9tBg2YAp:7ngXW3wgyCiE4texvGI4Ap
MD5:	65B4AB77D6C6231C145D3E20E7073F51
SHA1:	23D5CE68ED6AA8EAABE3366D2DD04E89D248328E
SHA-256:	93EB9D1859EDCA1C29594491863BF3D72AF70B9A4240E0D9DD171F668F4F8614
SHA-512:	28023446E5AC90E9E618673C879CA46F598A62FBB9E69EF925DB334AD9CB1544916CAF81E2ECDC26B75964DCEDBA4AD4DE1BA2C42FB838D0DF504D963FCF17EE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nyR.............w.......s.......s.......s.......s.......s.......w.........._....s.......s.......s.......s.......s......Rich............PE..d......d.........." ...".v...<......L...............................................Rn....`..........................................T..P...`T...................&......./......P.......T...........................P...@............................................text....u.......v.................. ..`.rdata..<............z..............@..@.data....*...p...$...R..............@....pdata...&.......(...v..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.222786912280051
Encrypted:	false
SSDEEP:	1536:6TO+CPN/pV8ETeERZX/fchw/IpBIPOIVQ7SygPx:mClZZow/IpBIPOIVQyx
MD5:	4255C44DC64F11F32C961BF275AAB3A2
SHA1:	C1631B2821A7E8A1783ECFE9A14DB453BE54C30A
SHA-256:	E557873D5AD59FD6BD29D0F801AD0651DBB8D9AC21545DEFE508089E92A15E29
SHA-512:	7D3A306755A123B246F31994CD812E7922943CDBBC9DB5A6E4D3372EA434A635FFD3945B5D2046DE669E7983EF2845BD007A441D09CFE05CF346523C12BDAD52
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F.u.'.&.'.&.'.&._,&.'.&.[.'.'.&.[.'.'.&.[.'.'.&.[.'.'.&._.'.'.&[.'.'.&.'.&e'.&[.'.'.&[.'.'.&[@&.'.&*[.'.'.&Rich.'.&........PE..d......d.........." ...".T...~......`?...............................................%....`.............................................P.......................,......../......\...0}..T............................{..@............p..(............................text...uR.......T.................. ..`.rdata...N...p...P...X..............@..@.data...8...........................@....pdata..,...........................@..@.rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	158992
Entropy (8bit):	6.8491146526380025
Encrypted:	false
SSDEEP:	3072:A4lirS97HrdVmEkGCm5hAznf49mNo2NOvJ02pIPZ1wBExN:VlirG0EkTVAYO2NQ3w
MD5:	E5ABC3A72996F8FDE0BCF709E6577D9D
SHA1:	15770BDCD06E171F0B868C803B8CF33A8581EDD3
SHA-256:	1796038480754A680F33A4E37C8B5673CC86C49281A287DC0C5CAE984D0CB4BB
SHA-512:	B347474DC071F2857E1E16965B43DB6518E35915B8168BDEFF1EAD4DFF710A1CC9F04CA0CED23A6DE40D717EEA375EEDB0BF3714DAF35DE6A77F071DB33DFAE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*...D,..D,..D,...,..D,..E-..D,..A-..D,..@-..D,..G-..D,M.E-..D,..E-..D,..E,.D,M.I-..D,M.D-..D,M.,..D,M.F-..D,Rich..D,........PE..d...$..d.........." ...".b...........5....................................................`..........................................%..L...\%..x....p.......P.......>.../......8.......T...........................p...@............................................text....a.......b.................. ..`.rdata..............f..............@..@.data........@......................@....pdata.......P......................@..@.rsrc........p.......2..............@..@.reloc..8............<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79640
Entropy (8bit):	6.290841920161528
Encrypted:	false
SSDEEP:	1536:0JltpedXL+3ujz9/s+S+pzpMoiyivViaE9IPLwj7SyZPx:07tp4i3ujz9/sT+pzqoavVpE9IPLwjHx
MD5:	1EEA9568D6FDEF29B9963783827F5867
SHA1:	A17760365094966220661AD87E57EFE09CD85B84
SHA-256:	74181072392A3727049EA3681FE9E59516373809CED53E08F6DA7C496B76E117
SHA-512:	D9443B70FCDC4D0EA1CB93A88325012D3F99DB88C36393A7DED6D04F590E582F7F1640D8B153FE3C5342FA93802A8374F03F6CD37DD40CDBB5ADE2E07FAD1E09
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RXY..97..97..97..A...97.YE6..97.YE2..97.YE3..97.YE4..97..E6..97..96..97.]A6..97..E:..97..E7..97..E...97..E5..97.Rich.97.................PE..d... ..d.........." ...".l...........%.......................................P......V.....`.............................................P............0....... ..x......../...@..........T...............................@............................................text...:k.......l.................. ..`.rdata...t.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	161040
Entropy (8bit):	6.029728458381984
Encrypted:	false
SSDEEP:	3072:LMaGbIQQbN9W3PiNGeA66l8rBk3xA87xfCA+nbUtFMsVjTNbEzc+pIPC7ODxd:LMaG0bN96oG1l8YA8ZMSR+E
MD5:	208B0108172E59542260934A2E7CFA85
SHA1:	1D7FFB1B1754B97448EB41E686C0C79194D2AB3A
SHA-256:	5160500474EC95D4F3AF7E467CC70CB37BEC1D12545F0299AAB6D69CEA106C69
SHA-512:	41ABF6DEAB0F6C048967CA6060C337067F9F8125529925971BE86681EC0D3592C72B9CC85DD8BDEE5DD3E4E69E3BB629710D2D641078D5618B4F55B8A60CC69D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........p...p...p....8..p.......p.......p.......p.......p..N....p...p...q.......p..N....p..N....p..N.T..p..N....p..Rich.p..........................PE..d...'..d.........." ..."............l+..............................................NS....`.............................................d...t........`.......P.......F.../...p..8...0...T...............................@............................................text............................... ..`.rdata..............................@..@.data....j.......f..................@....pdata.......P......."..............@..@.rsrc........`......................@..@.reloc..8....p.......8..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\_uuid.pyd

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25360
Entropy (8bit):	6.6307231018245325
Encrypted:	false
SSDEEP:	384:SR9ZfwFpEWE6ivQpIPZwGjHQIYiSy1pCQKzmPxh8E9VF0NyptVQcM:SRvqpEM4QpIPZw65YiSyvamPxWE3PS
MD5:	46E9D7B5D9668C9DB5CAA48782CA71BA
SHA1:	6BBC83A542053991B57F431DD377940418848131
SHA-256:	F6063622C0A0A34468679413D1B18D1F3BE67E747696AB972361FAED4B8D6735
SHA-512:	C5B171EBDB51B1755281C3180B30E88796DB8AA96073489613DAB96B6959A205846711187266A0BA30782102CE14FBFA4D9F413A2C018494597600482329EBF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h%p..K#..K#..K#.q.#..K#.uJ"..K#.uN"..K#.uO"..K#.uH"..K#.uJ"..K#.qJ"..K#..J#..K#.uC"..K#.uK"..K#.u.#..K#.uI"..K#Rich..K#................PE..d......d.........." ...".....&...... ........................................p.......p....`.........................................`)..L....)..x....P.......@.......4.../...`..@...`#..T........................... "..@............ ..8............................text...h........................... ..`.rdata....... ......................@..@.data........0.......$..............@....pdata.......@.......&..............@..@.rsrc........P.......(..............@..@.reloc..@....`.......2..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1847603
Entropy (8bit):	5.576587358103163
Encrypted:	false
SSDEEP:	24576:mQR5pATu7xm4lUKdcubgAnyfbazZ0iwh9EpdYf9P3sLoThUdWQhuHHa:mQR5plxm+zJ5uUwQ5
MD5:	E17CE7183E682DE459EEC1A5AC9CBBFF
SHA1:	722968CA6EB123730EBC30FF2D498F9A5DAD4CC1
SHA-256:	FF6A37C49EE4BB07A763866D4163126165038296C1FB7B730928297C25CFBE6D
SHA-512:	FAB76B59DCD3570695FA260F56E277F8D714048F3D89F6E9F69EA700FCA7C097D0DB5F5294BEAB4E6409570408F1D680E8220851FEDEDB981ACB129A415358D1
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI73042\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3445016
Entropy (8bit):	6.099467326309974
Encrypted:	false
SSDEEP:	98304:+/+YgEQaGDoWS04ki7x+QRsZ51CPwDv3uFfJx:MLgEXGUZ37x+VZ51CPwDv3uFfJx
MD5:	E94733523BCD9A1FB6AC47E10A267287
SHA1:	94033B405386D04C75FFE6A424B9814B75C608AC
SHA-256:	F20EB4EFD8647B5273FDAAFCEB8CCB2B8BA5329665878E01986CBFC1E6832C44
SHA-512:	07DD0EB86498497E693DA0F9DD08DE5B7B09052A2D6754CFBC2AA260E7F56790E6C0A968875F7803CB735609B1E9B9C91A91B84913059C561BFFED5AB2CBB29F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........).h.z.h.z.h.z..Oz.h.z...{.h.z...{.h.z...{.h.z...{.h.z.h.zjh.z...{.h.z=..{.h.z=..{.j.z=..{.h.z=.#z.h.z=..{.h.zRich.h.z........................PE..d.....wd.........." ..."..$...................................................5......o5...`..........................................y/..h...J4.@.....4.\|....p2......b4../....4..O..P.,.8.............................,.@............@4..............................text...$.$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata..h....p2.......1.............@..@.idata..^#...@4..$....3.............@..@.00cfg..u....p4.......3.............@..@.rsrc...\|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	704792
Entropy (8bit):	5.55753143710539
Encrypted:	false
SSDEEP:	12288:ihO7/rNKmrouK/POt6h+7ToRLgo479dQwwLOpWW/dQ0T9qwfU2lvzA:iis/POtrzbLp5dQ0T9qcU2lvzA
MD5:	25BDE25D332383D1228B2E66A4CB9F3E
SHA1:	CD5B9C3DD6AAB470D445E3956708A324E93A9160
SHA-256:	C8F7237E7040A73C2BEA567ACC9CEC373AADD48654AAAC6122416E160F08CA13
SHA-512:	CA2F2139BB456799C9F98EF8D89FD7C09D1972FA5DD8FC01B14B7AF00BF8D2C2175FB2C0C41E49A6DAF540E67943AAD338E33C1556FD6040EF06E0F25BFA88FA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........q...q...q.....q..p...q..p...q..t...q..u...q..r...q.[.p...q...p.u.q.[.u...q.[.q...q.[.....q.[.s...q.Rich..q.........................PE..d.....wd.........." ...".D...T......<.....................................................`..........................................A...N..@U..........s........N......./......h.......8...............................@............@..@............................text....B.......D.................. ..`.rdata.../...`...0...H..............@..@.data...AM.......D...x..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............l..............@..@.rsrc...s............n..............@..@.reloc..q............v..............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	199448
Entropy (8bit):	6.377510350928234
Encrypted:	false
SSDEEP:	3072:OA1YT2Ga6xWK+RohrRoi9+IC08K9YSMJiCNi+GVwlijAOBgC4i9IPLhhHx:v1YOyGohNoEC08K9oJ5GWl7Fi
MD5:	9C21A5540FC572F75901820CF97245EC
SHA1:	09296F032A50DE7B398018F28EE8086DA915AEBD
SHA-256:	2FF8CD82E7CC255E219E7734498D2DEA0C65A5AB29DC8581240D40EB81246045
SHA-512:	4217268DB87EEC2F0A14B5881EDB3FDB8EFE7EA27D6DCBEE7602CA4997416C1130420F11167DAC7E781553F3611409FA37650B7C2B2D09F19DC190B17B410BA5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T..5.5.5.Mu..5..I.5..I.5..I.5..I.5..I.5..M.5.5..5..I.5..I.5..I...5..I.5.Rich.5.................PE..d......d.........." ..."............0........................................ .......=....`.............................................P................................/..........`3..T........................... 2..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...@!..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\python311.dll

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5762840
Entropy (8bit):	6.089392282930885
Encrypted:	false
SSDEEP:	49152:73djosVvASxQKADxYBVD0NErnKqroleDkcWE/Q3pPITbwVFZL7VgVr42I1vJHH++:73ZOKRtlrJ7wfGrs1BHeM+2PocL2
MD5:	5A5DD7CAD8028097842B0AFEF45BFBCF
SHA1:	E247A2E460687C607253949C52AE2801FF35DC4A
SHA-256:	A811C7516F531F1515D10743AE78004DD627EBA0DC2D3BC0D2E033B2722043CE
SHA-512:	E6268E4FAD2CE3EF16B68298A57498E16F0262BF3531539AD013A66F72DF471569F94C6FCC48154B7C3049A3AD15CBFCBB6345DACB4F4ED7D528C74D589C9858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q.D.5..5..5..z.+.7..z...;..z./.9..z...=..z.).1..<../..~.+.>..5.+.P....'......4......4....(.4..Rich5.*.........................PE..d......d.........." ...".X%..47.....\H........................................\.......X...`...........................................@......WA......p[.......V.d0....W../....[..C....).T.............................).@............p%..............................text...rV%......X%................. ..`.rdata.......p%......\%.............@..@.data.........A..L...hA.............@....pdata..d0....V..2....Q.............@..@PyRuntim......X.......S.............@....rsrc........p[......rV.............@..@.reloc...C....[..D...\|V.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\select.pyd

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30480
Entropy (8bit):	6.578957517354568
Encrypted:	false
SSDEEP:	384:N1ecReJKrHqDUI7A700EZ9IPQGNHQIYiSy1pCQn1tPxh8E9VF0NykfF:3eUeJGHqNbD9IPQGR5YiSyvnnPxWEuN
MD5:	C97A587E19227D03A85E90A04D7937F6
SHA1:	463703CF1CAC4E2297B442654FC6169B70CFB9BF
SHA-256:	C4AA9A106381835CFB5F9BADFB9D77DF74338BC66E69183757A5A3774CCDACCF
SHA-512:	97784363F3B0B794D2F9FD6A2C862D64910C71591006A34EEDFF989ECCA669AC245B3DFE68EAA6DA621209A3AB61D36E9118EBB4BE4C0E72CE80FAB7B43BDE12
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........tB.t'B.t'B.t'K..'@.t'..u&@.t'..q&N.t'..p&J.t'..w&F.t'..u&@.t'B.u'..t'..u&G.t'..y&C.t'..t&C.t'...'C.t'..v&C.t'RichB.t'................PE..d......d.........." ...".....2............................................................`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI73042\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141016
Entropy (8bit):	5.435086202175289
Encrypted:	false
SSDEEP:	12288:83kYbfjwR6nblonRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eD1ol:8UYbMA0IDJcjEwPgPOG6Xyd461ol
MD5:	AA13EE6770452AF73828B55AF5CD1A32
SHA1:	C01ECE61C7623E36A834D8B3C660E7F28C91177E
SHA-256:	8FBED20E9225FF82132E97B4FEFBB5DDBC10C062D9E3F920A6616AB27BB5B0FB
SHA-512:	B2EEB9A7D4A32E91084FDAE302953AAC57388A5390F9404D8DFE5C4A8F66CA2AB73253CF5BA4CC55350D8306230DD1114A61E22C23F42FBCC5C0098046E97E0F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................,...............,.....,.....,.y...,.....Rich..........PE..d......d.........." ...".@..........P*...............................................!....`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\PDF_Resave.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.562324021719868
Encrypted:	false
SSDEEP:	3:t/4IABFReNmI4hWQAuF5QEyn:mMmI4hWb3
MD5:	CD8074B6ED2C364CF10C22A3016376B3
SHA1:	1B8F1F62BD078640061C6B2589F2C91744EEAAD8
SHA-256:	A17A31EF1084B042E3F5E7B12FE536E6691AA30F9646EA36756DCC4814CF6D7A
SHA-512:	E76B110D58E8CC7B5F1EF80DB0B444A126C6A3B1CE601430648F5FD88A927945E0D671001EC0F930228B26968A459567C3E5902C5CF2D069E32B7DED5B6B380F
Malicious:	false
Preview:	[7364] Failed to execute script 'PDF_Resave' due to unhandled exception!..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.9915710983981745
TrID:	Win64 Executable Console (202006/5) 77.37% InstallShield setup (43055/19) 16.49% Win64 Executable (generic) (12005/4) 4.60% Generic Win/DOS Executable (2004/3) 0.77% DOS Executable Generic (2002/1) 0.77%
File name:	PDF_Resave.exe
File size:	7'729'425 bytes
MD5:	27cc92c02c64ebc1ffc0b19f361bd5a7
SHA1:	a715498ca0fd960b7b71bb6cfa0344569e59ee58
SHA256:	9a69ccfd07ee7573b8a7b5ccfa4c58c2f331c854fe3f97e08ed5d29e55824650
SHA512:	ceef40a63447370869e21f71caea774e97ebb18997eb5687f9e5f0903b9208eb7554feb61a062665b9ded691690b92cb0e6fb3e8e09370aaae18813abd8b8216
SSDEEP:	196608:cJDc4FMIZETKRjPePdrQJ/BNOqJVYPLbQ:TQETKRvJHOqjKbQ
TLSH:	20763389B2B109E8D523403CC582D868FA7674771778E28743F999AB2F538C2687FF15
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R........................c...........y.L.....y.......y.......y.......................................Rich...................

File Icon


Icon Hash:	2e1e7c4c4c61e979

Static PE Info

General

Entrypoint:	0x14000a6b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65F81ACE [Mon Mar 18 10:43:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	ba5546933531fafa869b1f86a4e2a959

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F542CB176ECh
dec eax
add esp, 28h
jmp 00007F542CB172EFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F542CB17C34h
test eax, eax
je 00007F542CB174A3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F542CB17487h
dec eax
cmp ecx, eax
je 00007F542CB17496h
xor eax, eax
dec eax
cmpxchg dword ptr [00041E7Ch], ecx
jne 00007F542CB17470h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F542CB17479h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00041E67h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00041E57h], al
call 00007F542CB17A33h
call 00007F542CB18B62h
test al, al
jne 00007F542CB17486h
xor al, al
jmp 00007F542CB17496h
call 00007F542CB25F41h
test al, al
jne 00007F542CB1748Bh
xor ecx, ecx
call 00007F542CB18B72h
jmp 00007F542CB1746Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00041E1Ch], 00000000h
mov ebx, ecx
jne 00007F542CB174E9h
cmp ecx, 01h
jnbe 00007F542CB174ECh
call 00007F542CB17B9Ah
test eax, eax
je 00007F542CB174AAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bb5c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0xf00c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4e000	0x20c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x62000	0x75c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39350	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39210	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x350	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x288a0	0x28a00	cd519058a1cc7a614054b311d84d179b	False	0.5563401442307693	zlib compressed data	6.490694010276288	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x126e2	0x12800	cf5ddfd901c106657758d0f946582b07	False	0.5156381967905406	data	5.846091788420925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x103f8	0xe00	9bd2cebaa3285e8e266c4c373a15119d	False	0.13337053571428573	DOS executable (block device driver \377\3)	1.808915577448681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4e000	0x20c4	0x2200	47e5659f5cd2366c7761336e5e8f1fbd	False	0.4763327205882353	data	5.30946295758841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x51000	0x15c	0x200	739c14bf73dcb926054c7e1038da65e4	False	0.384765625	data	2.7733452366771543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0xf00c	0xf200	b86a71d1708d58ca2afb06ba88c0c945	False	0.7951639979338843	data	7.356266549685757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x62000	0x75c	0x800	b7279c82d58eeae8dc663879402c6f2e	False	0.54296875	data	5.238892234772638	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x52208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.56636460554371
RT_ICON	0x530b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7287906137184116
RT_ICON	0x53958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.7471098265895953
RT_ICON	0x53ec0	0x909b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9971636186822983
RT_ICON	0x5cf5c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.38309128630705397
RT_ICON	0x5f504	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4826454033771107
RT_ICON	0x605ac	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.699468085106383
RT_GROUP_ICON	0x60a14	0x68	data	0.7019230769230769
RT_MANIFEST	0x60a7c	0x58f	XML 1.0 document, ASCII text, with CRLF line terminators	0.4483485593815882

Imports

DLL

Import

KERNEL32.dll

GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, WriteConsoleW, GetProcAddress, GetModuleFileNameW, SetDllDirectoryW, FreeLibrary, GetLastError, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, HeapReAlloc, GetFileAttributesExW, GetStringTypeW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, SetEndOfFile

ADVAPI32.dll

ConvertSidToStringSidW, GetTokenInformation, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW

Target ID:	0
Start time:	09:44:23
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\PDF_Resave.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PDF_Resave.exe"
Imagebase:	0x7ff7bd3b0000
File size:	7'729'425 bytes
MD5 hash:	27CC92C02C64EBC1FFC0B19F361BD5A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:44:23
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:44:24
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\PDF_Resave.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\PDF_Resave.exe"
Imagebase:	0x7ff7bd3b0000
File size:	7'729'425 bytes
MD5 hash:	27CC92C02C64EBC1FFC0B19F361BD5A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	69

Executed Functions

Function 00007FF7BD3D4EB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF7BD3D4EF5

Part of subcall function 00007FF7BD3D4848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D485C

Part of subcall function 00007FF7BD3C9F88: RtlFreeHeap.NTDLL(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9F9E
Part of subcall function 00007FF7BD3C9F88: GetLastError.KERNEL32(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9FA8

Part of subcall function 00007FF7BD3C9F40: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7BD3C9F1F,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3C9F49
Part of subcall function 00007FF7BD3C9F40: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7BD3C9F1F,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3C9F6E

_get_daylight.LIBCMT ref: 00007FF7BD3D4EE4

Part of subcall function 00007FF7BD3D48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D48BC

_get_daylight.LIBCMT ref: 00007FF7BD3D515A
_get_daylight.LIBCMT ref: 00007FF7BD3D516B
_get_daylight.LIBCMT ref: 00007FF7BD3D517C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7BD3D53BC), ref: 00007FF7BD3D51A3

Strings

Eastern Summer Time, xrefs: 00007FF7BD3D5261
Eastern Standard Time, xrefs: 00007FF7BD3D5249

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 094aa0b8d65919baa3d0772ff3767fd2675aa8a4e03dc9ca21af0ffdcdca806f
Instruction ID: 76071ce308c92680174e936acf4efdca744feb708df7ca26c9ca378d5590d59f
Opcode Fuzzy Hash: 094aa0b8d65919baa3d0772ff3767fd2675aa8a4e03dc9ca21af0ffdcdca806f
Instruction Fuzzy Hash: 04D19026E0C242C6EB68BF29D4601B9E751EB66784F844139EB4D4769FFF3CE4418B60

Function 00007FF7BD3B58E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B5977
GetCurrentProcessId.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B597D

Part of subcall function 00007FF7BD3B5AF0: GetEnvironmentVariableW.KERNEL32(00007FF7BD3B2817,?,?,?,?,?,?), ref: 00007FF7BD3B5B2A
Part of subcall function 00007FF7BD3B5AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B5B47

Part of subcall function 00007FF7BD3C6828: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C6841

SetEnvironmentVariableW.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B5A31

Strings

LOADER: Failed to set the TMP environment variable., xrefs: 00007FF7BD3B595A
_MEI%d, xrefs: 00007FF7BD3B5985
TMP, xrefs: 00007FF7BD3B591A, 00007FF7BD3B59D9, 00007FF7BD3B5A67
TMP, xrefs: 00007FF7BD3B5940

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1556224225-1116378104
Opcode ID: c37227a989606194a9b775c0e79d879d36e5a46f9a7ba2449f26b34a68ac7e0c
Instruction ID: 2879302f61b62613c469c61e037d04f7869bf1581f5f94fbf05ca48e661793fe
Opcode Fuzzy Hash: c37227a989606194a9b775c0e79d879d36e5a46f9a7ba2449f26b34a68ac7e0c
Instruction Fuzzy Hash: 1A516E11B1D65381FA9DB72AA8512B9E6515F6BBC0FC85038EF0E5B69BFD2CE4018720

Function 00007FF7BD3D5DFC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7BD3D5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D5B71
Part of subcall function 00007FF7BD3D5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D5BEF
Part of subcall function 00007FF7BD3D5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D5C40

CreateFileW.KERNELBASE ref: 00007FF7BD3D5F02
CreateFileW.KERNEL32 ref: 00007FF7BD3D5F52
GetLastError.KERNEL32 ref: 00007FF7BD3D5F82
GetFileType.KERNELBASE ref: 00007FF7BD3D5F97
GetLastError.KERNEL32 ref: 00007FF7BD3D5FA1
CloseHandle.KERNEL32 ref: 00007FF7BD3D5FD4
CloseHandle.KERNEL32 ref: 00007FF7BD3D6137
CreateFileW.KERNEL32 ref: 00007FF7BD3D616C
GetLastError.KERNEL32 ref: 00007FF7BD3D617B

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: f4a66a793454549687445e322010bf0c8aa55a7819c853dce57e356f604717af
Instruction ID: 828f3d3319de8c9f82800a809c0269d92b7a49632210904c2268358630a2ba04
Opcode Fuzzy Hash: f4a66a793454549687445e322010bf0c8aa55a7819c853dce57e356f604717af
Instruction Fuzzy Hash: B0C1F433B1CA45C5EB14EF68C4901ACBB61F76AB98B450239DB2E573AAEF38D055C710

Function 00007FF7BD3D512C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF7BD3D515A

Part of subcall function 00007FF7BD3D48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D48BC

_get_daylight.LIBCMT ref: 00007FF7BD3D516B

Part of subcall function 00007FF7BD3D4848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D485C

_get_daylight.LIBCMT ref: 00007FF7BD3D517C

Part of subcall function 00007FF7BD3D4878: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D488C

Part of subcall function 00007FF7BD3C9F88: RtlFreeHeap.NTDLL(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9F9E
Part of subcall function 00007FF7BD3C9F88: GetLastError.KERNEL32(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9FA8

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7BD3D53BC), ref: 00007FF7BD3D51A3

Strings

Eastern Summer Time, xrefs: 00007FF7BD3D5261
Eastern Standard Time, xrefs: 00007FF7BD3D5249

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: fd078edb7ea8857bbddca5cb379a768099f63ff1987e7d86fa41c3a02db3c977
Instruction ID: 01b8db909708d385df8fc9d698bb0496eb16ee311fbb955f6a634f2448fb0fc3
Opcode Fuzzy Hash: fd078edb7ea8857bbddca5cb379a768099f63ff1987e7d86fa41c3a02db3c977
Instruction Fuzzy Hash: 24517622A0C642C6E758FF29E5901A9E750BB6A784FC4513DEB4D4369BEF3CE4008B60

Function 00007FF7BD3CFA98 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 77b634f070b5d0425022c69dd6fb332ff82a5336b27442bcf42cac2e1250e46a
Instruction ID: ecf1ee5935456352ae56c2746130978a38331d83d5c177743cb59a8de8218ad7
Opcode Fuzzy Hash: 77b634f070b5d0425022c69dd6fb332ff82a5336b27442bcf42cac2e1250e46a
Instruction Fuzzy Hash: 79024C22A0E746C0EA59BB2994502B9E680AF63B90FDD453DDB5D473DBFE3DA4018320

Function 00007FF7BD3B17B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF7BD3B185C
_fread_nolock.LIBCMT ref: 00007FF7BD3B190E

Part of subcall function 00007FF7BD3BE6E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BE6F4

Strings

MEI, xrefs: 00007FF7BD3B17EF
Could not read full TOC!, xrefs: 00007FF7BD3B1919
Could not allocate buffer for TOC!, xrefs: 00007FF7BD3B18E3
Failed to read cookie!, xrefs: 00007FF7BD3B1867
Cannot read Table of Contents., xrefs: 00007FF7BD3B1995
Failed to seek to cookie position!, xrefs: 00007FF7BD3B182F
malloc, xrefs: 00007FF7BD3B18EA
fseek, xrefs: 00007FF7BD3B1836
fread, xrefs: 00007FF7BD3B186E
Error on file., xrefs: 00007FF7BD3B193D

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _fread_nolock$_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 3405171723-4158440160
Opcode ID: f9899f3dab2afdea0400dc1ca05c52481182e316f861a99ca011915560981afd
Instruction ID: b4bbd77f65c9b53a4da38963feb11938de0c1edaa2a4bb0781954b7bf57c4a3f
Opcode Fuzzy Hash: f9899f3dab2afdea0400dc1ca05c52481182e316f861a99ca011915560981afd
Instruction Fuzzy Hash: 45515E71A1DA46C6EB58EF2CD450278F3A0EB6AB44B904139EB0D8739EEE3CE540C750

Function 00007FF7BD3B1440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7BD3B15E5
fopen, xrefs: 00007FF7BD3B1491
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7BD3B15D5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7BD3B14F9
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7BD3B14CA
Failed to extract %s: failed to open target file!, xrefs: 00007FF7BD3B148A
malloc, xrefs: 00007FF7BD3B1560
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7BD3B1559
fseek, xrefs: 00007FF7BD3B1500
fread, xrefs: 00007FF7BD3B15EC
fwrite, xrefs: 00007FF7BD3B15DC

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 0-666925554
Opcode ID: 7e2a2c0b0f0d064d10a2880fe4117471e88475fb40869babe68c62c10a2f5a98
Instruction ID: 73c0713862583da631b8ef7b2cf8468f5049d922c0cbeb58ca2b56963aed74c1
Opcode Fuzzy Hash: 7e2a2c0b0f0d064d10a2880fe4117471e88475fb40869babe68c62c10a2f5a98
Instruction Fuzzy Hash: 67519921B0C642C5EA18BB19A5507B9F360AF62BD4F840539EF1D476AFFE3CE1448720

Function 00007FF7BD3B6A70 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00007FF7BD3B59BA,?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6AB0
OpenProcessToken.ADVAPI32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6AC1
GetTokenInformation.KERNELBASE(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6AE3
GetLastError.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6AED
GetTokenInformation.KERNELBASE(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6B2A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7BD3B6B3C
CloseHandle.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6B54
LocalFree.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6B86
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF7BD3B6BAD
CreateDirectoryW.KERNELBASE(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6BBE

Strings

S-1-3-4, xrefs: 00007FF7BD3B6B5F
D:(A;;FA;;;%s), xrefs: 00007FF7BD3B6B69

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: 8db0a8c5664a071b86435850a3cc39cf0dbbe99956597f5d8ba641213cd3919b
Instruction ID: 1ba6a531c45c0faab4739f53c9146d181aeec1f70e831a4f5c9d2ee29371cca4
Opcode Fuzzy Hash: 8db0a8c5664a071b86435850a3cc39cf0dbbe99956597f5d8ba641213cd3919b
Instruction Fuzzy Hash: CE41913160C642C2E654EF19E4502AAF361FBA6790F840239FB5E476AAEF7CD448CB10

Function 00007FF7BD3B6140 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7BD3B6DC0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B6DFA

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF7BD3B2B60,?,?,?,?,?,?), ref: 00007FF7BD3B618F
GetStartupInfoW.KERNEL32 ref: 00007FF7BD3B61AE

Part of subcall function 00007FF7BD3C92F4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C9308

Part of subcall function 00007FF7BD3C706C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C70D3

GetCommandLineW.KERNEL32 ref: 00007FF7BD3B624E
CreateProcessW.KERNELBASE ref: 00007FF7BD3B6290
WaitForSingleObject.KERNEL32 ref: 00007FF7BD3B62A4
GetExitCodeProcess.KERNELBASE ref: 00007FF7BD3B62B4

Strings

Error creating child process!, xrefs: 00007FF7BD3B62C0
CreateProcessW, xrefs: 00007FF7BD3B62C7

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: f9329e10ecf7cd9add790cd54d80bd1613acac9f8f0a608475d9c7ff608cd0f3
Instruction ID: 9d114a1be8cab9415e207323e7e19a21b95f1a9e75d2d632595eaa1dba65ec20
Opcode Fuzzy Hash: f9329e10ecf7cd9add790cd54d80bd1613acac9f8f0a608475d9c7ff608cd0f3
Instruction Fuzzy Hash: 8A410571A0C782C1DA24AB68F4552AAF364FBA5360F900739E7AD477DAEF7CD0548B10

Function 00007FF7BD3B1000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7BD3B2CD0: GetModuleFileNameW.KERNEL32(?,00007FF7BD3B27C9,?,?,?,?,?,?), ref: 00007FF7BD3B2D01

SetDllDirectoryW.KERNEL32 ref: 00007FF7BD3B29D5

Part of subcall function 00007FF7BD3B5AF0: GetEnvironmentVariableW.KERNEL32(00007FF7BD3B2817,?,?,?,?,?,?), ref: 00007FF7BD3B5B2A
Part of subcall function 00007FF7BD3B5AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B5B47

Strings

Failed to convert DLL search path!, xrefs: 00007FF7BD3B29BD
MEI, xrefs: 00007FF7BD3B2917
_PYI_ONEDIR_MODE, xrefs: 00007FF7BD3B282C, 00007FF7BD3B2857
_MEIPASS2, xrefs: 00007FF7BD3B2803, 00007FF7BD3B286C, 00007FF7BD3B2B1B, 00007FF7BD3B2B2B
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF7BD3B28BE
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF7BD3B295C

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 144c16ccd7672ff0b95d7af8685cd2bb33374b1d9a395c9c1d49ec4117b97591
Instruction ID: f506db1a5e6e5c821c4cfb531445107295d9188a9d343c27fddfd35e91286a1e
Opcode Fuzzy Hash: 144c16ccd7672ff0b95d7af8685cd2bb33374b1d9a395c9c1d49ec4117b97591
Instruction Fuzzy Hash: 13C19125A1C643D1EA68BB2994912FDF390AF66784FC04139FB4D4769FFE2CE5068720

Function 00007FF7BD3B1050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7BD3B1249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7BD3B10F1
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7BD3B111F
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7BD3B10B4
malloc, xrefs: 00007FF7BD3B10F8, 00007FF7BD3B1126
1.2.13, xrefs: 00007FF7BD3B107E

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: 75a8f361488b902336a9f66c708dd5ad1a5206faca2c9aa32f7c4d8285429985
Instruction ID: 472e0288a5ec5c3fb12d9c9b5fa75644befafebb37553e312b644ce63dfbf082
Opcode Fuzzy Hash: 75a8f361488b902336a9f66c708dd5ad1a5206faca2c9aa32f7c4d8285429985
Instruction Fuzzy Hash: 1351B322A0D642C5EA68BB19E4403B9F290FBA6794F844139EF4D4779EFE3CE505C710

Function 00007FF7BD3CDF40 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF7BD3CE2DA,?,?,-00000018,00007FF7BD3CA393,?,?,?,00007FF7BD3CA28A,?,?,?,00007FF7BD3C54F2), ref: 00007FF7BD3CE0BC
GetProcAddress.KERNEL32(?,00000000,?,00007FF7BD3CE2DA,?,?,-00000018,00007FF7BD3CA393,?,?,?,00007FF7BD3CA28A,?,?,?,00007FF7BD3C54F2), ref: 00007FF7BD3CE0C8

Strings

api-ms-, xrefs: 00007FF7BD3CE006
ext-ms-, xrefs: 00007FF7BD3CE019

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: aad9aede478575e979b907d5906f12f078c77a7925399981a7c8c7e1570d79b3
Instruction ID: 21ca648a56e317d33fd6f73d2a6f6aca1c4800d7577f034a1e09d5a53926f60c
Opcode Fuzzy Hash: aad9aede478575e979b907d5906f12f078c77a7925399981a7c8c7e1570d79b3
Instruction Fuzzy Hash: 10411322B1DB22C1FA19EB1A9810575E291BF6AB90F8C413DDF0D5778AFE3CE4448364

Function 00007FF7BD3CB09C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3CB4C9

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f51be05eff67105166a8e0974f5b8922bd2b6cae86938e82961f641d8e49780a
Instruction ID: 80bfda2e179dac222cec5da69a796a9d6565723f865e5b59f535de7271ec42ac
Opcode Fuzzy Hash: f51be05eff67105166a8e0974f5b8922bd2b6cae86938e82961f641d8e49780a
Instruction Fuzzy Hash: B0C1B42290C786D1E658AB1994402BDFB51FBA3B80FDD0139DB4D0779BEE7DE4898720

Function 00007FF7BD3CC5A0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7BD3CC58B), ref: 00007FF7BD3CC6BC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7BD3CC58B), ref: 00007FF7BD3CC747

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 47869f412bece76eb023dbb07aa2cba14259a80e0a96d05eb24eea3b46299af7
Instruction ID: 8514e83ca0e7feb7d6a8aeda6163a5a01d5fa30a26bc67b77cbc0fd8cd58bd02
Opcode Fuzzy Hash: 47869f412bece76eb023dbb07aa2cba14259a80e0a96d05eb24eea3b46299af7
Instruction Fuzzy Hash: A991A236B0C751C5F768AB6984402BDE7A0AB26788F9C413DDF0E57A8AEF38D4418720

Function 00007FF7BD3CE96C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF7BD3CEA5C
_get_daylight.LIBCMT ref: 00007FF7BD3CEA6D
_get_daylight.LIBCMT ref: 00007FF7BD3CEA7E
_isindst.LIBCMT ref: 00007FF7BD3CEB49

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 7c116d52e869d70fe36170fafcd4453455d7a89aa2c255f713b58b82420c40e6
Instruction ID: b3e3ed580e8b1492829c924ad517ca4eaa5adbd984c187ed48e21132101f0ad5
Opcode Fuzzy Hash: 7c116d52e869d70fe36170fafcd4453455d7a89aa2c255f713b58b82420c40e6
Instruction Fuzzy Hash: BA51F972F0D311CAEB1CEF28995167CE765AB21359F94013DEF1E636DAEB38A4118710

Function 00007FF7BD3C46F8 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C4725
CreateFileW.KERNELBASE ref: 00007FF7BD3C4764
CloseHandle.KERNEL32 ref: 00007FF7BD3C4799

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 2e14a9a22f8bbc959da1ddaf4bea7386fc9969426b98b87380e1d1a6b88a1f24
Instruction ID: 80aa2333f4c1c823000293213d114e3ea0367026501973fcc005c8456ad276d4
Opcode Fuzzy Hash: 2e14a9a22f8bbc959da1ddaf4bea7386fc9969426b98b87380e1d1a6b88a1f24
Instruction Fuzzy Hash: 36419722E1C782C3E758AB649510369F660FBA6754F549338E76C03ADAEF6CB5E08710

Function 00007FF7BD3BA52C Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7BD3BA540

Part of subcall function 00007FF7BD3BA70C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7BD3BA72E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7BD3BA555
__scrt_release_startup_lock.LIBCMT ref: 00007FF7BD3BA5C3

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 1be6874be7b06f60d2a206459abee2dcc30803262f01e71d3cdcfcaefe82dc60
Instruction ID: 1e848b09286e92d3d617ca55b284786a80e8eef00a26ae849f771588371f352e
Opcode Fuzzy Hash: 1be6874be7b06f60d2a206459abee2dcc30803262f01e71d3cdcfcaefe82dc60
Instruction Fuzzy Hash: AA313F21A0CA06C6EA5CBB2C95513B9E291AF63784FC4403DF74D4729BFEACA5048738

Function 00007FF7BD3C89F8 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7BD3C89F4), ref: 00007FF7BD3C8A09
TerminateProcess.KERNEL32(?,?,?,00007FF7BD3C89F4), ref: 00007FF7BD3C8A14
ExitProcess.KERNEL32 ref: 00007FF7BD3C8A23

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cdaea237e1b592d6c154aaf0f90f60ef9ca2b577adbaa54e82ff2db6f3b91dce
Instruction ID: 8d9f7445b4ce7dc7d6ce0dda79984bb52ccd80f9e184eefc238529967e8f1dfa
Opcode Fuzzy Hash: cdaea237e1b592d6c154aaf0f90f60ef9ca2b577adbaa54e82ff2db6f3b91dce
Instruction Fuzzy Hash: 62D01714B0C702D2EA5C3B395965138D2111F7A700B84143CCA0F033ABED2DA54D4730

Function 00007FF7BD3BE70C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BE750
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BE847

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction ID: 7df5a9fff5deb558690805e68ba1cbeea62d22569525da985e871d3600cffd1e
Opcode Fuzzy Hash: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction Fuzzy Hash: 7151B921A0D641C5E66CAA2D9800679F691EF52B64F984638FF7D577CFEE3CE4408720

Function 00007FF7BD3CBA58 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7BD3CBAD1
GetFileType.KERNELBASE ref: 00007FF7BD3CBAE7

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: ea0bf9139acf7e29816fcd0aba872ae9fa759e19ef548db38860721d431a1d9c
Instruction ID: 3e3b262315d10a1a55d30cef7d7bb90a9c2c315e0a3e93c011051081e756ead2
Opcode Fuzzy Hash: ea0bf9139acf7e29816fcd0aba872ae9fa759e19ef548db38860721d431a1d9c
Instruction Fuzzy Hash: 51316321A1CB46C1DB689B1C8590179E650EB56BB0FAC032DDBAE073E9DF7DE491D310

Function 00007FF7BD3CB774 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF7BD3CB760,00000000,?,?,?,00007FF7BD3B1023,00007FF7BD3CB869), ref: 00007FF7BD3CB7C0
GetLastError.KERNEL32(?,?,?,?,?,00007FF7BD3CB760,00000000,?,?,?,00007FF7BD3B1023,00007FF7BD3CB869), ref: 00007FF7BD3CB7CA

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3ffa62e109f94fb18d3b2cbff054a6c81447e1b6aec8cf58aa39285ecb5c62cf
Instruction ID: d8f7600a7ce32ff25557009afb2b1e5f9e90fa3b24686f7a5ba1b4caff019032
Opcode Fuzzy Hash: 3ffa62e109f94fb18d3b2cbff054a6c81447e1b6aec8cf58aa39285ecb5c62cf
Instruction Fuzzy Hash: 4F11C46171CB81C1DA54AB29A814069E761AB66BF4F984339EF7D077EEEE3CD0948700

Function 00007FF7BD3C6AF8 Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3C6975), ref: 00007FF7BD3C6B1B
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3C6975), ref: 00007FF7BD3C6B31

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 695a997772c6d588bd3c19a829da3cd4efb67dac24a46cf8f274d2962167cdc2
Instruction ID: 10e2779cc233112943d8cf678764d8a6d10ce6b8c16b83c979252e1aed8aa264
Opcode Fuzzy Hash: 695a997772c6d588bd3c19a829da3cd4efb67dac24a46cf8f274d2962167cdc2
Instruction Fuzzy Hash: 8701822250C651C2D758AB19E40213AF7B0FB96761F940239E7AD025EDEF7DD050DB20

Function 00007FF7BD3C9F88 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9F9E
GetLastError.KERNEL32(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9FA8

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 635cad2e0ff3992951b7a77c4f2b8b42bf407885737c95784d501ba83ef464ff
Instruction ID: 00a976503f583d56a9d85f6ac6997636b631affde30da6a8aebcf6fdc2fd4b35
Opcode Fuzzy Hash: 635cad2e0ff3992951b7a77c4f2b8b42bf407885737c95784d501ba83ef464ff
Instruction Fuzzy Hash: CAE04F51E0D302C2FF1C7BBA9464074E2515FB6742B89443CCA0D5726BFE2CA4898730

Function 00007FF7BD3C6860 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00007FF7BD3C6864
GetLastError.KERNEL32(?,?,?,?,?), ref: 00007FF7BD3C686E

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 6ee4c4c1d826b64487a110c2ae4246bf529d87c63a5704ba62e6a74145362de3
Instruction ID: bd8335c1cf58d82f201e0ce414ed0613b6252d93681a8dd113fb0f2bcd57160f
Opcode Fuzzy Hash: 6ee4c4c1d826b64487a110c2ae4246bf529d87c63a5704ba62e6a74145362de3
Instruction Fuzzy Hash: 31D0C910F5C703C1E62C37BA1915178D5902F7A724FD40638C229832FBFE2CA5C90721

Function 00007FF7BD3C70E4 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF7BD3C70E8
GetLastError.KERNEL32 ref: 00007FF7BD3C70F2

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: e62d151a604f4e0a1f97514f12a36258322d99d4e44f7b0e6aef129f7c091d96
Instruction ID: 0932ecf04584acf0b6d204457c5495fe73f0a63f1403a2ede7dc04f4c1dc23cd
Opcode Fuzzy Hash: e62d151a604f4e0a1f97514f12a36258322d99d4e44f7b0e6aef129f7c091d96
Instruction Fuzzy Hash: 2FD0C910E5C603C1E61C37BB1959179D2901F77720FD4067CCA29822EAFE2CA0894721

Function 00007FF7BD3CA198 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF7BD3CA015,?,?,00000000,00007FF7BD3CA0CA), ref: 00007FF7BD3CA206
GetLastError.KERNEL32(?,?,?,00007FF7BD3CA015,?,?,00000000,00007FF7BD3CA0CA), ref: 00007FF7BD3CA210

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 176045b7523cf5febd9284a5f88f2e5d392980a8c79d008abc553eacec4aafb7
Instruction ID: 94a8bfa16f3a610a5fcb2c02a72d0e389d35d6ea297f3f4b8303a28699186b1e
Opcode Fuzzy Hash: 176045b7523cf5febd9284a5f88f2e5d392980a8c79d008abc553eacec4aafb7
Instruction Fuzzy Hash: 3D21C211F0C742C1EE68775898A0379D1919FA67A0F8C423DDF2E473DBEE6CA4848324

Function 00007FF7BD3B5E00 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BD3B6DC0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B6DFA

_findclose.LIBCMT ref: 00007FF7BD3B6059

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: f49b861ea7d3f103746b3a21f9c25844a1af0d2aa27eefd751e744e4ab09ae28
Instruction ID: 03b71d435549e49abec8bcb999560cdd6fc1b8f48923bdc37d808cfbc68232a1
Opcode Fuzzy Hash: f49b861ea7d3f103746b3a21f9c25844a1af0d2aa27eefd751e744e4ab09ae28
Instruction Fuzzy Hash: 83716A52E18AC581E615DB2CC5452FDB360F7A9B48F94E329DB8C12597FF28E2D9C700

Function 00007FF7BD3CB4EC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3CB514

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8f779a44aa3b0a3f4ccf073f5887973493dec229e4be6da509badb23d6131534
Instruction ID: f864e123c879d6212f0de0000b889d07b22aa495a481d8581d6b2c7ad2725250
Opcode Fuzzy Hash: 8f779a44aa3b0a3f4ccf073f5887973493dec229e4be6da509badb23d6131534
Instruction Fuzzy Hash: 6141B13290C341C3EA28AB1DE550279F3A0EB77785F980139D78A4369AEF2DE452C770

Function 00007FF7BD3B6370 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7BD3B641A

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 99bbfe1d2f05c0455474663fa123003f277943937db98f160d8ca22a423e34c6
Instruction ID: 8c134236b7549a175959a87fff95f7e4efc147e065a3dc9f43c3d1523a01fea5
Opcode Fuzzy Hash: 99bbfe1d2f05c0455474663fa123003f277943937db98f160d8ca22a423e34c6
Instruction Fuzzy Hash: 96216121B0C69285EA59AB1A69043BAF651BF56BD4FC85435EF4D0B78BEE3CE0418710

Function 00007FF7BD3CAF7C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3CB002

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5c21e00b33c8f2b45ceb84e2d38ad87eb1f0bac44c293c41f89c92cf48f3706b
Instruction ID: da99ae3c5094f18c32371a127a52da57c5ee026e545c045b906db27c012275d2
Opcode Fuzzy Hash: 5c21e00b33c8f2b45ceb84e2d38ad87eb1f0bac44c293c41f89c92cf48f3706b
Instruction Fuzzy Hash: 3A319062A1C722C1E6197B69984137CEA50AB62B50FC9013DEB1D133DBEF7CE4818730

Function 00007FF7BD3C8929 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7BD3C8957

Part of subcall function 00007FF7BD3C8A50: GetModuleHandleExW.KERNEL32 ref: 00007FF7BD3C8A75
Part of subcall function 00007FF7BD3C8A50: GetProcAddress.KERNEL32 ref: 00007FF7BD3C8A8B
Part of subcall function 00007FF7BD3C8A50: FreeLibrary.KERNEL32 ref: 00007FF7BD3C8AB2

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 4364183f743529bba0b1b8a1ab3c287b648935f4c13821245ef64b361732f161
Instruction ID: c4091e5f4d0e6922c94ae27b589d3c8e13dbc13b0f702dc47ef4de7438e10ad3
Opcode Fuzzy Hash: 4364183f743529bba0b1b8a1ab3c287b648935f4c13821245ef64b361732f161
Instruction Fuzzy Hash: 4A21A631A08701D9EB1CAF68C4402FCB7A0EB15318F481639D76D47ADAEF38D685C761

Function 00007FF7BD3C5548 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C54AD

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction ID: 3ad7a4d83fb595b817a0ea37005c77b075d8e4bc8c6d594f0435c154bbb9a820
Opcode Fuzzy Hash: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction Fuzzy Hash: CD115E22A0D741C1EA68BF59940027DE660BFA7B80F8C4439EB4C5779BEE3DE4408720

Function 00007FF7BD3D57EC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D580F

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ae9bd99ce62d3538fe7d29b8c80f6b7eb83d48e2b866bc47fbdf5b394f043f57
Instruction ID: 74628f5b9ad3b56525e40a76cef617878b4049ca4853c56d075e9c618593c4b9
Opcode Fuzzy Hash: ae9bd99ce62d3538fe7d29b8c80f6b7eb83d48e2b866bc47fbdf5b394f043f57
Instruction Fuzzy Hash: D521A432A0C641C7D7649F1CD450369FA60FB96B54FA84238D75D476DAEF3DD4008B10

Function 00007FF7BD3BE98C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BE9E0

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction ID: 921dac09ad7f55a1eff9aea9a94ab918c84925bb4b627e228d6f6644898bffe2
Opcode Fuzzy Hash: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction Fuzzy Hash: 9F018221A0C74581EA48AB5A9901169F795BBA7FE0B884639EF5C67BDFEE3CE0114310

Function 00007FF7BD3C64EC Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C652A

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 89f1a6046394815f14ac2edb09e2e5d8c749716ba98b122b0912a1bcf1d4c737
Instruction ID: 748b2f30643e5b43c76f8b212a49160b5701884aedae5f1c9f4c978055dbd8e7
Opcode Fuzzy Hash: 89f1a6046394815f14ac2edb09e2e5d8c749716ba98b122b0912a1bcf1d4c737
Instruction Fuzzy Hash: D0013C61A0D742C0FE687B296540179DA90AF66794FAC453DEB1C437EFFE2CE4808320

Function 00007FF7BD3C6828 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C6841

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d8ddd072cb9aeb27808c6bd09a31392064f42f391621abce153dcee42f6a1f6e
Instruction ID: 8ed51f4512fd27d5948f7759c2523ce508f1ee42d0839d5d46f832e5859d3e58
Opcode Fuzzy Hash: d8ddd072cb9aeb27808c6bd09a31392064f42f391621abce153dcee42f6a1f6e
Instruction Fuzzy Hash: E2E0B691A0C316C2FA683AAC4592278DA519F66340FC8443DDB08172ABFD1D78885731

Function 00007FF7BD3B64A0 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: efc5bac48e0eb0ffe74c9f21acabb1ae742049e90b115f0f612458e6ed3a3079
Instruction ID: 397ea53bb4f806c33e1d49b969d6fa4cb6597a9d5b8f56ed1ba249ce2be872ca
Opcode Fuzzy Hash: efc5bac48e0eb0ffe74c9f21acabb1ae742049e90b115f0f612458e6ed3a3079
Instruction Fuzzy Hash: 92419616D1CB85C1E655AB2895013BCF360FBB6744F84A236EB8D5719BFF28A5D8C310

Function 00007FF7BD3CDEC8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF7BD3CAA26,?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E), ref: 00007FF7BD3CDF1D

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5680686827257c125c79c0b434b54bb6693b4c02053300f6c32a97532040a367
Instruction ID: eceb658cadcd62f0e1bdf87788e887ade637e137d5398de205b85939c94484da
Opcode Fuzzy Hash: 5680686827257c125c79c0b434b54bb6693b4c02053300f6c32a97532040a367
Instruction Fuzzy Hash: E6F03755B0D307C0FE5C776AA9602B5E2906F76B80F8C5439EA0E8769BFE2CE4814330

Function 00007FF7BD3CCC3C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7BD3BF1F4,?,?,?,00007FF7BD3C0706,?,?,?,?,?,00007FF7BD3C276D), ref: 00007FF7BD3CCC7A

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b11fc6a16e25d187a1b91613ce7ef6c78f7eee5e93957fcc5bb755ad2e5a5504
Instruction ID: eb71ee05c0d57079bfb00c791d1ffbcfc5328c73ed70d3d1ad13473dcc92341f
Opcode Fuzzy Hash: b11fc6a16e25d187a1b91613ce7ef6c78f7eee5e93957fcc5bb755ad2e5a5504
Instruction Fuzzy Hash: D0F03A69A0D346C4FE2C77795950279D2805FA67A0F8C86389A2E872DBFD2CA4529330

Non-executed Functions

Function 00007FF7BD3B50B0 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B50C7
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B5106
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B512B
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B5150
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B5178
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B51A0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B51C8
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B51F0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B5218

Strings

Failed to get address for Tcl_CreateInterp, xrefs: 00007FF7BD3B5118
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF7BD3B513D
Failed to get address for Tcl_Finalize, xrefs: 00007FF7BD3B518A
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF7BD3B522A
Failed to get address for Tcl_EvalEx, xrefs: 00007FF7BD3B54D2
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF7BD3B5342
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF7BD3B51B2
Tcl_CreateObjCommand, xrefs: 00007FF7BD3B539E
Tcl_ThreadQueueEvent, xrefs: 00007FF7BD3B52FE
Tcl_EvalFile, xrefs: 00007FF7BD3B548E
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF7BD3B51DA
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF7BD3B531A
Tcl_EvalObjv, xrefs: 00007FF7BD3B54DE
Tcl_Free, xrefs: 00007FF7BD3B552E
Tcl_ThreadAlert, xrefs: 00007FF7BD3B5326
Tcl_GetObjResult, xrefs: 00007FF7BD3B5466
Tcl_NewByteArrayObj, xrefs: 00007FF7BD3B5416
Tcl_SetVar2Ex, xrefs: 00007FF7BD3B543E
Failed to get address for Tcl_Free, xrefs: 00007FF7BD3B554A
Failed to get address for Tcl_MutexLock, xrefs: 00007FF7BD3B5252
GetProcAddress, xrefs: 00007FF7BD3B50E0
Tcl_GetCurrentThread, xrefs: 00007FF7BD3B520E
Failed to get address for Tk_Init, xrefs: 00007FF7BD3B5572
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF7BD3B527A
Failed to get address for Tcl_GetString, xrefs: 00007FF7BD3B53E2
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF7BD3B5432
Tcl_MutexLock, xrefs: 00007FF7BD3B5236
Tcl_ConditionNotify, xrefs: 00007FF7BD3B52AE
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF7BD3B5162
Tcl_DoOneEvent, xrefs: 00007FF7BD3B5146
Tcl_DeleteInterp, xrefs: 00007FF7BD3B51BE
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF7BD3B53BA
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF7BD3B52F2
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF7BD3B52A2
Failed to get address for Tcl_Alloc, xrefs: 00007FF7BD3B5522
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF7BD3B5482
Failed to get address for Tcl_Init, xrefs: 00007FF7BD3B50D9
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF7BD3B540A
Tcl_FinalizeThread, xrefs: 00007FF7BD3B5196
Tcl_Init, xrefs: 00007FF7BD3B50C0
Tcl_NewStringObj, xrefs: 00007FF7BD3B53EE
Tcl_Alloc, xrefs: 00007FF7BD3B5506
Failed to get address for Tcl_EvalFile, xrefs: 00007FF7BD3B54AA
Tcl_SetVar2, xrefs: 00007FF7BD3B5376
Tcl_ConditionFinalize, xrefs: 00007FF7BD3B5286
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF7BD3B545A
Tcl_CreateThread, xrefs: 00007FF7BD3B51E6
Failed to get address for Tcl_GetVar2, xrefs: 00007FF7BD3B536A
Tcl_GetVar2, xrefs: 00007FF7BD3B534E
Tcl_ConditionWait, xrefs: 00007FF7BD3B52D6
Tcl_Finalize, xrefs: 00007FF7BD3B516E
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF7BD3B52CA
Failed to get address for Tcl_SetVar2, xrefs: 00007FF7BD3B5392
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF7BD3B559A
Tcl_CreateInterp, xrefs: 00007FF7BD3B50FC
Tcl_MutexUnlock, xrefs: 00007FF7BD3B525E
Tcl_GetString, xrefs: 00007FF7BD3B53C6
Failed to get address for Tcl_CreateThread, xrefs: 00007FF7BD3B5202
Tcl_FindExecutable, xrefs: 00007FF7BD3B5121
Tk_GetNumMainWindows, xrefs: 00007FF7BD3B557E
Tk_Init, xrefs: 00007FF7BD3B5556
Tcl_EvalEx, xrefs: 00007FF7BD3B54B6
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF7BD3B54FA

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 77b5a64d38601d97cc6f46ef17bc262d941289dca8cc320d3ff37db910af6723
Instruction ID: 69d35b04fdef8627c6349b3cc8a0e513b09fe4dd7d761d5941f657da2b768c6b
Opcode Fuzzy Hash: 77b5a64d38601d97cc6f46ef17bc262d941289dca8cc320d3ff37db910af6723
Instruction Fuzzy Hash: 51E1C565A5DB07D0EE0DBB0CA960174E2A1AF3A780BD8513DDB0D0726EFF7CA5489724

Function 00007FF7BD3D325C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7BD3D32AA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D3916
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D3A8C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D3D4A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D3F6A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D41A7
memcpy_s.LIBCPMT ref: 00007FF7BD3D4282
memcpy_s.LIBCPMT ref: 00007FF7BD3D432D
memcpy_s.LIBCPMT ref: 00007FF7BD3D43FC

Strings

1#QNAN, xrefs: 00007FF7BD3D33C3
1#SNAN, xrefs: 00007FF7BD3D33BA
1#INF, xrefs: 00007FF7BD3D33D3
1#IND, xrefs: 00007FF7BD3D3397

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 8e3f32220dbedb6b83d3a56d93bef729e8f640f2dff9788303e755a102ce7513
Instruction ID: 28e87ce8cd7bf34fcc610d06ca66068e5600c99f7a288089be00d6528862267e
Opcode Fuzzy Hash: 8e3f32220dbedb6b83d3a56d93bef729e8f640f2dff9788303e755a102ce7513
Instruction Fuzzy Hash: 6FB2E672A1C682CAE7689F68D4507FDF7A1FB65344F841139DB0957A8EEB38A900CF50

Function 00007FF7BD3B6680 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(WideCharToMultiByte,00007FF7BD3B1CE4,?,?,00000000,00007FF7BD3B6914), ref: 00007FF7BD3B66A7
FormatMessageW.KERNEL32 ref: 00007FF7BD3B66D6
WideCharToMultiByte.KERNEL32 ref: 00007FF7BD3B672C

Part of subcall function 00007FF7BD3B1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF7BD3B6914,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B1CD7

Strings

WideCharToMultiByte, xrefs: 00007FF7BD3B6680, 00007FF7BD3B673D
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF7BD3B6749
No error messages generated., xrefs: 00007FF7BD3B66E0
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7BD3B6736
PyInstaller: FormatMessageW failed., xrefs: 00007FF7BD3B66F3
FormatMessageW, xrefs: 00007FF7BD3B66E7

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorLast$ByteCharFormatMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2383786077-2573406579
Opcode ID: 8af1543621e2225bbe5bffd5a6056578706e604aa2a65e437b117fd27dbfded5
Instruction ID: c0594de0d79d9287b83c5eb124a60ad215728328735715f8b49cf5a0ad33081e
Opcode Fuzzy Hash: 8af1543621e2225bbe5bffd5a6056578706e604aa2a65e437b117fd27dbfded5
Instruction Fuzzy Hash: E821652161CA42C1E768AB19E860266F365FBAA344FC40139E74D876AEFF3CD545CB20

Function 00007FF7BD3BAA3C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7BD3BAA58
RtlCaptureContext.KERNEL32 ref: 00007FF7BD3BAA85
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7BD3BAA9F
RtlVirtualUnwind.KERNEL32 ref: 00007FF7BD3BAAE0
IsDebuggerPresent.KERNEL32 ref: 00007FF7BD3BAB34
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7BD3BAB55
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7BD3BAB60

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1bf0d945bdc6b6fdad2122b0a21604f4ba0b1612e3b53cdd76e1331efcd592fd
Instruction ID: 0eac65721541c133260d158ed231f03ab8d088e641c7aa6c542a2b639c9bb498
Opcode Fuzzy Hash: 1bf0d945bdc6b6fdad2122b0a21604f4ba0b1612e3b53cdd76e1331efcd592fd
Instruction Fuzzy Hash: CA318F72608A81CAEB649F64E8503E9B360FB65704F84403DDB4D43B99EF7CC208CB24

Function 00007FF7BD3C9C54 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7BD3C9CCD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7BD3C9CE5
RtlVirtualUnwind.KERNEL32 ref: 00007FF7BD3C9D20
IsDebuggerPresent.KERNEL32 ref: 00007FF7BD3C9D59
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7BD3C9D63
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7BD3C9D6E

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 397cea56bba315d20c834348c2ab8ed400ffbe874e1da4898cc87947d67c4ad4
Instruction ID: 23d136b3c591e737ceb4b0867e5d7f745a7fc403f2b42e10ec33473c45527440
Opcode Fuzzy Hash: 397cea56bba315d20c834348c2ab8ed400ffbe874e1da4898cc87947d67c4ad4
Instruction Fuzzy Hash: DC316232608F81C6DB64DB29E8502ADB3A4FB95754F940139EB9D43B5AEF3CC545CB10

Function 00007FF7BD3D0A44 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D0A90
FindFirstFileExW.KERNEL32 ref: 00007FF7BD3D0B9A

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 539584bc973764fdeb57c39dee6d85e67abf5b785ab6bac293b25a2b00955d70
Instruction ID: f0b33024d9b522623ecdda39b7fb5b1315b2b0e6bb01df6fdcaf477485176253
Opcode Fuzzy Hash: 539584bc973764fdeb57c39dee6d85e67abf5b785ab6bac293b25a2b00955d70
Instruction Fuzzy Hash: 66B1CC22B1D64AC1EA68AB29D4201B9E350EB66FD4F845139EF5D077CEEE7CE441C720

Function 00007FF7BD3BA920 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7BD3BA94C
GetCurrentThreadId.KERNEL32 ref: 00007FF7BD3BA95A
GetCurrentProcessId.KERNEL32 ref: 00007FF7BD3BA966
QueryPerformanceCounter.KERNEL32 ref: 00007FF7BD3BA976

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: be9da76585353bf4ff120931e3f5bbaf95a19439f17c7ee9af2afa7da57e9186
Instruction ID: 6288fe12811421a8e06ab3f27ac4ff6fb891c1ad4a21f938270666553730db28
Opcode Fuzzy Hash: be9da76585353bf4ff120931e3f5bbaf95a19439f17c7ee9af2afa7da57e9186
Instruction Fuzzy Hash: D7114F22B18F01CAEB00DF64E8542A8B3A4F729758F840D35DB6D477A9EF78D1548350

Function 00007FF7BD3D2DC0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF7BD3D2E26
memcpy_s.LIBCPMT ref: 00007FF7BD3D2E51

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 8d297a2892ae913b98ace0637c64ca9cb311d578915f69ce8ba4b20aed441ee6
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 56C1E472B1C686C7D7289F59E05466AF791F7A6B84F848139DB4A43749EB3DEC01CB00

Function 00007FF7BD3D8BF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7BD3D8E47
RaiseException.KERNEL32 ref: 00007FF7BD3D8E58

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 7f7800ade579f0d6f16bfab74bfde48d1f128962063d5dbe27371a705b590b7f
Instruction ID: 0da6d51849ade0f428b60b05bd3f8af5adc125425cdc7a30f25e0ba31a51e391
Opcode Fuzzy Hash: 7f7800ade579f0d6f16bfab74bfde48d1f128962063d5dbe27371a705b590b7f
Instruction Fuzzy Hash: C3B18C73605B84CAEB1DCF2DC842368B7A0F791B48F188926DB5D837A9DB39E451CB10

Function 00007FF7BD3B69F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF7BD3B6A21
FindClose.KERNEL32 ref: 00007FF7BD3B6A30

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: dc40c5d753e30fe3fc1e8c3801fb870584b7f8e0a0b7135dd7118dd934c1c4bb
Instruction ID: d4c0adaf30842c49700e56e335259c1252e9ba6e1c02832710d0ff711ad68e6b
Opcode Fuzzy Hash: dc40c5d753e30fe3fc1e8c3801fb870584b7f8e0a0b7135dd7118dd934c1c4bb
Instruction Fuzzy Hash: 13F02162A1C281C7EBA49F28E458366F350AB94324F844239E76C076DAEF3CD0488B10

Function 00007FF7BD3C2A28 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7BD3C2DD8
, xrefs: 00007FF7BD3C2B96

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 7bbf33436acad36ae8a1b43dc77540a41ad4992d9fd982d144688fd018ad6b29
Instruction ID: 7e43e7da7cfa5a9c8e6ca151cb7c33d9373c7175fce60c8cadffe97801fb2676
Opcode Fuzzy Hash: 7bbf33436acad36ae8a1b43dc77540a41ad4992d9fd982d144688fd018ad6b29
Instruction Fuzzy Hash: 17E1843AA0D746C5DB6CAE2D8090139F360FB66B44F985139DB5E0769AEE39D841C720

Function 00007FF7BD3CD208 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF7BD3CD392
e+000, xrefs: 00007FF7BD3CD315

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 533175c5a31c969ed4ab8aeb227c1284adb18f6ecb4834c3077741e0ab5839c5
Instruction ID: a08a5fd2cd10662c97f2a2db113c7e9de8fe662b5419317aa5a7e4b53c1ab532
Opcode Fuzzy Hash: 533175c5a31c969ed4ab8aeb227c1284adb18f6ecb4834c3077741e0ab5839c5
Instruction Fuzzy Hash: BD517E22B1C7C5C5E7289A39A800769F791F755B90F8C8235DB9C47ACAEF3DD4048710

Function 00007FF7BD3CCD74 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF7BD3CD0B6

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 7cb6c3f32e91a926ccbf64ab8ba01f2a38c928c6639247976dccb01524fe6e1b
Instruction ID: 020476d81f2a205077e9bcccddd96f7da4a64846debd77759f1cb5c3bc44950f
Opcode Fuzzy Hash: 7cb6c3f32e91a926ccbf64ab8ba01f2a38c928c6639247976dccb01524fe6e1b
Instruction Fuzzy Hash: A1A14773B0C78586EB29DB2DA4007A9F790EB62B84F488035DB8D4778AEE3DD402C311

Function 00007FF7BD3C710C Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF7BD3C712B

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 985e0a801e29725e04b4583fc225105d37087a949469f4e17e32398978b5ab39
Instruction ID: 0b8fd62a6c1400980e60226103029e2b28e3ffeaf5c3ff218773574059ada6e6
Opcode Fuzzy Hash: 985e0a801e29725e04b4583fc225105d37087a949469f4e17e32398978b5ab39
Instruction Fuzzy Hash: 00515F51B0C70681EA6CBA2A59116BAD291AF66BC4BDC4438DF0D4769BFE3CE4428360

Function 00007FF7BD3D2630 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7BD3D2634

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: fe4f89a29164ef60706ac008de4aa1412735d6976d80202131d31ba446223f83
Instruction ID: 72bac9d1a2ad8b420dfdd77f6325d7dc945e72f7f715062e4d46918a8a443a50
Opcode Fuzzy Hash: fe4f89a29164ef60706ac008de4aa1412735d6976d80202131d31ba446223f83
Instruction Fuzzy Hash: DEB09B10E0B745C2DF0C37156D4551492757F69710FC4003CC10C41325EF2C11A55710

Function 00007FF7BD3C21EC Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6bd4aeaf1a32ba0a400cf215f270628cf800823f5191017f2ae2dcea54fc97
Instruction ID: d4c2b6ea1a12ce3feeb5e94b4254b3bf53c2da891f999c993a9341d6ed4c4150
Opcode Fuzzy Hash: be6bd4aeaf1a32ba0a400cf215f270628cf800823f5191017f2ae2dcea54fc97
Instruction Fuzzy Hash: FBE1863AA0C742C6E76CAA2D8594379F791AB67754F9C4139CB0D072DEEF29E841C720

Function 00007FF7BD3C2624 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7030e3183cde293472bd1af0c19cf6b5d71ff879be136be2a1b5beee93e2b61
Instruction ID: e7f5067a4e4effa0b226f774730934a2ab7ef2052cfd3b4c7c2d4bb5392475db
Opcode Fuzzy Hash: c7030e3183cde293472bd1af0c19cf6b5d71ff879be136be2a1b5beee93e2b61
Instruction Fuzzy Hash: 5ED1C72AA0C742C5E76CAA2D85D023DF790EB26B48F984139CF0D0769BEF39D855D760

Function 00007FF7BD3B7430 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87de8634ded3f4e8458923233739ad96d21dd7a231352b5b7c5ed9b2526c006a
Instruction ID: c38c5bf9d16c4f01a737080db349a33a018d15ae6e85baec8fa5d360e87e829e
Opcode Fuzzy Hash: 87de8634ded3f4e8458923233739ad96d21dd7a231352b5b7c5ed9b2526c006a
Instruction Fuzzy Hash: 65C1F9722241E08BE688EB29F45987A73D2F799309FC9403AEB8747786CA3DE414D750

Function 00007FF7BD3C133C Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbdd63b75b42ad7439867ca4b24ab3856e6f83d1386856208b462784abde87f
Instruction ID: 2071c7069f8ba5988a9f3cb6da4d10578e01f24417ba01d252d47edf088267e9
Opcode Fuzzy Hash: afbdd63b75b42ad7439867ca4b24ab3856e6f83d1386856208b462784abde87f
Instruction Fuzzy Hash: 0AB15B72A0C741C5E768AF2DC050269FBA0EB66B48F9C4139CB4E4739EEE29D450E764

Function 00007FF7BD3C16D4 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc8fd975d7067d56c776f48e591c75802337bcef6e3071df9449d276b1abfcc
Instruction ID: 9358ff68b995d28f2ef2f93300411dc8ec28164a8a4b8f0715ceacab07357b93
Opcode Fuzzy Hash: 9fc8fd975d7067d56c776f48e591c75802337bcef6e3071df9449d276b1abfcc
Instruction Fuzzy Hash: A7B17D76A0C745C5E769AF2D805022CFBA0E766B48FA80139CB4E4739AEF39D441E761

Function 00007FF7BD3CD888 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd5d989e7635e1d0b21fa60e30f3936793c7b8db49fcf77cee77a31b8038a54
Instruction ID: c80bd46e5ecef0d0f68b25871fbaad3100b4a8d3acb19a6bb57984e443371876
Opcode Fuzzy Hash: fcd5d989e7635e1d0b21fa60e30f3936793c7b8db49fcf77cee77a31b8038a54
Instruction Fuzzy Hash: CA81A572A0C781C5D778EB1DA440369E690FB97794F984239EB9D43B9EEE3DD4008B10

Function 00007FF7BD3D58B0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d003bb86ff7f146e11c69d63177ddcecb431cf0828b5e126d5f920f3d1e621d2
Instruction ID: ae30881d322bf09bc1342ccc16839c6c7a0c3093e67655d36dfb04ee18871caa
Opcode Fuzzy Hash: d003bb86ff7f146e11c69d63177ddcecb431cf0828b5e126d5f920f3d1e621d2
Instruction Fuzzy Hash: 9961A822E1C252C5F76DA92C8460279E991AF63370FD8023DD75D476DAFE7DE8408B20

Function 00007FF7BD3C0774 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e009b45869f76b4bc0fd62373217406c0429eee7efa8b33e1f678da67ddd1256
Instruction ID: eaa5f44d648d3b43d724cfd33a24a73681028a5c4690de351c2256cbd3cb4fd1
Opcode Fuzzy Hash: e009b45869f76b4bc0fd62373217406c0429eee7efa8b33e1f678da67ddd1256
Instruction Fuzzy Hash: 4C517976A1C791C5E7289B2DC444228F3A0EB66F58F688135CB4D1779AEB3AE843C750

Function 00007FF7BD3BFF54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7d583fdacf7a8c68166448a21aae8e03012e85621840fd7aae1b2904462282
Instruction ID: 2ea7bfb2dfbdb296b06fd4e9806e2138803d9284964c1f3e0e9127ab0da3b77f
Opcode Fuzzy Hash: 9a7d583fdacf7a8c68166448a21aae8e03012e85621840fd7aae1b2904462282
Instruction Fuzzy Hash: 3051A637A1D751C1E7289B2DC040228F7A0EB66B58F685139DF4C1779AEB3BE852C750

Function 00007FF7BD3C0364 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0632a4a7e014686f42235b66fbebb9a54d6c0d44d943c89546efb0de6bc1d6
Instruction ID: 0bfd30adec5dfad85760df82d06f7640ae6fa830ff825fa46a30688baedf6eba
Opcode Fuzzy Hash: 4e0632a4a7e014686f42235b66fbebb9a54d6c0d44d943c89546efb0de6bc1d6
Instruction Fuzzy Hash: 9B519836A1C791C6E7289B2DC04023DF360EB66B58F685135CB4D5779AEB3AE843C750

Function 00007FF7BD3C0570 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc3e59ea296ef31dc5cb467e3ef236485a99d13d7a42ba6bd49c72ea64a61b5
Instruction ID: ee8744a2e84c79c424fd36b7d3369b740fccabb71da378120a7d7f3c7ccfd187
Opcode Fuzzy Hash: bbc3e59ea296ef31dc5cb467e3ef236485a99d13d7a42ba6bd49c72ea64a61b5
Instruction Fuzzy Hash: F5519436A1C791C6E7289B2CC04023CE7A0EB66B58F684135CF4D5779AEF3AE852C750

Function 00007FF7BD3BFD50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1122cbedd3da6cae4974dcedcaf2c480ad91f4dcca857e3bd784bf5366bd6c74
Instruction ID: f8cd8cdee2a003b6f6f7052b0b1a46aff2bf962efbfe0dbdc3f9124b314699e1
Opcode Fuzzy Hash: 1122cbedd3da6cae4974dcedcaf2c480ad91f4dcca857e3bd784bf5366bd6c74
Instruction Fuzzy Hash: 5E51967261E651C5E7289B2CC040338F7A0EB56B58F686139EB4C1779EDB3BE852C750

Function 00007FF7BD3C0160 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fed526c0ef6e22bd960d06d2221fad266d41c34a47db8c9ca14c01ed2528e2
Instruction ID: c16394ace70151c6c3e325e37ec6e2fc55417670e58757f49fbde312ed1f92f9
Opcode Fuzzy Hash: e8fed526c0ef6e22bd960d06d2221fad266d41c34a47db8c9ca14c01ed2528e2
Instruction Fuzzy Hash: 53517236A1C791C6E7689B2DC040328F7A1EB66B58F684135CF4D1779EEB3AE842C750

Function 00007FF7BD3C4FD0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e13b74b0b529d91a8ac9ee6727b9f2d590474870fceb05c3e17ea5803dfc50d
Instruction ID: fd61a4680d9d1ef544828ac64ac077dc07f244ba0f34d4bf86a04ff803390e09
Opcode Fuzzy Hash: 7e13b74b0b529d91a8ac9ee6727b9f2d590474870fceb05c3e17ea5803dfc50d
Instruction Fuzzy Hash: FA41A35290E75AC5ED99AA1C05087B5EE80DF33BA0EDC52B8DE99533CFED0C2586C320

Function 00007FF7BD3C8D10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4e626db8f672c8f9a68360c7389e8f7894e58d94442387c78e1b4a483649a916
Instruction ID: 5986fa41fef58bb13735e750cf9afd95540bf0f8b9a317951fb95923096a9009
Opcode Fuzzy Hash: 4e626db8f672c8f9a68360c7389e8f7894e58d94442387c78e1b4a483649a916
Instruction Fuzzy Hash: C8411562718A55D2EF0CDF2ED9241A9E391AB59FD0B8D903ADF0D87B59EE3CC5428310

Function 00007FF7BD3C66D4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff02aa40d47e1f81f312e06ee07fce20c9eb6e0e746124aa9fd8eb4087d69ca8
Instruction ID: 8293bfd92b633d7ca7ed72462472649338384c5c6995c711c8e9d978e328980b
Opcode Fuzzy Hash: ff02aa40d47e1f81f312e06ee07fce20c9eb6e0e746124aa9fd8eb4087d69ca8
Instruction Fuzzy Hash: 9E31C63270DB42C1E728AF29A94012DEAD5ABD6B90F48463CEB5D53BEAEF3CD0414714

Function 00007FF7BD3D8A40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f11e33a503e903f6fd17a98672f77b01e7338ee743f4d3b2c43cccbf09155b6
Instruction ID: 3d37c756fbd1c584e7965c9e5f67b8cdf315f42defee9bdc9ba9f42590ef8033
Opcode Fuzzy Hash: 1f11e33a503e903f6fd17a98672f77b01e7338ee743f4d3b2c43cccbf09155b6
Instruction Fuzzy Hash: D2F044717182958ADB9C9F6DB8026A9B7D0F758380F80803ED78D83A08D63C90508F14

Function 00007FF7BD3BABE4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da48dd3124fb9caf3cd120bb8db444467ff7ae744a775920e6920fcf6cc11ced
Instruction ID: 00bd5f14988096925501048dea470c65ff2519679ab04701af439d11488dde5d
Opcode Fuzzy Hash: da48dd3124fb9caf3cd120bb8db444467ff7ae744a775920e6920fcf6cc11ced
Instruction Fuzzy Hash: E7A0012190CC02E1E698AB08E961130E220BB76300B810139E24D830AAAE6CA940D728

Function 00007FF7BD3B2F20 Relevance: 291.0, APIs: 55, Strings: 111, Instructions: 457libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B2F36
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B2F75
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B2F9A
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B2FBF
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B2FE7
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B300F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B3037
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B305F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B3087

Strings

Failed to get address for PyErr_Fetch, xrefs: 00007FF7BD3B32F9
Py_SetPythonHome, xrefs: 00007FF7BD3B3215
Failed to get address for PyList_Append, xrefs: 00007FF7BD3B33E9
PyMarshal_ReadObjectFromString, xrefs: 00007FF7BD3B364D
Py_VerboseFlag, xrefs: 00007FF7BD3B3055
PyDict_GetItemString, xrefs: 00007FF7BD3B323D
Failed to get address for Py_SetPythonHome, xrefs: 00007FF7BD3B3231
Failed to get address for PyObject_Str, xrefs: 00007FF7BD3B3529
PyObject_SetAttrString, xrefs: 00007FF7BD3B34BD
PyImport_AddModule, xrefs: 00007FF7BD3B3355
PyObject_CallFunctionObjArgs, xrefs: 00007FF7BD3B3495
Failed to get address for PyErr_Occurred, xrefs: 00007FF7BD3B32A9
PyImport_ExecCodeModule, xrefs: 00007FF7BD3B337D
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF7BD3B3759
PyErr_Restore, xrefs: 00007FF7BD3B3305
Failed to get address for Py_IncRef, xrefs: 00007FF7BD3B3169
Failed to get address for PyUnicode_Decode, xrefs: 00007FF7BD3B3731
Failed to get address for Py_UTF8Mode, xrefs: 00007FF7BD3B30C9
Py_DecRef, xrefs: 00007FF7BD3B30FD
Failed to get address for PyDict_GetItemString, xrefs: 00007FF7BD3B3259
PyErr_NormalizeException, xrefs: 00007FF7BD3B332D
Failed to get address for PyUnicode_FromString, xrefs: 00007FF7BD3B3691
PySys_AddWarnOption, xrefs: 00007FF7BD3B355D
Py_NoUserSiteDirectory, xrefs: 00007FF7BD3B3005
Py_UnbufferedStdioFlag, xrefs: 00007FF7BD3B307D
Failed to get address for Py_FrozenFlag, xrefs: 00007FF7BD3B2FAC
Failed to get address for PySys_GetObject, xrefs: 00007FF7BD3B35C9
Failed to get address for PyErr_Print, xrefs: 00007FF7BD3B32D1
Failed to get address for PyUnicode_Join, xrefs: 00007FF7BD3B37A9
PySys_SetPath, xrefs: 00007FF7BD3B35FD
Failed to get address for PyImport_AddModule, xrefs: 00007FF7BD3B3371
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF7BD3B3501
PyObject_Str, xrefs: 00007FF7BD3B350D
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF7BD3B3579
PyUnicode_AsUTF8, xrefs: 00007FF7BD3B3765
PyObject_CallFunction, xrefs: 00007FF7BD3B346D
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF7BD3B3049
Py_UTF8Mode, xrefs: 00007FF7BD3B30AD
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF7BD3B3349
Failed to get address for Py_Finalize, xrefs: 00007FF7BD3B3141
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF7BD3B3781
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF7BD3B3399
PySys_SetArgvEx, xrefs: 00007FF7BD3B3585
Failed to get address for Py_BuildValue, xrefs: 00007FF7BD3B30F1
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF7BD3B35A1
Py_FrozenFlag, xrefs: 00007FF7BD3B2F90
Py_NoSiteFlag, xrefs: 00007FF7BD3B2FDD
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF7BD3B3099
PyUnicode_Join, xrefs: 00007FF7BD3B378D
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF7BD3B34B1
PyMem_RawFree, xrefs: 00007FF7BD3B36C5
PyModule_GetDict, xrefs: 00007FF7BD3B3445
Failed to get address for PyEval_EvalCode, xrefs: 00007FF7BD3B3641
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF7BD3B3709
PySys_GetObject, xrefs: 00007FF7BD3B35AD
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF7BD3B2FD1
Py_SetPath, xrefs: 00007FF7BD3B319D
Failed to get address for Py_Initialize, xrefs: 00007FF7BD3B3191
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF7BD3B34D9
Py_SetProgramName, xrefs: 00007FF7BD3B31ED
Failed to get address for PyMem_RawFree, xrefs: 00007FF7BD3B36E1
PyObject_GetAttrString, xrefs: 00007FF7BD3B34E5
PyList_Append, xrefs: 00007FF7BD3B33CD
PyUnicode_Decode, xrefs: 00007FF7BD3B3715
GetProcAddress, xrefs: 00007FF7BD3B2F4F
PyErr_Print, xrefs: 00007FF7BD3B32B5
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF7BD3B2F48
PyErr_Occurred, xrefs: 00007FF7BD3B328D
PyUnicode_FromFormat, xrefs: 00007FF7BD3B36ED
PyLong_AsLong, xrefs: 00007FF7BD3B341D
Py_Finalize, xrefs: 00007FF7BD3B3125
Failed to get address for PySys_SetObject, xrefs: 00007FF7BD3B35F1
Failed to get address for PyImport_ImportModule, xrefs: 00007FF7BD3B33C1
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF7BD3B3669
PySys_SetObject, xrefs: 00007FF7BD3B35D5
Py_DecodeLocale, xrefs: 00007FF7BD3B369D
Failed to get address for PyLong_AsLong, xrefs: 00007FF7BD3B3439
Py_Initialize, xrefs: 00007FF7BD3B3175
Failed to get address for PyUnicode_Replace, xrefs: 00007FF7BD3B37D1
Failed to get address for PyModule_GetDict, xrefs: 00007FF7BD3B3461
Failed to get address for PyErr_Restore, xrefs: 00007FF7BD3B3321
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF7BD3B2F87
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF7BD3B3551
PyList_New, xrefs: 00007FF7BD3B33F5
Py_FileSystemDefaultEncoding, xrefs: 00007FF7BD3B2F6B
Failed to get address for PySys_SetPath, xrefs: 00007FF7BD3B3619
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF7BD3B3021
Py_BuildValue, xrefs: 00007FF7BD3B30D5
PyUnicode_Replace, xrefs: 00007FF7BD3B37B5
PyUnicode_FromString, xrefs: 00007FF7BD3B3675
Failed to get address for Py_GetPath, xrefs: 00007FF7BD3B31E1
Failed to get address for PyObject_CallFunction, xrefs: 00007FF7BD3B3489
Failed to get address for PyList_New, xrefs: 00007FF7BD3B3411
Py_OptimizeFlag, xrefs: 00007FF7BD3B302D
PyRun_SimpleStringFlags, xrefs: 00007FF7BD3B3535
PyEval_EvalCode, xrefs: 00007FF7BD3B3625
Py_IncRef, xrefs: 00007FF7BD3B314D
Py_GetPath, xrefs: 00007FF7BD3B31C5
Failed to get address for Py_DecRef, xrefs: 00007FF7BD3B3119
Py_IgnoreEnvironmentFlag, xrefs: 00007FF7BD3B2FB5
Failed to get address for Py_SetPath, xrefs: 00007FF7BD3B31B9
PyErr_Fetch, xrefs: 00007FF7BD3B32DD
PyErr_Clear, xrefs: 00007FF7BD3B3265
PyImport_ImportModule, xrefs: 00007FF7BD3B33A5
Failed to get address for Py_VerboseFlag, xrefs: 00007FF7BD3B3071
Failed to get address for Py_DecodeLocale, xrefs: 00007FF7BD3B36B9
Failed to get address for PyErr_Clear, xrefs: 00007FF7BD3B3281
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF7BD3B2FF9
Failed to get address for Py_SetProgramName, xrefs: 00007FF7BD3B3209
Py_DontWriteBytecodeFlag, xrefs: 00007FF7BD3B2F2F
PyUnicode_DecodeFSDefault, xrefs: 00007FF7BD3B373D

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 3bea514fa4f08e80501ab3dc7f797134890914dfa2bea7b2bd18d9992429628c
Instruction ID: 701580494b77783a8a6760936e13967aa9aa2bdad5c922e1fa9ccedb97e52912
Opcode Fuzzy Hash: 3bea514fa4f08e80501ab3dc7f797134890914dfa2bea7b2bd18d9992429628c
Instruction Fuzzy Hash: E942A665A0DB03D1EA5DBB0CF960174E2A1AF7A780BC4513DDA1E0726EFF7CA5489720

Function 00007FF7BD3B6C00 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 113COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7BD3B6C3C

Part of subcall function 00007FF7BD3B1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF7BD3B6914,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B1CD7

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF7BD3B6CB6
win32_wcs_to_mbs, xrefs: 00007FF7BD3B6D1B
win32_utils_from_utf8, xrefs: 00007FF7BD3B6C79
WideCharToMultiByte, xrefs: 00007FF7BD3B6D5C
MultiByteToWideChar, xrefs: 00007FF7BD3B6C50, 00007FF7BD3B6CBD
Out of memory., xrefs: 00007FF7BD3B6C80, 00007FF7BD3B6D22
Failed to encode filename as ANSI., xrefs: 00007FF7BD3B6D55
Failed to get wchar_t buffer size., xrefs: 00007FF7BD3B6C49
Failed to get ANSI buffer size., xrefs: 00007FF7BD3B6CFD

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$WideCharToMultiByte$win32_utils_from_utf8$win32_wcs_to_mbs
API String ID: 203985260-1562484376
Opcode ID: dfd2e6ae5ae4f06e2dcec91347fe620f2b8f19115178a136d0a7e781d69e4ee9
Instruction ID: a680af05ea21ee1ed3b8fa1f65f83a728125c3a93026b5def0747f8563ad7766
Opcode Fuzzy Hash: dfd2e6ae5ae4f06e2dcec91347fe620f2b8f19115178a136d0a7e781d69e4ee9
Instruction Fuzzy Hash: 5E419461A0DA02C1E618BB19AC5017AF6A1AF667C0FC8453CEB4D4769FFF3CE1418720

Function 00007FF7BD3BF5D8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BF618
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BF9E0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BFC7F

Strings

p, xrefs: 00007FF7BD3BF6BD
f, xrefs: 00007FF7BD3BF71A
f, xrefs: 00007FF7BD3BF6B0
f, xrefs: 00007FF7BD3BF865
p, xrefs: 00007FF7BD3BF722

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction ID: 269c89211061b848dca959544a91fdc492e0bd3d647a81a66cab1e842b20abf4
Opcode Fuzzy Hash: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction Fuzzy Hash: D1128222A0E143C6FB68BA18D054679F351EBA2754FC45139F789476CEEB7FE4808B21

Function 00007FF7BD3B12B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7BD3B134C
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7BD3B13E2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7BD3B1312
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7BD3B12E2
malloc, xrefs: 00007FF7BD3B1353
fseek, xrefs: 00007FF7BD3B1319
fread, xrefs: 00007FF7BD3B13E9

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: 9db823990f91315a927dbcfa8556ce36822af028d0ca0bd1d3b1f37ffff75a1d
Instruction ID: f6986a33921d4d6c5305046179258a84407e4a2b6a45a00daea2516e2868f86b
Opcode Fuzzy Hash: 9db823990f91315a927dbcfa8556ce36822af028d0ca0bd1d3b1f37ffff75a1d
Instruction Fuzzy Hash: 59415F21A0C642C1EA58FB19A4513B9F3A0EB667D4FD4443AEB4D07A5EFE3CE541C710

Function 00007FF7BD3BCFA0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7BD3BCFFD

Part of subcall function 00007FF7BD3BDF10: __GetUnwindTryBlock.LIBCMT ref: 00007FF7BD3BDF53
Part of subcall function 00007FF7BD3BDF10: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7BD3BDF78

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7BD3BD0D5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7BD3BD32A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7BD3BD436

Strings

csm, xrefs: 00007FF7BD3BD07E
csm, xrefs: 00007FF7BD3BD0F8
csm, xrefs: 00007FF7BD3BD017

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: f65cca0dd748533ec0e0c8100e92ec79f40903f330e835159906267943919e52
Instruction ID: 468d5dd6d38b11ca986ba912bd2d922aa65ad38380a56717e026a5e73c6b1c46
Opcode Fuzzy Hash: f65cca0dd748533ec0e0c8100e92ec79f40903f330e835159906267943919e52
Instruction Fuzzy Hash: FDE1753690C745C6EB68AB69A4403ADF7A0FB56798F440139EF8E5775AEF38E041C710

Function 00007FF7BD3B67D0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B686F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B68BF

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF7BD3B6901
WideCharToMultiByte, xrefs: 00007FF7BD3B6908
win32_utils_to_utf8, xrefs: 00007FF7BD3B68F8
Out of memory., xrefs: 00007FF7BD3B68F1
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7BD3B68E8

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 3a9eaa4d48dfa929a96e8abe244da43a5b844615b7a4874281830bf30dfaf9a2
Instruction ID: 92af4557c0dff79542e140b82ab8862b59e1798be57e24192fb7cf8b642f02dc
Opcode Fuzzy Hash: 3a9eaa4d48dfa929a96e8abe244da43a5b844615b7a4874281830bf30dfaf9a2
Instruction Fuzzy Hash: 47419532A0DB82C1D624EF19B85016AF764FBA5790F984139EB8D47B9AEF3CD055C710

Function 00007FF7BD3B6ED0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00007FF7BD3B2D35,?,?,?,?,?,?), ref: 00007FF7BD3B6F11

Part of subcall function 00007FF7BD3B1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF7BD3B6914,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B1CD7

WideCharToMultiByte.KERNEL32(00000000,00007FF7BD3B2D35,?,?,?,?,?,?), ref: 00007FF7BD3B6F85

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF7BD3B6F1E
WideCharToMultiByte, xrefs: 00007FF7BD3B6F25, 00007FF7BD3B6F96
win32_utils_to_utf8, xrefs: 00007FF7BD3B6F52
Out of memory., xrefs: 00007FF7BD3B6F4B
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7BD3B6F8F

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-27947307
Opcode ID: 5afdcdb59fb222a27107398a8b6c2bf27ae6caccf3d44a434106b937189859e6
Instruction ID: 33583444744e37d7b763640a9d7c862e1353f99fd043b47e74ca177c4c561d71
Opcode Fuzzy Hash: 5afdcdb59fb222a27107398a8b6c2bf27ae6caccf3d44a434106b937189859e6
Instruction Fuzzy Hash: 9E21932161DB42C5EB18AB1AAC50079FB61ABA5B80B984139E74D4776BFF3CE544C710

Function 00007FF7BD3C93D4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C9417
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C9804
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C9AA0

Strings

p, xrefs: 00007FF7BD3C94C9
f, xrefs: 00007FF7BD3C9539
p, xrefs: 00007FF7BD3C9541

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction ID: 4cc6ef968586023c12b3e987560ed59142393eb3db0a1b3862314240e5cf4513
Opcode Fuzzy Hash: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction Fuzzy Hash: 2D12A122A0C343C6FB28BE19D464279E251EB62752FDE4139D789476CEEE3DE5908730

Function 00007FF7BD3B6FC0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7BD3B7055
MultiByteToWideChar.KERNEL32 ref: 00007FF7BD3B7097

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF7BD3B70BD
win32_utils_from_utf8, xrefs: 00007FF7BD3B70CD
MultiByteToWideChar, xrefs: 00007FF7BD3B70DD
Out of memory., xrefs: 00007FF7BD3B70C6
Failed to get wchar_t buffer size., xrefs: 00007FF7BD3B70D6

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-876015163
Opcode ID: c587d9df721d6d5f2ea3110ac275589e54037fbf0ff6ea62f868986421b6576b
Instruction ID: d2f47c1a21062996c9d1d6f679df1a63038ff6c4db0f2bbd3238e7bc3481b3cc
Opcode Fuzzy Hash: c587d9df721d6d5f2ea3110ac275589e54037fbf0ff6ea62f868986421b6576b
Instruction Fuzzy Hash: 7541C372A0CB42C5E614EF19A840265F6A5FB65780F984139EB8D47BAAEF3CD051C710

Function 00007FF7BD3B55E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BD3B6DC0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B6DFA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF7BD3B5931,?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B563F

Strings

LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7BD3B5653
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7BD3B569A
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7BD3B5616

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: b373b57cbe41deb0754166daaf063714267b67395664b0f7720f06d5c9520c04
Instruction ID: 43494b8ce88491b37edf37ec4e7fb5141a3698f6d491cecec88d530dcd0ac7d8
Opcode Fuzzy Hash: b373b57cbe41deb0754166daaf063714267b67395664b0f7720f06d5c9520c04
Instruction Fuzzy Hash: 6E316851B1D742C0FA69B72999153B9F251AFBA780FC44439EB4E4369FFE2CE1048720

Function 00007FF7BD3BC258 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7BD3BC50A,?,?,?,00007FF7BD3BC1FC,?,?,00000001,00007FF7BD3BBE19), ref: 00007FF7BD3BC2DD
GetLastError.KERNEL32(?,?,?,00007FF7BD3BC50A,?,?,?,00007FF7BD3BC1FC,?,?,00000001,00007FF7BD3BBE19), ref: 00007FF7BD3BC2EB
LoadLibraryExW.KERNEL32(?,?,?,00007FF7BD3BC50A,?,?,?,00007FF7BD3BC1FC,?,?,00000001,00007FF7BD3BBE19), ref: 00007FF7BD3BC315
FreeLibrary.KERNEL32(?,?,?,00007FF7BD3BC50A,?,?,?,00007FF7BD3BC1FC,?,?,00000001,00007FF7BD3BBE19), ref: 00007FF7BD3BC35B
GetProcAddress.KERNEL32(?,?,?,00007FF7BD3BC50A,?,?,?,00007FF7BD3BC1FC,?,?,00000001,00007FF7BD3BBE19), ref: 00007FF7BD3BC367

Strings

api-ms-, xrefs: 00007FF7BD3BC2FD

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9fa3fe7d6df773d1c5bf24e67e430f6ff715784c160aee4fa5e303400e9c878a
Instruction ID: 3e159bd9ae40d57ab114fb486dd6fbf3d946eac754b7529e0357083ffdcbeebc
Opcode Fuzzy Hash: 9fa3fe7d6df773d1c5bf24e67e430f6ff715784c160aee4fa5e303400e9c878a
Instruction Fuzzy Hash: D531E725A0E602C1EE69BB2A9410575F294BF6AB90FCD0538EF1D4735AFF3CE0448724

Function 00007FF7BD3B6DC0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B6DFA

Part of subcall function 00007FF7BD3B1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF7BD3B6914,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B1CD7

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B6E80

Strings

Failed to decode wchar_t from UTF-8, xrefs: 00007FF7BD3B6E8A
win32_utils_from_utf8, xrefs: 00007FF7BD3B6E49
MultiByteToWideChar, xrefs: 00007FF7BD3B6E0E, 00007FF7BD3B6E91
Out of memory., xrefs: 00007FF7BD3B6E42
Failed to get wchar_t buffer size., xrefs: 00007FF7BD3B6E07

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-876015163
Opcode ID: 705d5e7388990673e4057f708bdfa41fc1795a7d6f27c416964fabcc6ec96bd2
Instruction ID: 43019b4954d51c81cb7c509cd164a11531004945b6041284c7f790dd7be236ee
Opcode Fuzzy Hash: 705d5e7388990673e4057f708bdfa41fc1795a7d6f27c416964fabcc6ec96bd2
Instruction Fuzzy Hash: A021D725B1CA42C1EB54EB2DF810166E361EBAA7C4F8C4139EB4C8376EFE2CD5818700

Function 00007FF7BD3CA790 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA79F
FlsGetValue.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA7B4
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA7D5
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA802
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA813
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA824
SetLastError.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA83F

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 2edf535838d47d07e159287e64e919bbb9833f77d9c5416c102145f594fa91aa
Instruction ID: 29f4fc0e4a7f8aee5534c9c7f14c1e7fc5a4232ad2de6063861c5116dfcd1ed4
Opcode Fuzzy Hash: 2edf535838d47d07e159287e64e919bbb9833f77d9c5416c102145f594fa91aa
Instruction Fuzzy Hash: 47215E20F0D302C2F56C73696551239E6525FA77A0F98463CDA3E076CFFE2CA4418324

Function 00007FF7BD3D70FC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7BD3D712D
GetLastError.KERNEL32 ref: 00007FF7BD3D7139
CloseHandle.KERNEL32 ref: 00007FF7BD3D7151
CreateFileW.KERNEL32 ref: 00007FF7BD3D717C
WriteConsoleW.KERNEL32 ref: 00007FF7BD3D719B

Strings

CONOUT$, xrefs: 00007FF7BD3D715D

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 2b1705eb60c5a9ea67d3abf5815f39d96026ea1e9a70ddd12955119ba33cdf2b
Instruction ID: b842a94c9f96ababdf988789b92d1f6feeaba91113d7d4c8505609732cad9c64
Opcode Fuzzy Hash: 2b1705eb60c5a9ea67d3abf5815f39d96026ea1e9a70ddd12955119ba33cdf2b
Instruction Fuzzy Hash: AE11B721A1CA42C6E7549B0AF854325E2A0FB69BE4F444238DB1D437A9EF7CD4048714

Function 00007FF7BD3CA908 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA917
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA94D
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA97A
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA98B
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA99C
SetLastError.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA9B7

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 0908324b7ac9a3d747a6848fb68d48d79e4d89c371889db26e425d0a64325479
Instruction ID: ba54a310d88874236fbdb84d322050d41d40ac447218f561f1c323d22ed5de28
Opcode Fuzzy Hash: 0908324b7ac9a3d747a6848fb68d48d79e4d89c371889db26e425d0a64325479
Instruction Fuzzy Hash: 4D115E21A0C346C2F65C7329A552279E2424FAB7B0F89473CDA3E476DFFD2CA4418724

Function 00007FF7BD3BBC18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7BD3BBC43
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7BD3BBCD8
RtlUnwindEx.KERNEL32 ref: 00007FF7BD3BBD27

Strings

f, xrefs: 00007FF7BD3BBC56
csm, xrefs: 00007FF7BD3BBCBE

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: c81fa8b68ebdc3525af754f24f91b9dd724933d7398a71cb8b59e34543720a2d
Instruction ID: c5102b279eed2fc118f84790d36a2eadaecb3b6f248f11b9dfcba135aaf7349f
Opcode Fuzzy Hash: c81fa8b68ebdc3525af754f24f91b9dd724933d7398a71cb8b59e34543720a2d
Instruction Fuzzy Hash: C4519031A0E602CADB18AF19D504A29F755FB65B88F908538EB4A0774EEE3CE941C720

Function 00007FF7BD3C8A50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7BD3C8A75
GetProcAddress.KERNEL32 ref: 00007FF7BD3C8A8B
FreeLibrary.KERNEL32 ref: 00007FF7BD3C8AB2

Strings

CorExitProcess, xrefs: 00007FF7BD3C8A84
mscoree.dll, xrefs: 00007FF7BD3C8A6C

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7b1d64ab01259317c918a4692f10d75b0eff9ac50a6035860a5edd4d678e03f2
Instruction ID: c647239916c546d9985f5d89d7f9e4c67baf5d8d49787aca7db6d191eab41ae8
Opcode Fuzzy Hash: 7b1d64ab01259317c918a4692f10d75b0eff9ac50a6035860a5edd4d678e03f2
Instruction Fuzzy Hash: 75F0312561D702C1EA186B18E854379D360AFAB7A1F980239C76D465F9EF2CD1498724

Function 00007FF7BD3D8834 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7BD3D885C
_set_statfp.LIBCMT ref: 00007FF7BD3D8877
_set_statfp.LIBCMT ref: 00007FF7BD3D8893
_set_statfp.LIBCMT ref: 00007FF7BD3D88CF

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction ID: e3c27ec6b527f42052d3c2c9959b2106fffc2fe0b8eae23766fc3a14d1e34fa5
Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction Fuzzy Hash: 22114C22E1CA0391F65D312CE466375D0426FB6364EA80A38E77E072DFEE2C7941CB20

Function 00007FF7BD3CA9D0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3CA9EF
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3CAA0E
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3CAA36
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3CAA47
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3CAA58

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 09351de027a9279ca2a4c1b6434e165991dd483229a246c23f0232d6cbc44178
Instruction ID: 59194b0d37bfc73cba979a393629374cb6b84439a0779f473ab1b6d942d507bb
Opcode Fuzzy Hash: 09351de027a9279ca2a4c1b6434e165991dd483229a246c23f0232d6cbc44178
Instruction Fuzzy Hash: 76114D14A0C342C2F99C7329A65127AE2415FA77E0F8C963CEA3E476DFFD2CA4118324

Function 00007FF7BD3CA864 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F), ref: 00007FF7BD3CA875
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F), ref: 00007FF7BD3CA894
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F), ref: 00007FF7BD3CA8BC
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F), ref: 00007FF7BD3CA8CD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F), ref: 00007FF7BD3CA8DE

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3503e44f68c09ab1fcc5f97d2f28d09950786fdc08e97e82da204339743e9a53
Instruction ID: 5c27a8d0a23a98b6fa89a3ff85655f900ec52981e6f314d4c528d8e6b6ca2180
Opcode Fuzzy Hash: 3503e44f68c09ab1fcc5f97d2f28d09950786fdc08e97e82da204339743e9a53
Instruction Fuzzy Hash: C311C810E0D30AC2F9AC72695852279D6424FAB3A0E9C563CDB3D5B2CBFD2CB4519735

Function 00007FF7BD3CF228 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3CF507

Part of subcall function 00007FF7BD3D5504: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D5521

Strings

UTF-8, xrefs: 00007FF7BD3CF486
ccs, xrefs: 00007FF7BD3CF442
UTF-16LEUNICODE, xrefs: 00007FF7BD3CF4A5

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: c382c1c977a669aecc7822defb6d065999e88b5839408fc9f42df24ac2fd9b51
Instruction ID: 9cdd842acd2f923cff1bfc5d4412d29f831739f658cae44d336a9dfc89414a46
Opcode Fuzzy Hash: c382c1c977a669aecc7822defb6d065999e88b5839408fc9f42df24ac2fd9b51
Instruction Fuzzy Hash: 5A819232D0F342D5E76C6E2D8550278E790AB23788FD9407DCB099729FEA2EE5019321

Function 00007FF7BD3BD478 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7BD3BD4C4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7BD3BD513

Strings

RCC, xrefs: 00007FF7BD3BD4E1
MOC, xrefs: 00007FF7BD3BD4D8

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 9b170d5fd3c93297408b7667d730af6b03d447aa0970c9ad65c03f5590751db3
Instruction ID: 2491a4b6078eafa01a2e98c327d1514655d89949ec5a1c1c6e85c6e082fb8b79
Opcode Fuzzy Hash: 9b170d5fd3c93297408b7667d730af6b03d447aa0970c9ad65c03f5590751db3
Instruction Fuzzy Hash: 86618D36A08B45CAE7249F69E4403ADF7A0FB55B8CF44012AEF4E17B9ADB78E151C710

Function 00007FF7BD3BD7D4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7BD3BD7FC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7BD3BD8E4

Strings

csm, xrefs: 00007FF7BD3BD936
csm, xrefs: 00007FF7BD3BD81E

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 637ab8e9c70e0df228760242cb149b7cb456e558a6c876299bf740c7ea814677
Instruction ID: 053b6a667b65d02205ce1cb63a92c8b126f2bd286cac6245723587ee3abe6c53
Opcode Fuzzy Hash: 637ab8e9c70e0df228760242cb149b7cb456e558a6c876299bf740c7ea814677
Instruction Fuzzy Hash: A751A53290C641C6DB78AB19A140368F7A0EB66B84F984139EB9E47B9EDF3CE450C710

Function 00007FF7BD3B2CD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7BD3B27C9,?,?,?,?,?,?), ref: 00007FF7BD3B2D01

Part of subcall function 00007FF7BD3B1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF7BD3B6914,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B1CD7

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF7BD3B2D3A
Failed to get executable path., xrefs: 00007FF7BD3B2D0B
GetModuleFileNameW, xrefs: 00007FF7BD3B2D12

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-1977442011
Opcode ID: f4519b566fb866c0e24e0c0f6095b74e6cdfdbd0a944601a087909324ed073f8
Instruction ID: 27384000befb7e05524c57c3c5200b51ba7d392859e3654e7c3acc8a16e0f3ef
Opcode Fuzzy Hash: f4519b566fb866c0e24e0c0f6095b74e6cdfdbd0a944601a087909324ed073f8
Instruction Fuzzy Hash: 4D017520B1D642D1FA69B728D4553B5E251AF7A380FC0003DEA4D872AFFE1CE145C724

Function 00007FF7BD3CBBE0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7BD3CBC5F
WriteFile.KERNEL32 ref: 00007FF7BD3CBF27
WriteFile.KERNEL32 ref: 00007FF7BD3CBF6D
GetLastError.KERNEL32 ref: 00007FF7BD3CC023

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 89395c3cea06f18251b83f2629999b57cc62c4450565b522e677bf7b2279916c
Instruction ID: a9cb4ea5f669012141e1e3486195a00278acf6da7f37215adf90e947c09d2117
Opcode Fuzzy Hash: 89395c3cea06f18251b83f2629999b57cc62c4450565b522e677bf7b2279916c
Instruction Fuzzy Hash: ECD1F072B08B85C9E714DF69D4401ACB7B1FB25798B884239CF4E57B9AEE38E046C710

Function 00007FF7BD3C484C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF7BD3C487F
GetFileInformationByHandle.KERNEL32 ref: 00007FF7BD3C48E1
GetLastError.KERNEL32 ref: 00007FF7BD3C4972
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7BD3C4784), ref: 00007FF7BD3C49BE

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 1de9790e05870a994c8cd512dc0bf73c5d0095e8d25e0a1662523fa2deb398d1
Instruction ID: e3dfa5a85605567d9155ec7b302fe11245d513346fec6761870e2eb321187fbd
Opcode Fuzzy Hash: 1de9790e05870a994c8cd512dc0bf73c5d0095e8d25e0a1662523fa2deb398d1
Instruction Fuzzy Hash: D8519F22A0C752C5FB58EF68D4503BDA3A1AB66B48F548538DF4D5768EEF38E4808720

Function 00007FF7BD3D4DCC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BD3D0930: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D0963

_get_daylight.LIBCMT ref: 00007FF7BD3D4EE4
_get_daylight.LIBCMT ref: 00007FF7BD3D4EF5

Strings

?, xrefs: 00007FF7BD3D4E75

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: ea61919ac6f8524f279918af95d4a367ebe415bf813acb2bc51f70dff045491e
Instruction ID: d17d9ba8bb0e8347fdc6c9ddac3e3dc2d5c432fb368b4154733dda25059e991a
Opcode Fuzzy Hash: ea61919ac6f8524f279918af95d4a367ebe415bf813acb2bc51f70dff045491e
Instruction Fuzzy Hash: 3341D812A1C38395FB686729A451379D650EBA2BA4F544239EF5C07ADEFE3CD441CB10

Function 00007FF7BD3C7FE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C8012

Part of subcall function 00007FF7BD3C9F88: RtlFreeHeap.NTDLL(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9F9E
Part of subcall function 00007FF7BD3C9F88: GetLastError.KERNEL32(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9FA8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7BD3BA495), ref: 00007FF7BD3C8030

Strings

C:\Users\user\Desktop\PDF_Resave.exe, xrefs: 00007FF7BD3C801E

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\PDF_Resave.exe
API String ID: 3580290477-2412123782
Opcode ID: 8d8b2631746941ed8e9d93c586c1e08c09f8ebf82f2c91caf3ed4a0a8a2970d8
Instruction ID: b04708d4d979ec27fb3d421536f1bc1447a313af7229441e7e5bdac0ce27de34
Opcode Fuzzy Hash: 8d8b2631746941ed8e9d93c586c1e08c09f8ebf82f2c91caf3ed4a0a8a2970d8
Instruction Fuzzy Hash: A7418136A0C716D5EB1CAF2998500B9E694EF56780F994039EB4D03B8BEF39E5858320

Function 00007FF7BD3CC278 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7BD3CC38F
GetLastError.KERNEL32 ref: 00007FF7BD3CC3B1

Strings

U, xrefs: 00007FF7BD3CC33B

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4ebfda0eb3dddeb426bdf92ebf3ecfca638941ee1d5aabdffb869394d8dbdab1
Instruction ID: f190a49516a6666e16bcd2807a639ab5eee144e43fa92977ca968a1be397fd67
Opcode Fuzzy Hash: 4ebfda0eb3dddeb426bdf92ebf3ecfca638941ee1d5aabdffb869394d8dbdab1
Instruction Fuzzy Hash: 87419132A1CB41C1DB649F29E8443A9E760FBA9794F884039EB4D87799EF3CD441C710

Function 00007FF7BD3CE598 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7BD3CE5D8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7BD3CE62A

Strings

:, xrefs: 00007FF7BD3CE5EE

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 6ea6d4d4bc35d25bba8af1de083b0a6473d04d25c8de49d1e69948f0a07f610c
Instruction ID: c2cf92d24edbd2137cc49e877df280306f526e7003ea89c126b4233fa3620c2a
Opcode Fuzzy Hash: 6ea6d4d4bc35d25bba8af1de083b0a6473d04d25c8de49d1e69948f0a07f610c
Instruction Fuzzy Hash: 11210622B1C781C1EB28AB19D04426DF3A1FBA5B44FC9403DD74D1328AEF7CE9658B60

Function 00007FF7BD3BE320 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7BD3BE364
RaiseException.KERNEL32 ref: 00007FF7BD3BE3AA

Strings

csm, xrefs: 00007FF7BD3BE397

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: ca300da370bc200b47a9e29752d724a25d804681f54f6f31a4c62ce82835f912
Instruction ID: 64289bdfc823a9ddaa8e3dd3567965a6a858180e18b3cfcba344a957ba26770c
Opcode Fuzzy Hash: ca300da370bc200b47a9e29752d724a25d804681f54f6f31a4c62ce82835f912
Instruction Fuzzy Hash: A6113A3260CB4182EB259F19E540269F7A1FB99B84F584238EF8D07769EF3CD551CB40

Function 00007FF7BD3CF09C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3CF0CC
GetDriveTypeW.KERNEL32 ref: 00007FF7BD3CF10C

Strings

:, xrefs: 00007FF7BD3CF0F5

Memory Dump Source

Source File: 00000000.00000002.1741912686.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000000.00000002.1741886960.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741951602.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1741989201.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1742071853.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 5bb9208f1dd75f8da1bf4b84d43d2649c4580fde4fdc4700cc46879c1844a841
Instruction ID: d60ea243c01b6f0165575908ce6eea43b20058adc4d7d487a53a972b5e6e5cd9
Opcode Fuzzy Hash: 5bb9208f1dd75f8da1bf4b84d43d2649c4580fde4fdc4700cc46879c1844a841
Instruction Fuzzy Hash: 9A01B12291D312C6F768BB28946127EE3A0EF66704FC8103DD74C4729BFE2DE5448B24

Analysis Process: PDF_Resave.exePID: 7364, Parent PID: 7304COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	845
Total number of Limit Nodes:	26

Executed Functions

Function 00007FF7BD3D5DFC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7BD3D5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D5B71
Part of subcall function 00007FF7BD3D5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D5BEF
Part of subcall function 00007FF7BD3D5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D5C40

CreateFileW.KERNELBASE ref: 00007FF7BD3D5F02
CreateFileW.KERNEL32 ref: 00007FF7BD3D5F52
GetLastError.KERNEL32 ref: 00007FF7BD3D5F82
GetFileType.KERNELBASE ref: 00007FF7BD3D5F97
GetLastError.KERNEL32 ref: 00007FF7BD3D5FA1
CloseHandle.KERNEL32 ref: 00007FF7BD3D5FD4
CloseHandle.KERNEL32 ref: 00007FF7BD3D6137
CreateFileW.KERNEL32 ref: 00007FF7BD3D616C
GetLastError.KERNEL32 ref: 00007FF7BD3D617B

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: f4a66a793454549687445e322010bf0c8aa55a7819c853dce57e356f604717af
Instruction ID: 828f3d3319de8c9f82800a809c0269d92b7a49632210904c2268358630a2ba04
Opcode Fuzzy Hash: f4a66a793454549687445e322010bf0c8aa55a7819c853dce57e356f604717af
Instruction Fuzzy Hash: B0C1F433B1CA45C5EB14EF68C4901ACBB61F76AB98B450239DB2E573AAEF38D055C710

Function 00007FFE126DE510 Relevance: 198.4, APIs: 78, Strings: 35, Instructions: 663COMMON

Download Yara Rule

APIs

PyType_Ready.PYTHON311 ref: 00007FFE126DE649
PyType_Ready.PYTHON311 ref: 00007FFE126DE65E
PyType_Ready.PYTHON311 ref: 00007FFE126DE673
PyType_Ready.PYTHON311 ref: 00007FFE126DE688
PyUnicode_FromString.PYTHON311 ref: 00007FFE126DE69D
PyDict_SetItemString.PYTHON311 ref: 00007FFE126DE6C0
PyDict_SetItemString.PYTHON311 ref: 00007FFE126DE6DF
PyImport_ImportModule.PYTHON311 ref: 00007FFE126DE6FE
PyObject_GetAttrString.PYTHON311 ref: 00007FFE126DE71A
PyObject_CallMethod.PYTHON311 ref: 00007FFE126DE748
PyObject_GetAttrString.PYTHON311 ref: 00007FFE126DE76E
PyImport_ImportModule.PYTHON311 ref: 00007FFE126DE7AC
PyObject_CallMethod.PYTHON311 ref: 00007FFE126DE7E2
PyUnicode_FromString.PYTHON311 ref: 00007FFE126DE7FF
PyDict_SetItemString.PYTHON311 ref: 00007FFE126DE829
PyImport_ImportModule.PYTHON311 ref: 00007FFE126DE848
PyObject_GetAttrString.PYTHON311 ref: 00007FFE126DE864
PyObject_CallFunction.PYTHON311 ref: 00007FFE126DE897
PyModule_Create2.PYTHON311 ref: 00007FFE126DE8ED
PyModule_AddObject.PYTHON311 ref: 00007FFE126DE917
PyModule_AddObject.PYTHON311 ref: 00007FFE126DE93D
PyModule_AddObject.PYTHON311 ref: 00007FFE126DE95F
PyErr_NewException.PYTHON311 ref: 00007FFE126DE981
PyModule_AddObject.PYTHON311 ref: 00007FFE126DE9A7
PyTuple_New.PYTHON311 ref: 00007FFE126DE9BA
PyTuple_Pack.PYTHON311 ref: 00007FFE126DEA16
PyErr_NewException.PYTHON311 ref: 00007FFE126DEA32
PyModule_AddObject.PYTHON311 ref: 00007FFE126DEA5E
PyTuple_Pack.PYTHON311 ref: 00007FFE126DEAC8
PyErr_NewException.PYTHON311 ref: 00007FFE126DEAE4
PyModule_AddObject.PYTHON311 ref: 00007FFE126DEB10
PyObject_CallObject.PYTHON311 ref: 00007FFE126DEB3D
PyModule_AddObject.PYTHON311 ref: 00007FFE126DEB63
PyContextVar_New.PYTHON311 ref: 00007FFE126DEB7A
PyModule_AddObject.PYTHON311 ref: 00007FFE126DEBAB
PyModule_AddObject.PYTHON311 ref: 00007FFE126DEBD4
PyObject_CallObject.PYTHON311 ref: 00007FFE126DEBE7
PyModule_AddObject.PYTHON311 ref: 00007FFE126DEC72
PyObject_CallObject.PYTHON311 ref: 00007FFE126DEC85
PyModule_AddObject.PYTHON311 ref: 00007FFE126DECEB
PyLong_FromSsize_t.PYTHON311 ref: 00007FFE126DED0D
PyModule_AddObject.PYTHON311 ref: 00007FFE126DED28
PyUnicode_InternFromString.PYTHON311 ref: 00007FFE126DED6B
PyModule_AddObject.PYTHON311 ref: 00007FFE126DED9A
PyModule_AddStringConstant.PYTHON311 ref: 00007FFE126DEDCB
PyModule_AddStringConstant.PYTHON311 ref: 00007FFE126DEDED
PyTuple_Pack.PYTHON311 ref: 00007FFE126DEE2C
PyTuple_Pack.PYTHON311 ref: 00007FFE126DEE51
PyTuple_Pack.PYTHON311 ref: 00007FFE126DEE84
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE126E68AD
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE126E68D4
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE126E68EE
fputc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE126E68FC

Part of subcall function 00007FFE126DEE90: PyErr_Format.PYTHON311(?,?,?,?,00007FFE126DE5EC), ref: 00007FFE126E6B46

_Py_Dealloc.PYTHON311 ref: 00007FFE126E690B
_Py_Dealloc.PYTHON311 ref: 00007FFE126E691A
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6926
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6932
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6941
_Py_Dealloc.PYTHON311 ref: 00007FFE126E694D
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6959
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6965
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6974
_Py_Dealloc.PYTHON311 ref: 00007FFE126E69CA
_Py_Dealloc.PYTHON311 ref: 00007FFE126E69DE
_Py_Dealloc.PYTHON311 ref: 00007FFE126E69F6
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6A19
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6A2E
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6A43
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6A57
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6A76
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6A95
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6AB4
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6AD3
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6AF2
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6B11
_Py_Dealloc.PYTHON311 ref: 00007FFE126E6B25

Strings

MutableMapping, xrefs: 00007FFE126DE85A
2.5.1, xrefs: 00007FFE126DEDD9
Decimal, xrefs: 00007FFE126DE90D
sign digits exponent, xrefs: 00007FFE126DE7BE
namedtuple, xrefs: 00007FFE126DE7DB
as_integer_ratio, xrefs: 00007FFE126DE5E0
__version__, xrefs: 00007FFE126DEDC4
SignalDict, xrefs: 00007FFE126DE884
mpd_setminalloc: ignoring request to set MPD_MINALLOC a second time, xrefs: 00007FFE126E68DD
collections, xrefs: 00007FFE126DE7A5
Context, xrefs: 00007FFE126DE933
DecimalException, xrefs: 00007FFE126DE99A
1.70, xrefs: 00007FFE126DEDBA
HAVE_THREADS, xrefs: 00007FFE126DEBC0
HAVE_CONTEXTVAR, xrefs: 00007FFE126DEB97
decimal.DecimalException, xrefs: 00007FFE126DE974
bit_length, xrefs: 00007FFE126DE603
decimal, xrefs: 00007FFE126DE696, 00007FFE126DE7F8
Rational, xrefs: 00007FFE126DE764
ExtendedContext, xrefs: 00007FFE126DECAF
register, xrefs: 00007FFE126DE741
D:\a\1\s\Modules\_decimal\libmpdec\context.c, xrefs: 00007FFE126E68B9
decimal_context, xrefs: 00007FFE126DEB73
Number, xrefs: 00007FFE126DE710
BasicContext, xrefs: 00007FFE126DEC16
(O), xrefs: 00007FFE126DE73A
__libmpdec_version__, xrefs: 00007FFE126DEDE3
s(OO){}, xrefs: 00007FFE126DE890
__module__, xrefs: 00007FFE126DE6B6, 00007FFE126DE6D5, 00007FFE126DE818
collections.abc, xrefs: 00007FFE126DE841
DecimalTuple, xrefs: 00007FFE126DE7C8, 00007FFE126DE952
numbers, xrefs: 00007FFE126DE6F7
(ss), xrefs: 00007FFE126DE7D4
DefaultContext, xrefs: 00007FFE126DEB56
%s:%d: warning: , xrefs: 00007FFE126E68C3

Memory Dump Source

Source File: 00000002.00000002.1740301447.00007FFE126C1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FFE126C0000, based on PE: true

Associated: 00000002.00000002.1740277028.00007FFE126C0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1740368131.00007FFE126E9000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1740396766.00007FFE126F7000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1740421707.00007FFE126F8000.00000008.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1740445059.00007FFE126F9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1740469746.00007FFE126FA000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe126c0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$Module_Object$String$Object_$CallTuple_$Pack$Err_FromReadyType_$AttrDict_ExceptionImportImport_ItemModuleUnicode___acrt_iob_func$ConstantMethod$ContextCreate2FormatFunctionInternLong_Ssize_tVar_fputc
String ID: %s:%d: warning: $(O)$(ss)$1.70$2.5.1$BasicContext$Context$D:\a\1\s\Modules\_decimal\libmpdec\context.c$Decimal$DecimalException$DecimalTuple$DefaultContext$ExtendedContext$HAVE_CONTEXTVAR$HAVE_THREADS$MutableMapping$Number$Rational$SignalDict$__libmpdec_version__$__module__$__version__$as_integer_ratio$bit_length$collections$collections.abc$decimal$decimal.DecimalException$decimal_context$mpd_setminalloc: ignoring request to set MPD_MINALLOC a second time$namedtuple$numbers$register$s(OO){}$sign digits exponent
API String ID: 2210023312-630389593
Opcode ID: 3950c89dd7d0f46fa85523a6f954b02b05b136cfa4dcdb363a16ae3cdb450f87
Instruction ID: d4ec1de9929b7574cfe712798db7990386de190f770ef2284bcf54b3eb2e3999
Opcode Fuzzy Hash: 3950c89dd7d0f46fa85523a6f954b02b05b136cfa4dcdb363a16ae3cdb450f87
Instruction Fuzzy Hash: B462E361E0AF4785EB19CB27EC542B823A4BF58BA4F0451B5C94E467F4EFBCA985C304

Function 00007FF7BD3B17B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF7BD3B185C
_fread_nolock.LIBCMT ref: 00007FF7BD3B190E

Part of subcall function 00007FF7BD3BE6E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BE6F4

Strings

malloc, xrefs: 00007FF7BD3B18EA
Could not read full TOC!, xrefs: 00007FF7BD3B1919
MEI, xrefs: 00007FF7BD3B17EF
fread, xrefs: 00007FF7BD3B186E
Failed to read cookie!, xrefs: 00007FF7BD3B1867
Could not allocate buffer for TOC!, xrefs: 00007FF7BD3B18E3
Failed to seek to cookie position!, xrefs: 00007FF7BD3B182F
Error on file., xrefs: 00007FF7BD3B193D
fseek, xrefs: 00007FF7BD3B1836
Cannot read Table of Contents., xrefs: 00007FF7BD3B1995

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _fread_nolock$_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 3405171723-4158440160
Opcode ID: 3d57fbadd83ca00b5ee3a27cfc09c8de2ef1b8a7f7769bb7cec00fb7d522cde7
Instruction ID: b4bbd77f65c9b53a4da38963feb11938de0c1edaa2a4bb0781954b7bf57c4a3f
Opcode Fuzzy Hash: 3d57fbadd83ca00b5ee3a27cfc09c8de2ef1b8a7f7769bb7cec00fb7d522cde7
Instruction Fuzzy Hash: 45515E71A1DA46C6EB58EF2CD450278F3A0EB6AB44B904139EB0D8739EEE3CE540C750

Function 00007FF7BD3B12B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF7BD3B1353
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7BD3B13E2
fread, xrefs: 00007FF7BD3B13E9
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF7BD3B134C
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7BD3B12E2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7BD3B1312
fseek, xrefs: 00007FF7BD3B1319

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: b062efcf8f2c193bbae1d484d54a3a38d285118df6d9e6730312538d15cfbc06
Instruction ID: f6986a33921d4d6c5305046179258a84407e4a2b6a45a00daea2516e2868f86b
Opcode Fuzzy Hash: b062efcf8f2c193bbae1d484d54a3a38d285118df6d9e6730312538d15cfbc06
Instruction Fuzzy Hash: 59415F21A0C642C1EA58FB19A4513B9F3A0EB667D4FD4443AEB4D07A5EFE3CE541C710

Function 00007FF7BD3B1000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7BD3B2CD0: GetModuleFileNameW.KERNEL32(?,00007FF7BD3B27C9,?,?,?,?,?,?), ref: 00007FF7BD3B2D01

SetDllDirectoryW.KERNEL32 ref: 00007FF7BD3B29D5

Part of subcall function 00007FF7BD3B5AF0: GetEnvironmentVariableW.KERNEL32(00007FF7BD3B2817,?,?,?,?,?,?), ref: 00007FF7BD3B5B2A
Part of subcall function 00007FF7BD3B5AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B5B47

Strings

Cannot side-load external archive %s (code %d)!, xrefs: 00007FF7BD3B295C
_MEIPASS2, xrefs: 00007FF7BD3B2803, 00007FF7BD3B286C, 00007FF7BD3B2B1B, 00007FF7BD3B2B2B
MEI, xrefs: 00007FF7BD3B2917
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF7BD3B28BE
_PYI_ONEDIR_MODE, xrefs: 00007FF7BD3B282C, 00007FF7BD3B2857
Failed to convert DLL search path!, xrefs: 00007FF7BD3B29BD

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 1bcce19713f1ced71a1944ec487b66c2c1f8826570a39f9e2af0ada334e553cf
Instruction ID: f506db1a5e6e5c821c4cfb531445107295d9188a9d343c27fddfd35e91286a1e
Opcode Fuzzy Hash: 1bcce19713f1ced71a1944ec487b66c2c1f8826570a39f9e2af0ada334e553cf
Instruction Fuzzy Hash: 13C19125A1C643D1EA68BB2994912FDF390AF66784FC04139FB4D4769FFE2CE5068720

Function 00007FF7BD3B1050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF7BD3B10F8, 00007FF7BD3B1126
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF7BD3B111F
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7BD3B10F1
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF7BD3B1249
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7BD3B10B4
1.2.13, xrefs: 00007FF7BD3B107E

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: 835778965ba396b8c2d65636b0d4ee4ffcc8eef45f14a4a44827f752a2557c3a
Instruction ID: 472e0288a5ec5c3fb12d9c9b5fa75644befafebb37553e312b644ce63dfbf082
Opcode Fuzzy Hash: 835778965ba396b8c2d65636b0d4ee4ffcc8eef45f14a4a44827f752a2557c3a
Instruction Fuzzy Hash: 1351B322A0D642C5EA68BB19E4403B9F290FBA6794F844139EF4D4779EFE3CE505C710

Function 00007FF7BD3CDF40 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF7BD3CE2DA,?,?,-00000018,00007FF7BD3CA393,?,?,?,00007FF7BD3CA28A,?,?,?,00007FF7BD3C54F2), ref: 00007FF7BD3CE0BC
GetProcAddress.KERNEL32(?,00000000,?,00007FF7BD3CE2DA,?,?,-00000018,00007FF7BD3CA393,?,?,?,00007FF7BD3CA28A,?,?,?,00007FF7BD3C54F2), ref: 00007FF7BD3CE0C8

Strings

api-ms-, xrefs: 00007FF7BD3CE006
ext-ms-, xrefs: 00007FF7BD3CE019

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: aad9aede478575e979b907d5906f12f078c77a7925399981a7c8c7e1570d79b3
Instruction ID: 21ca648a56e317d33fd6f73d2a6f6aca1c4800d7577f034a1e09d5a53926f60c
Opcode Fuzzy Hash: aad9aede478575e979b907d5906f12f078c77a7925399981a7c8c7e1570d79b3
Instruction Fuzzy Hash: 10411322B1DB22C1FA19EB1A9810575E291BF6AB90F8C413DDF0D5778AFE3CE4448364

Function 00007FF7BD3CB09C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3CB4C9

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a4d685ae9cce30cf93841342e5a1d314e29f636783538e3b5adbfb391e49450
Instruction ID: 80bfda2e179dac222cec5da69a796a9d6565723f865e5b59f535de7271ec42ac
Opcode Fuzzy Hash: 5a4d685ae9cce30cf93841342e5a1d314e29f636783538e3b5adbfb391e49450
Instruction Fuzzy Hash: B0C1B42290C786D1E658AB1994402BDFB51FBA3B80FDD0139DB4D0779BEE7DE4898720

Function 00007FF7BD3CC5A0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7BD3CC58B), ref: 00007FF7BD3CC6BC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7BD3CC58B), ref: 00007FF7BD3CC747

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 47869f412bece76eb023dbb07aa2cba14259a80e0a96d05eb24eea3b46299af7
Instruction ID: 8514e83ca0e7feb7d6a8aeda6163a5a01d5fa30a26bc67b77cbc0fd8cd58bd02
Opcode Fuzzy Hash: 47869f412bece76eb023dbb07aa2cba14259a80e0a96d05eb24eea3b46299af7
Instruction Fuzzy Hash: A991A236B0C751C5F768AB6984402BDE7A0AB26788F9C413DDF0E57A8AEF38D4418720

Function 00007FF7BD3C46F8 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C4725
CreateFileW.KERNELBASE ref: 00007FF7BD3C4764
CloseHandle.KERNEL32 ref: 00007FF7BD3C4799

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: f267924f7f97080439486145e1bcefd5e45286d82813a9840df1f1c4553f85a0
Instruction ID: 80aa2333f4c1c823000293213d114e3ea0367026501973fcc005c8456ad276d4
Opcode Fuzzy Hash: f267924f7f97080439486145e1bcefd5e45286d82813a9840df1f1c4553f85a0
Instruction Fuzzy Hash: 36419722E1C782C3E758AB649510369F660FBA6754F549338E76C03ADAEF6CB5E08710

Function 00007FF7BD3BA52C Relevance: 4.6, APIs: 3, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF7BD3BA540

Part of subcall function 00007FF7BD3BA70C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7BD3BA72E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7BD3BA555
__scrt_release_startup_lock.LIBCMT ref: 00007FF7BD3BA5C3

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 1be6874be7b06f60d2a206459abee2dcc30803262f01e71d3cdcfcaefe82dc60
Instruction ID: 1e848b09286e92d3d617ca55b284786a80e8eef00a26ae849f771588371f352e
Opcode Fuzzy Hash: 1be6874be7b06f60d2a206459abee2dcc30803262f01e71d3cdcfcaefe82dc60
Instruction Fuzzy Hash: AA313F21A0CA06C6EA5CBB2C95513B9E291AF63784FC4403DF74D4729BFEACA5048738

Function 00007FF7BD3C89F8 Relevance: 4.5, APIs: 3, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7BD3C89F4), ref: 00007FF7BD3C8A09
TerminateProcess.KERNEL32(?,?,?,00007FF7BD3C89F4), ref: 00007FF7BD3C8A14
ExitProcess.KERNEL32 ref: 00007FF7BD3C8A23

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cdaea237e1b592d6c154aaf0f90f60ef9ca2b577adbaa54e82ff2db6f3b91dce
Instruction ID: 8d9f7445b4ce7dc7d6ce0dda79984bb52ccd80f9e184eefc238529967e8f1dfa
Opcode Fuzzy Hash: cdaea237e1b592d6c154aaf0f90f60ef9ca2b577adbaa54e82ff2db6f3b91dce
Instruction Fuzzy Hash: 62D01714B0C702D2EA5C3B395965138D2111F7A700B84143CCA0F033ABED2DA54D4730

Function 00007FF7BD3BE70C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BE750
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BE847

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction ID: 7df5a9fff5deb558690805e68ba1cbeea62d22569525da985e871d3600cffd1e
Opcode Fuzzy Hash: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction Fuzzy Hash: 7151B921A0D641C5E66CAA2D9800679F691EF52B64F984638FF7D577CFEE3CE4408720

Function 00007FF7BD3CC058 Relevance: 3.1, APIs: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00007FF7BD3CC10B
GetLastError.KERNEL32 ref: 00007FF7BD3CC127

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: d35954f5888671c4b8e9d3f715c627a4543e92b38a07bde94bce825eac47ac6c
Instruction ID: a0a772bbb6b8b12033d9f40eccec9c83653630167b39addbc967f07420be4132
Opcode Fuzzy Hash: d35954f5888671c4b8e9d3f715c627a4543e92b38a07bde94bce825eac47ac6c
Instruction Fuzzy Hash: A031D436A1CB85DADB54AF19E4402A9F760FB69780F884039EB4D8375AEF3CD455CB10

Function 00007FF7BD3CBA58 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF7BD3CBAD1
GetFileType.KERNELBASE ref: 00007FF7BD3CBAE7

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: ea0bf9139acf7e29816fcd0aba872ae9fa759e19ef548db38860721d431a1d9c
Instruction ID: 3e3b262315d10a1a55d30cef7d7bb90a9c2c315e0a3e93c011051081e756ead2
Opcode Fuzzy Hash: ea0bf9139acf7e29816fcd0aba872ae9fa759e19ef548db38860721d431a1d9c
Instruction Fuzzy Hash: 51316321A1CB46C1DB689B1C8590179E650EB56BB0FAC032DDBAE073E9DF7DE491D310

Function 00007FF7BD3CB774 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF7BD3CB760,00000000,?,?,?,00007FF7BD3B1023,00007FF7BD3CB869), ref: 00007FF7BD3CB7C0
GetLastError.KERNEL32(?,?,?,?,?,00007FF7BD3CB760,00000000,?,?,?,00007FF7BD3B1023,00007FF7BD3CB869), ref: 00007FF7BD3CB7CA

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3ffa62e109f94fb18d3b2cbff054a6c81447e1b6aec8cf58aa39285ecb5c62cf
Instruction ID: d8f7600a7ce32ff25557009afb2b1e5f9e90fa3b24686f7a5ba1b4caff019032
Opcode Fuzzy Hash: 3ffa62e109f94fb18d3b2cbff054a6c81447e1b6aec8cf58aa39285ecb5c62cf
Instruction Fuzzy Hash: 4F11C46171CB81C1DA54AB29A814069E761AB66BF4F984339EF7D077EEEE3CD0948700

Function 00007FF7BD3CA198 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF7BD3CA015,?,?,00000000,00007FF7BD3CA0CA), ref: 00007FF7BD3CA206
GetLastError.KERNEL32(?,?,?,00007FF7BD3CA015,?,?,00000000,00007FF7BD3CA0CA), ref: 00007FF7BD3CA210

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 176045b7523cf5febd9284a5f88f2e5d392980a8c79d008abc553eacec4aafb7
Instruction ID: 94a8bfa16f3a610a5fcb2c02a72d0e389d35d6ea297f3f4b8303a28699186b1e
Opcode Fuzzy Hash: 176045b7523cf5febd9284a5f88f2e5d392980a8c79d008abc553eacec4aafb7
Instruction Fuzzy Hash: 3D21C211F0C742C1EE68775898A0379D1919FA67A0F8C423DDF2E473DBEE6CA4848324

Function 00007FF7BD3CB4EC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3CB514

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8f779a44aa3b0a3f4ccf073f5887973493dec229e4be6da509badb23d6131534
Instruction ID: f864e123c879d6212f0de0000b889d07b22aa495a481d8581d6b2c7ad2725250
Opcode Fuzzy Hash: 8f779a44aa3b0a3f4ccf073f5887973493dec229e4be6da509badb23d6131534
Instruction Fuzzy Hash: 6141B13290C341C3EA28AB1DE550279F3A0EB77785F980139D78A4369AEF2DE452C770

Function 00007FF7BD3B6370 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7BD3B641A

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: b2dfcc5e9e9a4df627897d8805f43cf7818036fed7bf937ffc55c7782f5abc16
Instruction ID: 8c134236b7549a175959a87fff95f7e4efc147e065a3dc9f43c3d1523a01fea5
Opcode Fuzzy Hash: b2dfcc5e9e9a4df627897d8805f43cf7818036fed7bf937ffc55c7782f5abc16
Instruction Fuzzy Hash: 96216121B0C69285EA59AB1A69043BAF651BF56BD4FC85435EF4D0B78BEE3CE0418710

Function 00007FF7BD3CAF7C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3CB002

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5c21e00b33c8f2b45ceb84e2d38ad87eb1f0bac44c293c41f89c92cf48f3706b
Instruction ID: da99ae3c5094f18c32371a127a52da57c5ee026e545c045b906db27c012275d2
Opcode Fuzzy Hash: 5c21e00b33c8f2b45ceb84e2d38ad87eb1f0bac44c293c41f89c92cf48f3706b
Instruction Fuzzy Hash: 3A319062A1C722C1E6197B69984137CEA50AB62B50FC9013DEB1D133DBEF7CE4818730

Function 00007FF7BD3C8929 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7BD3C8957

Part of subcall function 00007FF7BD3C8A50: GetModuleHandleExW.KERNEL32 ref: 00007FF7BD3C8A75
Part of subcall function 00007FF7BD3C8A50: GetProcAddress.KERNEL32 ref: 00007FF7BD3C8A8B
Part of subcall function 00007FF7BD3C8A50: FreeLibrary.KERNEL32 ref: 00007FF7BD3C8AB2

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 4364183f743529bba0b1b8a1ab3c287b648935f4c13821245ef64b361732f161
Instruction ID: c4091e5f4d0e6922c94ae27b589d3c8e13dbc13b0f702dc47ef4de7438e10ad3
Opcode Fuzzy Hash: 4364183f743529bba0b1b8a1ab3c287b648935f4c13821245ef64b361732f161
Instruction Fuzzy Hash: 4A21A631A08701D9EB1CAF68C4402FCB7A0EB15318F481639D76D47ADAEF38D685C761

Function 00007FF7BD3C5548 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C54AD

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction ID: 3ad7a4d83fb595b817a0ea37005c77b075d8e4bc8c6d594f0435c154bbb9a820
Opcode Fuzzy Hash: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction Fuzzy Hash: CD115E22A0D741C1EA68BF59940027DE660BFA7B80F8C4439EB4C5779BEE3DE4408720

Function 00007FF7BD3D57EC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D580F

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ae9bd99ce62d3538fe7d29b8c80f6b7eb83d48e2b866bc47fbdf5b394f043f57
Instruction ID: 74628f5b9ad3b56525e40a76cef617878b4049ca4853c56d075e9c618593c4b9
Opcode Fuzzy Hash: ae9bd99ce62d3538fe7d29b8c80f6b7eb83d48e2b866bc47fbdf5b394f043f57
Instruction Fuzzy Hash: D521A432A0C641C7D7649F1CD450369FA60FB96B54FA84238D75D476DAEF3DD4008B10

Function 00007FF7BD3BE98C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BE9E0

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction ID: 921dac09ad7f55a1eff9aea9a94ab918c84925bb4b627e228d6f6644898bffe2
Opcode Fuzzy Hash: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction Fuzzy Hash: 9F018221A0C74581EA48AB5A9901169F795BBA7FE0B884639EF5C67BDFEE3CE0114310

Function 00007FF7BD3B6320 Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BD3B6DC0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B6DFA

LoadLibraryExW.KERNELBASE(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B6343

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 4bdf6301c84a861bdb536e2334b00053543545dc7c114505350ac69f55b0c6e6
Instruction ID: 10ea2c233890a92ad9f22b0a9fa1925a8c0bc2fe49a67246bf42270eeb1e9219
Opcode Fuzzy Hash: 4bdf6301c84a861bdb536e2334b00053543545dc7c114505350ac69f55b0c6e6
Instruction Fuzzy Hash: 0AE08611B1818682DA5CA76BF91556AE251EF59BC0B889039EF0D4775BED2CD4908B04

Function 00007FFDFB1A2B58 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32 ref: 00007FFDFB39955F

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: Free
String ID:
API String ID: 3978063606-0
Opcode ID: 99c7829f09a5c78c67ae0b713d3d91cb04d237d0367d97be12d496e7a1f6d673
Instruction ID: 1146ded9445bb3ec7ab4a40ba2633cde10cf032c33519bc7a1534412fc9b60cf
Opcode Fuzzy Hash: 99c7829f09a5c78c67ae0b713d3d91cb04d237d0367d97be12d496e7a1f6d673
Instruction Fuzzy Hash: 9EC01226F070038BF7086338C87AA6E12A45F49318F918038E02EC6AE9DD0CA8698B01

Function 00007FF7BD3CDEC8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF7BD3CAA26,?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E), ref: 00007FF7BD3CDF1D

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5680686827257c125c79c0b434b54bb6693b4c02053300f6c32a97532040a367
Instruction ID: eceb658cadcd62f0e1bdf87788e887ade637e137d5398de205b85939c94484da
Opcode Fuzzy Hash: 5680686827257c125c79c0b434b54bb6693b4c02053300f6c32a97532040a367
Instruction Fuzzy Hash: E6F03755B0D307C0FE5C776AA9602B5E2906F76B80F8C5439EA0E8769BFE2CE4814330

Function 00007FF7BD3CCC3C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7BD3BF1F4,?,?,?,00007FF7BD3C0706,?,?,?,?,?,00007FF7BD3C276D), ref: 00007FF7BD3CCC7A

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b11fc6a16e25d187a1b91613ce7ef6c78f7eee5e93957fcc5bb755ad2e5a5504
Instruction ID: eb71ee05c0d57079bfb00c791d1ffbcfc5328c73ed70d3d1ad13473dcc92341f
Opcode Fuzzy Hash: b11fc6a16e25d187a1b91613ce7ef6c78f7eee5e93957fcc5bb755ad2e5a5504
Instruction Fuzzy Hash: D0F03A69A0D346C4FE2C77795950279D2805FA67A0F8C86389A2E872DBFD2CA4529330

Non-executed Functions

Function 00007FFDFB354CF0 Relevance: 33.6, APIs: 11, Strings: 8, Instructions: 351stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB354E85
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB354EFF
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB354F23
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB354F3C
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB354F58
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB354F71
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB354FB0
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB354FE8
strcspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB354FFE
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB355028

Strings

ENCRYPTED, xrefs: 00007FFDFB354F2F
, xrefs: 00007FFDFB354F4E
Proc-Type:, xrefs: 00007FFDFB354E7B
DEK-Info:, xrefs: 00007FFDFB354FA5
..\s\crypto\pem\pem_lib.c, xrefs: 00007FFDFB354D7E, 00007FFDFB354D92, 00007FFDFB354DA6, 00007FFDFB354DC3, 00007FFDFB354DD5, 00007FFDFB354DEA, 00007FFDFB354E9C, 00007FFDFB354EC7, 00007FFDFB354EDB, 00007FFDFB354F8C, 00007FFDFB354FC7, 00007FFDFB35503E, 00007FFDFB355077, 00007FFDFB35509E, 00007FFDFB35512A, 00007FFDFB35514F, 00007FFDFB3551C9, 00007FFDFB3551DB, 00007FFDFB3551FB, 00007FFDFB355218
Expecting: , xrefs: 00007FFDFB35523B
,, xrefs: 00007FFDFB354FF1
, xrefs: 00007FFDFB354F67

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strspn$strncmp$strcspn
String ID: $ $ ,$..\s\crypto\pem\pem_lib.c$DEK-Info:$ENCRYPTED$Expecting: $Proc-Type:
API String ID: 232339659-387852012
Opcode ID: 42ddd34fbb514b972c3841d9454f420e3ab624245703583627a5e92b4a3d4a41
Instruction ID: 314bf5e938e5c629d7e4e7681daeef04066a901fe424a459015789553ea8ab35
Opcode Fuzzy Hash: 42ddd34fbb514b972c3841d9454f420e3ab624245703583627a5e92b4a3d4a41
Instruction Fuzzy Hash: 06F17E72F0AA4786FB14DB65A560AB927A1BB04788F414031CE6D57AEDEF3CF606C740

Function 00007FFDFB1A322E Relevance: 21.3, APIs: 14, Instructions: 251fileCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFB34422E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFB34427E
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFB34428C
memset.VCRUNTIME140 ref: 00007FFDFB3442A8
MultiByteToWideChar.KERNEL32 ref: 00007FFDFB3442CF
GetLastError.KERNEL32 ref: 00007FFDFB3442DC
MultiByteToWideChar.KERNEL32 ref: 00007FFDFB344303
MultiByteToWideChar.KERNEL32 ref: 00007FFDFB344358
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFDFB344369
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFB344372
FindFirstFileW.KERNEL32 ref: 00007FFDFB3444DC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFDFB3444FE
FindNextFileW.KERNEL32 ref: 00007FFDFB344519
WideCharToMultiByte.KERNEL32 ref: 00007FFDFB344577

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharMultiWide_errno$FileFind$ErrorFirstLastNextfreemallocmemset
String ID:
API String ID: 3372420414-0
Opcode ID: 3d8f240a4f90c780c6746068f38d3319f7b472bfe65928556dd2a935678a57e1
Instruction ID: 8e2a39d2f5862895f9ce58e0b2df146d4079d31a5dc734f697725850a2c90bb7
Opcode Fuzzy Hash: 3d8f240a4f90c780c6746068f38d3319f7b472bfe65928556dd2a935678a57e1
Instruction Fuzzy Hash: 99B1B122B46A83C6EB109F25D464A7C67E4FB45BA8F468735DA6D437E8EF3CD1518300

Function 00007FFDFB1A2671 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB36DFC1
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB36DFE2
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB36DFFD
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB36E018
GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB36E060
WideCharToMultiByte.KERNEL32 ref: 00007FFDFB36E096
WideCharToMultiByte.KERNEL32 ref: 00007FFDFB36E0EB

Strings

RANDFILE, xrefs: 00007FFDFB36DFA9
USERPROFILE, xrefs: 00007FFDFB36DFEE
.rnd, xrefs: 00007FFDFB36E19A
SYSTEMROOT, xrefs: 00007FFDFB36E009
HOME, xrefs: 00007FFDFB36DFD0

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: EnvironmentVariable$ByteCharMultiWide
String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
API String ID: 2184640988-1666712896
Opcode ID: 9bdffb1b50c3161ebfeb316bcddf5aa0d76d079b0f97c82e6ecc90dc1062e570
Instruction ID: 31eff2b31a8f30854a1562d78dcb244e738cac4994a8cdbb931aa65523485cf4
Opcode Fuzzy Hash: 9bdffb1b50c3161ebfeb316bcddf5aa0d76d079b0f97c82e6ecc90dc1062e570
Instruction Fuzzy Hash: 5661DB22B09B934AEB159F25D96097967E6FF45BA8B444231DE7D43BE8DF3DE0098300

Function 00007FF7BD3B58E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 141COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B5977
GetCurrentProcessId.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B597D

Part of subcall function 00007FF7BD3B5AF0: GetEnvironmentVariableW.KERNEL32(00007FF7BD3B2817,?,?,?,?,?,?), ref: 00007FF7BD3B5B2A
Part of subcall function 00007FF7BD3B5AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B5B47

Part of subcall function 00007FF7BD3C6828: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C6841

SetEnvironmentVariableW.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B5A31

Strings

TMP, xrefs: 00007FF7BD3B591A, 00007FF7BD3B59D9, 00007FF7BD3B5A67
TMP, xrefs: 00007FF7BD3B5940
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF7BD3B595A
_MEI%d, xrefs: 00007FF7BD3B5985

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1556224225-1116378104
Opcode ID: d9ed24271a3d1c9d9675edf7404b1264d8195ad00974861240995d31d7993455
Instruction ID: 2879302f61b62613c469c61e037d04f7869bf1581f5f94fbf05ca48e661793fe
Opcode Fuzzy Hash: d9ed24271a3d1c9d9675edf7404b1264d8195ad00974861240995d31d7993455
Instruction Fuzzy Hash: 1A516E11B1D65381FA9DB72AA8512B9E6515F6BBC0FC85038EF0E5B69BFD2CE4018720

Function 00007FFDFB1A5A24 Relevance: 13.6, APIs: 9, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDFB3E623C
memset.VCRUNTIME140 ref: 00007FFDFB3E6260
RtlCaptureContext.KERNEL32 ref: 00007FFDFB3E6269
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDFB3E6283
RtlVirtualUnwind.KERNEL32 ref: 00007FFDFB3E62C4
memset.VCRUNTIME140 ref: 00007FFDFB3E62F7
IsDebuggerPresent.KERNEL32 ref: 00007FFDFB3E6318
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDFB3E6339
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDFB3E6344

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: a2d914222e0312e5cf461600ac8b059d6c61fa3806f1dd2a9609d900ee9212fe
Instruction ID: 1d69fe359a50610ef0d0f7d8138717b7e56ea7f14cd7aa19830ac7d0f666d8bb
Opcode Fuzzy Hash: a2d914222e0312e5cf461600ac8b059d6c61fa3806f1dd2a9609d900ee9212fe
Instruction Fuzzy Hash: 0D313272B0AB8286EB609F60E8607ED7364FB94748F44443ADA5E47BE9DF38D548C710

Function 00007FFE148E1A30 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE148E1A4C
memset.VCRUNTIME140 ref: 00007FFE148E1A70
RtlCaptureContext.KERNEL32 ref: 00007FFE148E1A79
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE148E1A93
RtlVirtualUnwind.KERNEL32 ref: 00007FFE148E1AD4
memset.VCRUNTIME140 ref: 00007FFE148E1B07
IsDebuggerPresent.KERNEL32 ref: 00007FFE148E1B28
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE148E1B49
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE148E1B54

Memory Dump Source

Source File: 00000002.00000002.1740691190.00007FFE148E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000002.00000002.1740628690.00007FFE148E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1740718938.00007FFE148E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1740772023.00007FFE148E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1740797470.00007FFE148E4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe148e0000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 7af6d3e7f7e34c059537e11f5101d55855401e4335d46a65a440c931bdec65b4
Instruction ID: 25b38a270ecfec644f511d091599fb7bd765f7ea5bbbcc572a3f1e5d83220398
Opcode Fuzzy Hash: 7af6d3e7f7e34c059537e11f5101d55855401e4335d46a65a440c931bdec65b4
Instruction Fuzzy Hash: 33314C72609E818AEB609F61E8807EDB361FB85754F44447AEA4D57BA4DF38D64CC700

Function 00007FFE11EC0238 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE11EC0254
memset.VCRUNTIME140 ref: 00007FFE11EC0278
RtlCaptureContext.KERNEL32 ref: 00007FFE11EC0281
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE11EC029B
RtlVirtualUnwind.KERNEL32 ref: 00007FFE11EC02DC
memset.VCRUNTIME140 ref: 00007FFE11EC030F
IsDebuggerPresent.KERNEL32 ref: 00007FFE11EC0330
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE11EC0351
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE11EC035C

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: f917ff8333d386f8a0a80f5860abe6176b111c19f843e3b6836ed2e39eb9178d
Instruction ID: f65d6ea98ba0af1a2403d0885b44e251b6420678d60b2beab69a1933074595c5
Opcode Fuzzy Hash: f917ff8333d386f8a0a80f5860abe6176b111c19f843e3b6836ed2e39eb9178d
Instruction Fuzzy Hash: C0316F76609E8286EB608FA5EC403EE7769FB84764F40443ADA4E47BA9DF3CD548C710

Function 00007FFE13304570 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE1330458C
memset.VCRUNTIME140 ref: 00007FFE133045B0
RtlCaptureContext.KERNEL32 ref: 00007FFE133045B9
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE133045D3
RtlVirtualUnwind.KERNEL32 ref: 00007FFE13304614
memset.VCRUNTIME140 ref: 00007FFE13304647
IsDebuggerPresent.KERNEL32 ref: 00007FFE13304668
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE13304689
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE13304694

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 7a4736268932c74a693b3e5a833589d54eed0b055916a83f70a1c8991e9e4dcb
Instruction ID: 81c2764fd0aca090884e09c90d8fb94908a37a083bbc558e9660d1afd968c1ae
Opcode Fuzzy Hash: 7a4736268932c74a693b3e5a833589d54eed0b055916a83f70a1c8991e9e4dcb
Instruction Fuzzy Hash: 68319272609F8189EB609F61E8403ED3360FB94754F44413ADA5D67BA8DF3CC648CB14

Function 00007FF7BD3BAA3C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7BD3BAA58
RtlCaptureContext.KERNEL32 ref: 00007FF7BD3BAA85
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7BD3BAA9F
RtlVirtualUnwind.KERNEL32 ref: 00007FF7BD3BAAE0
IsDebuggerPresent.KERNEL32 ref: 00007FF7BD3BAB34
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7BD3BAB55
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7BD3BAB60

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1bf0d945bdc6b6fdad2122b0a21604f4ba0b1612e3b53cdd76e1331efcd592fd
Instruction ID: 0eac65721541c133260d158ed231f03ab8d088e641c7aa6c542a2b639c9bb498
Opcode Fuzzy Hash: 1bf0d945bdc6b6fdad2122b0a21604f4ba0b1612e3b53cdd76e1331efcd592fd
Instruction Fuzzy Hash: CA318F72608A81CAEB649F64E8503E9B360FB65704F84403DDB4D43B99EF7CC208CB24

Function 00007FF7BD3D4EB0 Relevance: 9.3, APIs: 6, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7BD3D4EF5

Part of subcall function 00007FF7BD3D4848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D485C

Part of subcall function 00007FF7BD3C9F88: HeapFree.KERNEL32(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9F9E
Part of subcall function 00007FF7BD3C9F88: GetLastError.KERNEL32(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9FA8

Part of subcall function 00007FF7BD3C9F40: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7BD3C9F1F,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3C9F49
Part of subcall function 00007FF7BD3C9F40: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7BD3C9F1F,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3C9F6E

_get_daylight.LIBCMT ref: 00007FF7BD3D4EE4

Part of subcall function 00007FF7BD3D48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D48BC

_get_daylight.LIBCMT ref: 00007FF7BD3D515A
_get_daylight.LIBCMT ref: 00007FF7BD3D516B
_get_daylight.LIBCMT ref: 00007FF7BD3D517C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7BD3D53BC), ref: 00007FF7BD3D51A3

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID:
API String ID: 4070488512-0
Opcode ID: 694ad2a23735cc7fb3f2ec8971a6aa60c063a628b57b9edeeabbe946f82a905d
Instruction ID: 76071ce308c92680174e936acf4efdca744feb708df7ca26c9ca378d5590d59f
Opcode Fuzzy Hash: 694ad2a23735cc7fb3f2ec8971a6aa60c063a628b57b9edeeabbe946f82a905d
Instruction Fuzzy Hash: 04D19026E0C242C6EB68BF29D4601B9E751EB66784F844139EB4D4769FFF3CE4418B60

Function 00007FF7BD3C9C54 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7BD3C9CCD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7BD3C9CE5
RtlVirtualUnwind.KERNEL32 ref: 00007FF7BD3C9D20
IsDebuggerPresent.KERNEL32 ref: 00007FF7BD3C9D59
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7BD3C9D63
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7BD3C9D6E

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 397cea56bba315d20c834348c2ab8ed400ffbe874e1da4898cc87947d67c4ad4
Instruction ID: 23d136b3c591e737ceb4b0867e5d7f745a7fc403f2b42e10ec33473c45527440
Opcode Fuzzy Hash: 397cea56bba315d20c834348c2ab8ed400ffbe874e1da4898cc87947d67c4ad4
Instruction Fuzzy Hash: DC316232608F81C6DB64DB29E8502ADB3A4FB95754F940139EB9D43B5AEF3CC545CB10

Function 00007FF7BD3D0A44 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D0A90
FindFirstFileExW.KERNEL32 ref: 00007FF7BD3D0B9A

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 8a0645f7c53ed7709a047ca8b2fddc0db645f6da8a23fcc325910753c37d0ffe
Instruction ID: f0b33024d9b522623ecdda39b7fb5b1315b2b0e6bb01df6fdcaf477485176253
Opcode Fuzzy Hash: 8a0645f7c53ed7709a047ca8b2fddc0db645f6da8a23fcc325910753c37d0ffe
Instruction Fuzzy Hash: 66B1CC22B1D64AC1EA68AB29D4201B9E350EB66FD4F845139EF5D077CEEE7CE441C720

Function 00007FFDFB1A22E8 Relevance: 6.4, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFDFB343A9B
memset.VCRUNTIME140 ref: 00007FFDFB343AB2
memmove.VCRUNTIME140 ref: 00007FFDFB343AD9
memset.VCRUNTIME140 ref: 00007FFDFB343AE6
memmove.VCRUNTIME140 ref: 00007FFDFB343B1A

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memmove$memset
String ID:
API String ID: 3790616698-0
Opcode ID: 093f8d80f515eaee4f0976beeb406aa8df2a8c5bb98ba842fea8dd7f9a606363
Instruction ID: 4e90520ca7bb2a632c4de6e6c0ba49ff408d039563ad340e8a09ec0b0934eba6
Opcode Fuzzy Hash: 093f8d80f515eaee4f0976beeb406aa8df2a8c5bb98ba842fea8dd7f9a606363
Instruction Fuzzy Hash: 3951E332B1EB86C2DB10DB15E45066EABA4FB49B94F444135EEAD077E9CE3CD105C700

Function 00007FF7BD3D512C Relevance: 6.1, APIs: 4, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7BD3D515A

Part of subcall function 00007FF7BD3D48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D48BC

_get_daylight.LIBCMT ref: 00007FF7BD3D516B

Part of subcall function 00007FF7BD3D4848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D485C

_get_daylight.LIBCMT ref: 00007FF7BD3D517C

Part of subcall function 00007FF7BD3D4878: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D488C

Part of subcall function 00007FF7BD3C9F88: HeapFree.KERNEL32(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9F9E
Part of subcall function 00007FF7BD3C9F88: GetLastError.KERNEL32(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9FA8

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7BD3D53BC), ref: 00007FF7BD3D51A3

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3458911817-0
Opcode ID: aa908a3e8f59a2679ecf24881337d3af3797adb0d4fc4d825233bf145dabf6f9
Instruction ID: 01b8db909708d385df8fc9d698bb0496eb16ee311fbb955f6a634f2448fb0fc3
Opcode Fuzzy Hash: aa908a3e8f59a2679ecf24881337d3af3797adb0d4fc4d825233bf145dabf6f9
Instruction Fuzzy Hash: 24517622A0C642C6E758FF29E5901A9E750BB6A784FC4513DEB4D4369BEF3CE4008B60

Function 00007FFDFB1A2B62 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 00007FFDFB26A3D9
WSAGetLastError.WS2_32 ref: 00007FFDFB26A3E8

Strings

..\s\crypto\bio\b_sock2.c, xrefs: 00007FFDFB26A38E, 00007FFDFB26A3FE, 00007FFDFB26A41A

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: ErrorLastbind
String ID: ..\s\crypto\bio\b_sock2.c
API String ID: 2328862993-3200932406
Opcode ID: 769c29d007f33f69811d41728ff054719c46503b891464c8ad49b5064c10f0e6
Instruction ID: b3baaf7506c18f723691533905af9d716ca1234243cd866b3dddf9db8115788f
Opcode Fuzzy Hash: 769c29d007f33f69811d41728ff054719c46503b891464c8ad49b5064c10f0e6
Instruction Fuzzy Hash: D7219D32F0A25386E710DB25E920AAD77A0EB81B88F404131EA6C47BEDDF3DE5558B40

Function 00007FFDFB1A4246 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46b17bfff405d911cbf0ed16f10332b4be66aad2a683c4b6cb6413eca26ac33
Instruction ID: 3034934b09d58a0f83ea6a0d8633b04cc6c4a493c969781e60f78700529a0210
Opcode Fuzzy Hash: a46b17bfff405d911cbf0ed16f10332b4be66aad2a683c4b6cb6413eca26ac33
Instruction Fuzzy Hash: 5FF0E9327283E145C795CA36A408F592DD59391BC8F16C030DA0DC3F59E92EC5018B40

Function 00007FFDFB1A5731 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cb47f2231c500fe69675262d211844ffd3893697c7c00b0061ec7b87a542e7
Instruction ID: 443367fc066b6b07e8b46954733c218ddd65d2b6729f2e2c5a3644ed3b6f3cef
Opcode Fuzzy Hash: 47cb47f2231c500fe69675262d211844ffd3893697c7c00b0061ec7b87a542e7
Instruction Fuzzy Hash: 6DE0DF727193A505C796CA336118E692A90A716B89F43C0309A0EC3B99EC2EC601CB40

Function 00007FF7BD3B2F20 Relevance: 291.0, APIs: 55, Strings: 111, Instructions: 457libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B2F36
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B2F75
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B2F9A
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B2FBF
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B2FE7
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B300F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B3037
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B305F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7BD3B22DE,?,?,?,?), ref: 00007FF7BD3B3087

Strings

Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF7BD3B2F87
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF7BD3B2FF9
Failed to get address for Py_Initialize, xrefs: 00007FF7BD3B3191
Failed to get address for Py_Finalize, xrefs: 00007FF7BD3B3141
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF7BD3B3099
Failed to get address for PyDict_GetItemString, xrefs: 00007FF7BD3B3259
PyObject_CallFunctionObjArgs, xrefs: 00007FF7BD3B3495
Py_OptimizeFlag, xrefs: 00007FF7BD3B302D
PyList_Append, xrefs: 00007FF7BD3B33CD
Failed to get address for Py_SetProgramName, xrefs: 00007FF7BD3B3209
Failed to get address for PyModule_GetDict, xrefs: 00007FF7BD3B3461
Py_VerboseFlag, xrefs: 00007FF7BD3B3055
PyObject_Str, xrefs: 00007FF7BD3B350D
GetProcAddress, xrefs: 00007FF7BD3B2F4F
PyImport_AddModule, xrefs: 00007FF7BD3B3355
Py_IncRef, xrefs: 00007FF7BD3B314D
PyObject_GetAttrString, xrefs: 00007FF7BD3B34E5
Failed to get address for PyErr_Occurred, xrefs: 00007FF7BD3B32A9
PyObject_CallFunction, xrefs: 00007FF7BD3B346D
Failed to get address for PyList_Append, xrefs: 00007FF7BD3B33E9
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF7BD3B3049
Failed to get address for PyErr_Fetch, xrefs: 00007FF7BD3B32F9
Failed to get address for PySys_SetPath, xrefs: 00007FF7BD3B3619
PyUnicode_Decode, xrefs: 00007FF7BD3B3715
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF7BD3B34D9
Failed to get address for PyList_New, xrefs: 00007FF7BD3B3411
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF7BD3B34B1
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF7BD3B3759
Failed to get address for PySys_SetObject, xrefs: 00007FF7BD3B35F1
Failed to get address for Py_GetPath, xrefs: 00007FF7BD3B31E1
Failed to get address for Py_IncRef, xrefs: 00007FF7BD3B3169
Failed to get address for PySys_GetObject, xrefs: 00007FF7BD3B35C9
PySys_AddWarnOption, xrefs: 00007FF7BD3B355D
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF7BD3B3399
Failed to get address for PyLong_AsLong, xrefs: 00007FF7BD3B3439
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF7BD3B3781
PyUnicode_FromString, xrefs: 00007FF7BD3B3675
Failed to get address for Py_SetPath, xrefs: 00007FF7BD3B31B9
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF7BD3B3579
Py_GetPath, xrefs: 00007FF7BD3B31C5
Failed to get address for PyErr_Print, xrefs: 00007FF7BD3B32D1
Py_SetPath, xrefs: 00007FF7BD3B319D
Py_IgnoreEnvironmentFlag, xrefs: 00007FF7BD3B2FB5
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF7BD3B3551
PyUnicode_DecodeFSDefault, xrefs: 00007FF7BD3B373D
Py_NoUserSiteDirectory, xrefs: 00007FF7BD3B3005
PySys_SetObject, xrefs: 00007FF7BD3B35D5
Failed to get address for PyImport_AddModule, xrefs: 00007FF7BD3B3371
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF7BD3B2FD1
PyErr_Clear, xrefs: 00007FF7BD3B3265
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF7BD3B3349
Failed to get address for Py_BuildValue, xrefs: 00007FF7BD3B30F1
PyLong_AsLong, xrefs: 00007FF7BD3B341D
PyMarshal_ReadObjectFromString, xrefs: 00007FF7BD3B364D
Failed to get address for Py_FrozenFlag, xrefs: 00007FF7BD3B2FAC
Failed to get address for PyUnicode_Decode, xrefs: 00007FF7BD3B3731
Failed to get address for PyObject_CallFunction, xrefs: 00007FF7BD3B3489
Failed to get address for PyUnicode_Replace, xrefs: 00007FF7BD3B37D1
PyErr_Restore, xrefs: 00007FF7BD3B3305
Py_DontWriteBytecodeFlag, xrefs: 00007FF7BD3B2F2F
Py_DecRef, xrefs: 00007FF7BD3B30FD
Py_BuildValue, xrefs: 00007FF7BD3B30D5
Py_UTF8Mode, xrefs: 00007FF7BD3B30AD
Failed to get address for PyObject_Str, xrefs: 00007FF7BD3B3529
PyEval_EvalCode, xrefs: 00007FF7BD3B3625
PyUnicode_Join, xrefs: 00007FF7BD3B378D
PyUnicode_AsUTF8, xrefs: 00007FF7BD3B3765
PyObject_SetAttrString, xrefs: 00007FF7BD3B34BD
PySys_GetObject, xrefs: 00007FF7BD3B35AD
Failed to get address for Py_UTF8Mode, xrefs: 00007FF7BD3B30C9
Failed to get address for Py_DecRef, xrefs: 00007FF7BD3B3119
Py_DecodeLocale, xrefs: 00007FF7BD3B369D
Py_FrozenFlag, xrefs: 00007FF7BD3B2F90
Failed to get address for PyErr_Clear, xrefs: 00007FF7BD3B3281
Failed to get address for PyUnicode_FromString, xrefs: 00007FF7BD3B3691
Failed to get address for Py_VerboseFlag, xrefs: 00007FF7BD3B3071
Py_Initialize, xrefs: 00007FF7BD3B3175
Failed to get address for PyUnicode_Join, xrefs: 00007FF7BD3B37A9
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF7BD3B3021
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF7BD3B35A1
Py_Finalize, xrefs: 00007FF7BD3B3125
PyErr_Occurred, xrefs: 00007FF7BD3B328D
PyErr_Print, xrefs: 00007FF7BD3B32B5
Failed to get address for PyEval_EvalCode, xrefs: 00007FF7BD3B3641
PyList_New, xrefs: 00007FF7BD3B33F5
PyMem_RawFree, xrefs: 00007FF7BD3B36C5
Failed to get address for Py_SetPythonHome, xrefs: 00007FF7BD3B3231
PyImport_ImportModule, xrefs: 00007FF7BD3B33A5
Py_FileSystemDefaultEncoding, xrefs: 00007FF7BD3B2F6B
PyRun_SimpleStringFlags, xrefs: 00007FF7BD3B3535
PyErr_NormalizeException, xrefs: 00007FF7BD3B332D
Failed to get address for PyErr_Restore, xrefs: 00007FF7BD3B3321
PySys_SetPath, xrefs: 00007FF7BD3B35FD
PyUnicode_FromFormat, xrefs: 00007FF7BD3B36ED
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF7BD3B3709
PyUnicode_Replace, xrefs: 00007FF7BD3B37B5
PySys_SetArgvEx, xrefs: 00007FF7BD3B3585
PyImport_ExecCodeModule, xrefs: 00007FF7BD3B337D
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF7BD3B2F48
PyErr_Fetch, xrefs: 00007FF7BD3B32DD
PyDict_GetItemString, xrefs: 00007FF7BD3B323D
PyModule_GetDict, xrefs: 00007FF7BD3B3445
Failed to get address for Py_DecodeLocale, xrefs: 00007FF7BD3B36B9
Py_SetPythonHome, xrefs: 00007FF7BD3B3215
Py_NoSiteFlag, xrefs: 00007FF7BD3B2FDD
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF7BD3B3669
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF7BD3B3501
Py_SetProgramName, xrefs: 00007FF7BD3B31ED
Py_UnbufferedStdioFlag, xrefs: 00007FF7BD3B307D
Failed to get address for PyMem_RawFree, xrefs: 00007FF7BD3B36E1
Failed to get address for PyImport_ImportModule, xrefs: 00007FF7BD3B33C1

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 3bea514fa4f08e80501ab3dc7f797134890914dfa2bea7b2bd18d9992429628c
Instruction ID: 701580494b77783a8a6760936e13967aa9aa2bdad5c922e1fa9ccedb97e52912
Opcode Fuzzy Hash: 3bea514fa4f08e80501ab3dc7f797134890914dfa2bea7b2bd18d9992429628c
Instruction Fuzzy Hash: E942A665A0DB03D1EA5DBB0CF960174E2A1AF7A780BC4513DDA1E0726EFF7CA5489720

Function 00007FF7BD3B50B0 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B50C7
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B5106
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B512B
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B5150
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B5178
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B51A0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B51C8
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B51F0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF7BD3B5218

Strings

Tk_Init, xrefs: 00007FF7BD3B5556
Failed to get address for Tcl_Init, xrefs: 00007FF7BD3B50D9
Failed to get address for Tcl_Free, xrefs: 00007FF7BD3B554A
Tcl_Alloc, xrefs: 00007FF7BD3B5506
Tcl_GetObjResult, xrefs: 00007FF7BD3B5466
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF7BD3B513D
Tcl_SetVar2, xrefs: 00007FF7BD3B5376
Tcl_FindExecutable, xrefs: 00007FF7BD3B5121
Failed to get address for Tcl_CreateThread, xrefs: 00007FF7BD3B5202
Tcl_GetCurrentThread, xrefs: 00007FF7BD3B520E
Tcl_MutexUnlock, xrefs: 00007FF7BD3B525E
Tk_GetNumMainWindows, xrefs: 00007FF7BD3B557E
Failed to get address for Tcl_GetString, xrefs: 00007FF7BD3B53E2
Tcl_ConditionNotify, xrefs: 00007FF7BD3B52AE
Failed to get address for Tcl_EvalFile, xrefs: 00007FF7BD3B54AA
Tcl_CreateObjCommand, xrefs: 00007FF7BD3B539E
Tcl_MutexLock, xrefs: 00007FF7BD3B5236
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF7BD3B5432
Failed to get address for Tcl_Finalize, xrefs: 00007FF7BD3B518A
GetProcAddress, xrefs: 00007FF7BD3B50E0
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF7BD3B51DA
Tcl_DeleteInterp, xrefs: 00007FF7BD3B51BE
Tcl_ConditionFinalize, xrefs: 00007FF7BD3B5286
Tcl_ConditionWait, xrefs: 00007FF7BD3B52D6
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF7BD3B54FA
Tcl_NewByteArrayObj, xrefs: 00007FF7BD3B5416
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF7BD3B5118
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF7BD3B52CA
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF7BD3B5162
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF7BD3B5482
Tcl_Init, xrefs: 00007FF7BD3B50C0
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF7BD3B527A
Tcl_EvalFile, xrefs: 00007FF7BD3B548E
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF7BD3B559A
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF7BD3B5342
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF7BD3B522A
Failed to get address for Tcl_GetVar2, xrefs: 00007FF7BD3B536A
Tcl_CreateThread, xrefs: 00007FF7BD3B51E6
Tcl_EvalObjv, xrefs: 00007FF7BD3B54DE
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF7BD3B52A2
Tcl_DoOneEvent, xrefs: 00007FF7BD3B5146
Tcl_Free, xrefs: 00007FF7BD3B552E
Tcl_EvalEx, xrefs: 00007FF7BD3B54B6
Tcl_FinalizeThread, xrefs: 00007FF7BD3B5196
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF7BD3B53BA
Tcl_ThreadQueueEvent, xrefs: 00007FF7BD3B52FE
Tcl_ThreadAlert, xrefs: 00007FF7BD3B5326
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF7BD3B540A
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF7BD3B51B2
Tcl_Finalize, xrefs: 00007FF7BD3B516E
Tcl_SetVar2Ex, xrefs: 00007FF7BD3B543E
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF7BD3B52F2
Failed to get address for Tcl_Alloc, xrefs: 00007FF7BD3B5522
Failed to get address for Tcl_MutexLock, xrefs: 00007FF7BD3B5252
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF7BD3B531A
Tcl_GetVar2, xrefs: 00007FF7BD3B534E
Failed to get address for Tk_Init, xrefs: 00007FF7BD3B5572
Failed to get address for Tcl_EvalEx, xrefs: 00007FF7BD3B54D2
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF7BD3B545A
Tcl_CreateInterp, xrefs: 00007FF7BD3B50FC
Tcl_NewStringObj, xrefs: 00007FF7BD3B53EE
Failed to get address for Tcl_SetVar2, xrefs: 00007FF7BD3B5392
Tcl_GetString, xrefs: 00007FF7BD3B53C6

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 77b5a64d38601d97cc6f46ef17bc262d941289dca8cc320d3ff37db910af6723
Instruction ID: 69d35b04fdef8627c6349b3cc8a0e513b09fe4dd7d761d5941f657da2b768c6b
Opcode Fuzzy Hash: 77b5a64d38601d97cc6f46ef17bc262d941289dca8cc320d3ff37db910af6723
Instruction Fuzzy Hash: 51E1C565A5DB07D0EE0DBB0CA960174E2A1AF3A780BD8513DDB0D0726EFF7CA5489724

Function 00007FFE11EB5650 Relevance: 73.9, APIs: 37, Strings: 5, Instructions: 356COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EB5670
PyList_New.PYTHON311 ref: 00007FFE11EB56DC
PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EB571B
PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EB5739
PyErr_Occurred.PYTHON311 ref: 00007FFE11EB574B
PyDict_SetItem.PYTHON311 ref: 00007FFE11EB5764
Py_BuildValue.PYTHON311 ref: 00007FFE11EB577F
PyObject_Call.PYTHON311 ref: 00007FFE11EB57A1
_Py_Dealloc.PYTHON311 ref: 00007FFE11EB57C0
PyTuple_New.PYTHON311 ref: 00007FFE11EB580E
PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EB582D
PyObject_Call.PYTHON311 ref: 00007FFE11EB5855
_Py_Dealloc.PYTHON311 ref: 00007FFE11EB5874
PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EB58C2
PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EB58E0
PyErr_Occurred.PYTHON311 ref: 00007FFE11EB58F2
PyDict_SetItem.PYTHON311 ref: 00007FFE11EB590B
PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EB5940
_Py_Dealloc.PYTHON311 ref: 00007FFE11EB59AD
_Py_Dealloc.PYTHON311 ref: 00007FFE11EB59C7

Strings

(NN), xrefs: 00007FFE11EB5775
StartElement, xrefs: 00007FFE11EC2CD5
CharacterData, xrefs: 00007FFE11EC2B21
D:\a\1\s\Modules\pyexpat.c, xrefs: 00007FFE11EC2B1A, 00007FFE11EC2CCE
strict, xrefs: 00007FFE11EB5711, 00007FFE11EB5823, 00007FFE11EB58BB, 00007FFE11EB5939

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: DeallocDecodeDict_ItemUnicode_$Err_Occurred$CallErrorObject_With$BuildList_Tuple_Value
String ID: (NN)$CharacterData$D:\a\1\s\Modules\pyexpat.c$StartElement$strict
API String ID: 1108465364-2450736762
Opcode ID: ec1538620baa8ccbbed54320d37762024d44c978dd331c21885a558486103a2e
Instruction ID: 6b0a4e1648f6cee860728bcce58b9fb7642ff89f6054ec459e1b6089ce4959fe
Opcode Fuzzy Hash: ec1538620baa8ccbbed54320d37762024d44c978dd331c21885a558486103a2e
Instruction Fuzzy Hash: EFF13335A09E4382EB658FA3AC4427B63A8BF45FB0F4850B2DA4E067B0DE3CF4458704

Function 00007FFE11EB1000 Relevance: 59.7, APIs: 17, Strings: 17, Instructions: 171COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FFE11EB100D
PyUnicode_InternFromString.PYTHON311 ref: 00007FFE11EB101D
PyType_FromModuleAndSpec.PYTHON311 ref: 00007FFE11EB103D

Part of subcall function 00007FFE11EB1420: PyDescr_NewGetSet.PYTHON311(?,?,?,00007FFE11EB1057), ref: 00007FFE11EB1488
Part of subcall function 00007FFE11EB1420: PyDict_SetDefault.PYTHON311(?,?,?,00007FFE11EB1057), ref: 00007FFE11EB14A7

PyErr_NewException.PYTHON311 ref: 00007FFE11EB106B
PyModule_AddObjectRef.PYTHON311 ref: 00007FFE11EB108B
PyModule_AddObjectRef.PYTHON311 ref: 00007FFE11EB10A7
PyModule_AddObjectRef.PYTHON311 ref: 00007FFE11EB10C2
PyModule_AddStringConstant.PYTHON311 ref: 00007FFE11EB10E1
Py_BuildValue.PYTHON311 ref: 00007FFE11EB1101
PyModule_AddObject.PYTHON311 ref: 00007FFE11EB1117
PyModule_AddStringConstant.PYTHON311 ref: 00007FFE11EB1136

Part of subcall function 00007FFE11EB1A9C: PyDict_New.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1ACD
Part of subcall function 00007FFE11EB1A9C: PyDict_New.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1AD6
Part of subcall function 00007FFE11EB1A9C: PyModule_AddStringConstant.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1B37
Part of subcall function 00007FFE11EB1A9C: PyModule_AddObject.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1B55
Part of subcall function 00007FFE11EB1A9C: PyModule_AddObject.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1B7D

Part of subcall function 00007FFE11EB15A8: PyModule_AddStringConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB15DD
Part of subcall function 00007FFE11EB15A8: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB15F9
Part of subcall function 00007FFE11EB15A8: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB1615
Part of subcall function 00007FFE11EB15A8: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB1631
Part of subcall function 00007FFE11EB15A8: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB164D
Part of subcall function 00007FFE11EB15A8: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB1669
Part of subcall function 00007FFE11EB15A8: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB1685
Part of subcall function 00007FFE11EB15A8: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB169C
Part of subcall function 00007FFE11EB15A8: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB16B4
Part of subcall function 00007FFE11EB15A8: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB16CC
Part of subcall function 00007FFE11EB15A8: PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB16E4

Part of subcall function 00007FFE11EB1354: PyList_New.PYTHON311(?,?,00000000,00007FFE11EB116C), ref: 00007FFE11EB1371
Part of subcall function 00007FFE11EB1354: Py_BuildValue.PYTHON311(?,?,00000000,00007FFE11EB116C), ref: 00007FFE11EB139F
Part of subcall function 00007FFE11EB1354: PyList_Append.PYTHON311(?,?,00000000,00007FFE11EB116C), ref: 00007FFE11EB13B7
Part of subcall function 00007FFE11EB1354: PyModule_AddObject.PYTHON311(?,?,00000000,00007FFE11EB116C), ref: 00007FFE11EB13F0

PyModule_AddIntConstant.PYTHON311 ref: 00007FFE11EB1181
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE11EB119F
PyModule_AddIntConstant.PYTHON311 ref: 00007FFE11EB11BD
PyCapsule_New.PYTHON311 ref: 00007FFE11EB1319
PyModule_AddObject.PYTHON311 ref: 00007FFE11EB1334
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC087D

Strings

(iii), xrefs: 00007FFE11EB10F2
expat_CAPI, xrefs: 00007FFE11EB132A
pyexpat.expat_CAPI, xrefs: 00007FFE11EB11E0
EXPAT_VERSION, xrefs: 00007FFE11EB10DA
XML_PARAM_ENTITY_PARSING_ALWAYS, xrefs: 00007FFE11EB11B3
native_encoding, xrefs: 00007FFE11EB112F
expat_2.5.0, xrefs: 00007FFE11EB10D0
UTF-8, xrefs: 00007FFE11EB1125
XMLParserType, xrefs: 00007FFE11EB10B8
version_info, xrefs: 00007FFE11EB1107
read, xrefs: 00007FFE11EB1013
pyexpat.expat_CAPI 1.1, xrefs: 00007FFE11EB11D2
ExpatError, xrefs: 00007FFE11EB109D
error, xrefs: 00007FFE11EB1081
xml.parsers.expat.ExpatError, xrefs: 00007FFE11EB1062
XML_PARAM_ENTITY_PARSING_UNLESS_STANDALONE, xrefs: 00007FFE11EB1195
XML_PARAM_ENTITY_PARSING_NEVER, xrefs: 00007FFE11EB1177

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Module_$Constant$Object$String$Dict_$BuildFromList_Value$AppendCapsule_DeallocDefaultDescr_Err_ExceptionInternModuleSpecStateType_Unicode_
String ID: (iii)$EXPAT_VERSION$ExpatError$UTF-8$XMLParserType$XML_PARAM_ENTITY_PARSING_ALWAYS$XML_PARAM_ENTITY_PARSING_NEVER$XML_PARAM_ENTITY_PARSING_UNLESS_STANDALONE$error$expat_2.5.0$expat_CAPI$native_encoding$pyexpat.expat_CAPI$pyexpat.expat_CAPI 1.1$read$version_info$xml.parsers.expat.ExpatError
API String ID: 235282681-1039362492
Opcode ID: 0d2f8b653efa714e59c4df950fb5ca91b7968f6d6ff7bf994debafffa61f2783
Instruction ID: 8ca4943924843608f26eaf62135aa829c70df3cf1d050f5bbe6ce5933531abe0
Opcode Fuzzy Hash: 0d2f8b653efa714e59c4df950fb5ca91b7968f6d6ff7bf994debafffa61f2783
Instruction Fuzzy Hash: FF918024A0AF0395EB019BA7FD502AB23ADBF457B4F4461B6C90D427B0EF3EE1198354

Function 00007FFE1A458EE4 Relevance: 58.1, APIs: 4, Strings: 29, Instructions: 382COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459455
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45948A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4594C3

Strings

wchar_t, xrefs: 00007FFE1A459376
__int128, xrefs: 00007FFE1A45917C
char8_t, xrefs: 00007FFE1A459205
this , xrefs: 00007FFE1A45937F
decltype(auto), xrefs: 00007FFE1A45932C
UNKNOWN, xrefs: 00007FFE1A459358
__int16, xrefs: 00007FFE1A4590EC
__w64 , xrefs: 00007FFE1A45910A
void, xrefs: 00007FFE1A459048
__int8, xrefs: 00007FFE1A4590FE
__int32, xrefs: 00007FFE1A45919A
long , xrefs: 00007FFE1A458FF3
float, xrefs: 00007FFE1A459036
const, xrefs: 00007FFE1A4592B3
volatile, xrefs: 00007FFE1A4592FB
long, xrefs: 00007FFE1A458F7E
int, xrefs: 00007FFE1A458F90
short, xrefs: 00007FFE1A458FA2
__int64, xrefs: 00007FFE1A45918B
volatile, xrefs: 00007FFE1A4592CE
char, xrefs: 00007FFE1A458FB4
char32_t, xrefs: 00007FFE1A4593D7
<unknown>, xrefs: 00007FFE1A4591F6
bool, xrefs: 00007FFE1A4591AC
double, xrefs: 00007FFE1A45900A
signed , xrefs: 00007FFE1A459422
auto, xrefs: 00007FFE1A459217
unsigned , xrefs: 00007FFE1A459412
char16_t, xrefs: 00007FFE1A4591E4

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
API String ID: 2943138195-1482988683
Opcode ID: 36e6e2d055789cd29251c4bf9697f6c8a4377c58ea8e1572b96a4f003d2d3a05
Instruction ID: 7dbdcc0aec0229bd67dc74b7a8b344ddb4082a3b9b28ae3fc64f9eee612ad8f4
Opcode Fuzzy Hash: 36e6e2d055789cd29251c4bf9697f6c8a4377c58ea8e1572b96a4f003d2d3a05
Instruction Fuzzy Hash: 8D0281B6F08E1294FB14EB66D8941BC27B0BB0AB64F5441F7DA0D52AB9DF3CA564C340

Function 00007FFDFB3541F0 Relevance: 49.7, APIs: 19, Strings: 14, Instructions: 223stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB354241
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB354258
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB35426F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB3542A2
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB3542EB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB35431F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB354371
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB354384
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB35439B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB3543AE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB3543C5
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB3543D8
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB3543EF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB354402
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB354415
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB354428
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB35443B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB354487
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00007FFDFB354E33,?,?,?,?,?,?,?,?,00007FFDFB352E4B), ref: 00007FFDFB3544B2

Strings

X509 CERTIFICATE, xrefs: 00007FFDFB354391, 00007FFDFB35440B
CMS, xrefs: 00007FFDFB3544B7
CERTIFICATE, xrefs: 00007FFDFB3543A4, 00007FFDFB3543E5, 00007FFDFB354431, 00007FFDFB3544A8
ANY PRIVATE KEY, xrefs: 00007FFDFB354237
PKCS #7 SIGNED DATA, xrefs: 00007FFDFB35447D
NEW CERTIFICATE REQUEST, xrefs: 00007FFDFB3543BB
PKCS7, xrefs: 00007FFDFB354442
CERTIFICATE REQUEST, xrefs: 00007FFDFB3543CE
PRIVATE KEY, xrefs: 00007FFDFB354265, 00007FFDFB354294
DH PARAMETERS, xrefs: 00007FFDFB35437A
PARAMETERS, xrefs: 00007FFDFB3542E1, 00007FFDFB354311
X9.42 DH PARAMETERS, xrefs: 00007FFDFB354367
TRUSTED CERTIFICATE, xrefs: 00007FFDFB3543F8, 00007FFDFB35441E
ENCRYPTED PRIVATE KEY, xrefs: 00007FFDFB35424E

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strcmp
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
API String ID: 1004003707-1119032718
Opcode ID: 5faaf54baf5283146832f0d94d5468780e9adc20c66d13194ea508598b332b28
Instruction ID: 7cbc1fd0439f93f08adbf8878ed6ef511716744a8dac1ef1443cdf87db9aca02
Opcode Fuzzy Hash: 5faaf54baf5283146832f0d94d5468780e9adc20c66d13194ea508598b332b28
Instruction Fuzzy Hash: 3E91EF61BCE65742FF58A7269A70A7826D19F45B88F462131D97E822FEEF1CF4068300

Function 00007FFE11EBCAD0 Relevance: 44.0, APIs: 17, Strings: 8, Instructions: 277COMMON

Download Yara Rule

APIs

PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FFE11EBCB97
PyDict_New.PYTHON311 ref: 00007FFE11EBCC09
PyModule_GetState.PYTHON311 ref: 00007FFE11EBCC24
_PyObject_GC_New.PYTHON311 ref: 00007FFE11EBCC2D
PyMem_Malloc.PYTHON311 ref: 00007FFE11EBCD2C
PyObject_GC_Track.PYTHON311 ref: 00007FFE11EBCD69
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FFE11EBCDCB
_PyArg_UnpackKeywords.PYTHON311 ref: 00007FFE11EC5A9E
_PyArg_BadArgument.PYTHON311 ref: 00007FFE11EC5AD6
PyErr_SetString.PYTHON311 ref: 00007FFE11EC5B2E

Strings

namespace_separator must be at most one character, omitted, or None, xrefs: 00007FFE11EC5B1D
XML_ParserCreate failed, xrefs: 00007FFE11EC5B7B
str or None, xrefs: 00007FFE11EC5AC1, 00007FFE11EC5AF3
intern must be a dictionary, xrefs: 00007FFE11EC5B5E
embedded null character, xrefs: 00007FFE11EC5AEA
argument 'encoding', xrefs: 00007FFE11EC5AC8
argument 'namespace_separator', xrefs: 00007FFE11EC5AFA
ParserCreate, xrefs: 00007FFE11EC5ACF, 00007FFE11EC5B01

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Arg_Object_SizeUnicode_$ArgumentDict_Err_KeywordsMallocMem_Module_StateStringTrackUnpack
String ID: ParserCreate$XML_ParserCreate failed$argument 'encoding'$argument 'namespace_separator'$embedded null character$intern must be a dictionary$namespace_separator must be at most one character, omitted, or None$str or None
API String ID: 2842625026-809047262
Opcode ID: 9de47e51edb65ea99209e14fea0ba0e77745f753954ab8dae8a519e15648c6aa
Instruction ID: 0be57a4ae5de4f5ebe77e0c702be83b3651a58dba96532799df6a841617b5d33
Opcode Fuzzy Hash: 9de47e51edb65ea99209e14fea0ba0e77745f753954ab8dae8a519e15648c6aa
Instruction Fuzzy Hash: 9AC13426A0DF4282EF658B96EC8027A67A8FF45BB0F5451B6DA1E077B0DF3CE4558700

Function 00007FFE11EB5421 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 209COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EB544C
PyTuple_New.PYTHON311 ref: 00007FFE11EB54A6
PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EB54C5
PyObject_Call.PYTHON311 ref: 00007FFE11EB54ED
_Py_Dealloc.PYTHON311 ref: 00007FFE11EB550D
PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EB5559
PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EB5577
_Py_Dealloc.PYTHON311 ref: 00007FFE11EB5595
Py_BuildValue.PYTHON311 ref: 00007FFE11EB55A8
PyObject_Call.PYTHON311 ref: 00007FFE11EB55CF
_Py_Dealloc.PYTHON311 ref: 00007FFE11EB55EE
PyErr_Occurred.PYTHON311 ref: 00007FFE11EB5622
PyDict_SetItem.PYTHON311 ref: 00007FFE11EB563B
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC29BF
_PyTraceback_Add.PYTHON311 ref: 00007FFE11EC29FC
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC2A67

Strings

EndElement, xrefs: 00007FFE11EC2A82
CharacterData, xrefs: 00007FFE11EC29F5
(N), xrefs: 00007FFE11EB55A1
D:\a\1\s\Modules\pyexpat.c, xrefs: 00007FFE11EC29EE, 00007FFE11EC2A7B
strict, xrefs: 00007FFE11EB54BB, 00007FFE11EB554F

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$CallDecodeDict_Err_ItemObject_OccurredUnicode_$BuildErrorTraceback_Tuple_ValueWith
String ID: (N)$CharacterData$D:\a\1\s\Modules\pyexpat.c$EndElement$strict
API String ID: 2795322658-1455353876
Opcode ID: 7b35b030cee3a01824993ae3c3782c2dba0e933724c7249c1410480d19b91b92
Instruction ID: a646c05a783d438abda6cb36d27b53dd8703f12be80bcc6049b3cc653282c353
Opcode Fuzzy Hash: 7b35b030cee3a01824993ae3c3782c2dba0e933724c7249c1410480d19b91b92
Instruction Fuzzy Hash: 73913731A09E4386EB658FA7ED4427A63A9FF49BB0F4850B5CA4E46774DF3DE4458300

Function 00007FFE11EB15A8 Relevance: 42.1, APIs: 11, Strings: 13, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE11EB1504: strrchr.VCRUNTIME140(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1526
Part of subcall function 00007FFE11EB1504: PyModule_New.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1532
Part of subcall function 00007FFE11EB1504: PyUnicode_FromString.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1543
Part of subcall function 00007FFE11EB1504: _PyImport_SetModule.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB155B
Part of subcall function 00007FFE11EB1504: PyModule_AddObject.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB157D

PyModule_AddStringConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB15DD
PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB15F9
PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB1615
PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB1631
PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB164D
PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB1669
PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB1685
PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB169C
PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB16B4
PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB16CC
PyModule_AddIntConstant.PYTHON311(?,?,00000000,00007FFE11EB115C), ref: 00007FFE11EB16E4

Strings

pyexpat.model, xrefs: 00007FFE11EB15B2
XML_CQUANT_REP, xrefs: 00007FFE11EB16C5
XML_CQUANT_PLUS, xrefs: 00007FFE11EB16DD
XML_CTYPE_NAME, xrefs: 00007FFE11EB1646
XML_CTYPE_CHOICE, xrefs: 00007FFE11EB1662
XML_CQUANT_OPT, xrefs: 00007FFE11EB16AD
XML_CTYPE_SEQ, xrefs: 00007FFE11EB167E
XML_CTYPE_MIXED, xrefs: 00007FFE11EB162A
XML_CTYPE_ANY, xrefs: 00007FFE11EB160E
XML_CQUANT_NONE, xrefs: 00007FFE11EB1692
__doc__, xrefs: 00007FFE11EB15D6
XML_CTYPE_EMPTY, xrefs: 00007FFE11EB15F2
Constants used to interpret content model information., xrefs: 00007FFE11EB15CC

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Module_$Constant$String$FromImport_ModuleObjectUnicode_strrchr
String ID: Constants used to interpret content model information.$XML_CQUANT_NONE$XML_CQUANT_OPT$XML_CQUANT_PLUS$XML_CQUANT_REP$XML_CTYPE_ANY$XML_CTYPE_CHOICE$XML_CTYPE_EMPTY$XML_CTYPE_MIXED$XML_CTYPE_NAME$XML_CTYPE_SEQ$__doc__$pyexpat.model
API String ID: 3546453425-788580754
Opcode ID: 6f809eb47c2d32f2b44fb7ca14c0080896cc1be493fd68ee0d64ff1e60cc6176
Instruction ID: 6ba055c7965f9d072ae30080c888bf4a8f7b9793e3547f06ac9b93136daca91f
Opcode Fuzzy Hash: 6f809eb47c2d32f2b44fb7ca14c0080896cc1be493fd68ee0d64ff1e60cc6176
Instruction Fuzzy Hash: 2F314524B1CD5392EB148FA3ED501A7236DBF00BB5B84A172C96D86574DF6DF909C710

Function 00007FFE13305568 Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 148COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFE1330558D
_PyUnicode_Ready.PYTHON311 ref: 00007FFE133055F8
_PyUnicode_Ready.PYTHON311 ref: 00007FFE13305610
PyBool_FromLong.PYTHON311 ref: 00007FFE133057A7

Strings

Buffer must be single dimension, xrefs: 00007FFE133056FE, 00007FFE13305747
compare_digest, xrefs: 00007FFE13305580
unsupported operand types(s) or combination of types: '%.100s' and '%.100s', xrefs: 00007FFE133056B0
comparing strings with non-ASCII characters is not supported, xrefs: 00007FFE1330567B

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: ReadyUnicode_$Arg_Bool_CheckFromLongPositional
String ID: Buffer must be single dimension$compare_digest$comparing strings with non-ASCII characters is not supported$unsupported operand types(s) or combination of types: '%.100s' and '%.100s'
API String ID: 960716163-2538118963
Opcode ID: fb16102ad7aedabbae2b720364eef6ebaee46cbfe74884b07019a587325ceb3c
Instruction ID: d9182b26bbe81dc5205f0afe3f0e5a84177ddce808d1c73d159c84dc49addaec
Opcode Fuzzy Hash: fb16102ad7aedabbae2b720364eef6ebaee46cbfe74884b07019a587325ceb3c
Instruction Fuzzy Hash: AF61AE61A0CE46CAFB208B27E45427D23A0FFA4BA4F5451B1DA6E676F4DF2CE445C708

Function 00007FFDFB1A1B77 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 204stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB35345A
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB35349A
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3534BE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3534D7
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3534F3
strspn.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB35350C

Strings

ENCRYPTED, xrefs: 00007FFDFB3534CA
, xrefs: 00007FFDFB3534E9
Proc-Type:, xrefs: 00007FFDFB353453
DEK-Info:, xrefs: 00007FFDFB353547
..\s\crypto\pem\pem_lib.c, xrefs: 00007FFDFB353474, 00007FFDFB353527, 00007FFDFB353569, 00007FFDFB3535DE, 00007FFDFB353626, 00007FFDFB353654, 00007FFDFB353709
,, xrefs: 00007FFDFB35359A
, xrefs: 00007FFDFB353502

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strspn$strncmp
String ID: $ $ ,$..\s\crypto\pem\pem_lib.c$DEK-Info:$ENCRYPTED$Proc-Type:
API String ID: 1384302209-3505811795
Opcode ID: 1b869f1a6eac8aeb398c7f487eda61ac9ae1a2185d31ed71d5288b5492fc2b28
Instruction ID: 905123f1040e50d07e9ce5430beb8f4f5ecca839b2e6859b98a244e413b5d175
Opcode Fuzzy Hash: 1b869f1a6eac8aeb398c7f487eda61ac9ae1a2185d31ed71d5288b5492fc2b28
Instruction Fuzzy Hash: 5991D061F5EA5796E7209F21A9A09B93790EF00788F404034DA6E476F9EF3CF556C740

Function 00007FFE13301650 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 128threadCOMMON

Download Yara Rule

APIs

PyObject_CheckBuffer.PYTHON311 ref: 00007FFE13301674
PyObject_GetBuffer.PYTHON311 ref: 00007FFE133016A2
PyEval_SaveThread.PYTHON311 ref: 00007FFE133016CF
PyThread_acquire_lock.PYTHON311 ref: 00007FFE133016E1
EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 00007FFE13301711
PyThread_release_lock.PYTHON311 ref: 00007FFE13301730
PyEval_RestoreThread.PYTHON311 ref: 00007FFE13301739
PyBuffer_Release.PYTHON311 ref: 00007FFE13301744
EVP_DigestUpdate.LIBCRYPTO-1_1 ref: 00007FFE133017C1
PyBuffer_Release.PYTHON311 ref: 00007FFE133017DF
PyThread_allocate_lock.PYTHON311 ref: 00007FFE133017EA
PyErr_SetString.PYTHON311 ref: 00007FFE13301807
PyErr_SetString.PYTHON311 ref: 00007FFE13304C77
PyBuffer_Release.PYTHON311 ref: 00007FFE13304CB0

Strings

Buffer must be single dimension, xrefs: 00007FFE13304C6D
Strings must be encoded before hashing, xrefs: 00007FFE133017F6
object supporting the buffer API required, xrefs: 00007FFE13304C5A

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Buffer_Release$BufferDigestErr_Eval_Object_StringThreadUpdate$CheckRestoreSaveThread_acquire_lockThread_allocate_lockThread_release_lock
String ID: Buffer must be single dimension$Strings must be encoded before hashing$object supporting the buffer API required
API String ID: 3566613315-2943709887
Opcode ID: a1547ea42d92a3772ce6650c4cebde31e608418f5351fa5d4bab7438ae3a001c
Instruction ID: a72c75207f78c1545a26d3462e8e4c3158f20d9a3f221e916952bcf436952847
Opcode Fuzzy Hash: a1547ea42d92a3772ce6650c4cebde31e608418f5351fa5d4bab7438ae3a001c
Instruction Fuzzy Hash: 71514A25B08E428AE7258B27E84423D63A1FBA4FB4F5441B1DD6E63AB4DF3CE4458744

Function 00007FFE1A45C78C Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 289COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C81D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C856
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C92A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C93B
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C9A3
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C9B3
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C9FF
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CA11
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CB83

Part of subcall function 00007FFE1A45E72C: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45E786

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CC05
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CC14

Strings

`anonymous namespace', xrefs: 00007FFE1A45CAE3

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 3863519203-3062148218
Opcode ID: 29843075ff213e4678463bd9e4c4852a4219599ce3764149382065ef125c3596
Instruction ID: 6a758915081d58248ca3c32c78a191dc0b8c5a9bcc3ca2fce3e8a3b1add8117b
Opcode Fuzzy Hash: 29843075ff213e4678463bd9e4c4852a4219599ce3764149382065ef125c3596
Instruction Fuzzy Hash: 89E15AB2B08F8295EB10EF26E4801BC7BA0FB45BA4F5041B6EA5D57B65DF38E564C700

Function 00007FFE11EB1A9C Relevance: 28.1, APIs: 11, Strings: 5, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE11EB1504: strrchr.VCRUNTIME140(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1526
Part of subcall function 00007FFE11EB1504: PyModule_New.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1532
Part of subcall function 00007FFE11EB1504: PyUnicode_FromString.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1543
Part of subcall function 00007FFE11EB1504: _PyImport_SetModule.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB155B
Part of subcall function 00007FFE11EB1504: PyModule_AddObject.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB157D

PyDict_New.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1ACD
PyDict_New.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1AD6
PyModule_AddStringConstant.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1B37
PyModule_AddObject.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1B55
PyModule_AddObject.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1B7D

Part of subcall function 00007FFE11EB1BC0: PyModule_AddStringConstant.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1C16
Part of subcall function 00007FFE11EB1BC0: PyLong_FromLong.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1C26
Part of subcall function 00007FFE11EB1BC0: PyDict_SetItemString.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1C3D
Part of subcall function 00007FFE11EB1BC0: PyUnicode_FromString.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1C4E
Part of subcall function 00007FFE11EB1BC0: PyDict_SetItem.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1C69

_Py_Dealloc.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EC0B66
_Py_Dealloc.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EC0B82
_Py_Dealloc.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EC0B91
_Py_Dealloc.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EC0BA5
_Py_Dealloc.PYTHON311(?,?,?,00007FFE11EB114C), ref: 00007FFE11EC0BB0

Strings

pyexpat.errors, xrefs: 00007FFE11EB1AB5
Constants used to describe error conditions., xrefs: 00007FFE11EB1B26
__doc__, xrefs: 00007FFE11EB1B30
messages, xrefs: 00007FFE11EB1B70
codes, xrefs: 00007FFE11EB1B48

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Module_$DeallocString$Dict_$FromObject$ConstantItemUnicode_$Import_LongLong_Modulestrrchr
String ID: Constants used to describe error conditions.$__doc__$codes$messages$pyexpat.errors
API String ID: 2569741488-1115447882
Opcode ID: c1e41d8709b64e828bdf0e6f325532cf85e1998db5eab65bac950ab610a439a0
Instruction ID: bb001fd6783fca7039b841fecf09ba144d5791e92f5e9c507af096d637716025
Opcode Fuzzy Hash: c1e41d8709b64e828bdf0e6f325532cf85e1998db5eab65bac950ab610a439a0
Instruction Fuzzy Hash: 79410835A08E4381EF189FA3ED5427A67ADBF46BB4F4861B1DA0F426B4DE2CF5518300

Function 00007FFE11EB2F20 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 331COMMON

Download Yara Rule

APIs

_PyLong_AsInt.PYTHON311 ref: 00007FFE11EB2F7E
PyType_GetModuleState.PYTHON311 ref: 00007FFE11EB2FA2
PyObject_GetBuffer.PYTHON311 ref: 00007FFE11EB2FCF
memcpy.VCRUNTIME140 ref: 00007FFE11EB3060
PyBuffer_Release.PYTHON311 ref: 00007FFE11EB310C
PyErr_Occurred.PYTHON311 ref: 00007FFE11EB3112
PyLong_FromLong.PYTHON311 ref: 00007FFE11EB313D
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FFE11EB317D
memcpy.VCRUNTIME140 ref: 00007FFE11EB31E8
_PyArg_UnpackKeywords.PYTHON311 ref: 00007FFE11EC1190
PyErr_Occurred.PYTHON311 ref: 00007FFE11EC11AA

Strings

utf-8, xrefs: 00007FFE11EB31B0
), xrefs: 00007FFE11EB30FA
xml=http://www.w3.org/XML/1998/namespace, xrefs: 00007FFE11EB3230
), xrefs: 00007FFE11EB2FEF

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Err_Long_Occurredmemcpy$Arg_BufferBuffer_FromKeywordsLongModuleObject_ReleaseSizeStateType_Unicode_Unpack
String ID: )$)$utf-8$xml=http://www.w3.org/XML/1998/namespace
API String ID: 3949833915-3008315473
Opcode ID: ef3439f6a5de1ea3a5c19d6bac1bee45308c51c526ee5f09446c2ef53c21038d
Instruction ID: d7915aced36367889b2bb6aa1f4c07a2ce81a182c2bfd0f0cfb5ec568a7421b2
Opcode Fuzzy Hash: ef3439f6a5de1ea3a5c19d6bac1bee45308c51c526ee5f09446c2ef53c21038d
Instruction Fuzzy Hash: 7FE15F76A0DB8682EB618FA29C453AA22ADFF44FA4F544076CE4D477A4DF3CE4808754

Function 00007FFDFB1A4E44 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 205registryfileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFDFB2ADE44
GetFileType.KERNEL32 ref: 00007FFDFB2ADE55
__stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFB2ADE91
WriteFile.KERNEL32 ref: 00007FFDFB2ADEB9
MultiByteToWideChar.KERNEL32 ref: 00007FFDFB2ADF26
__stdio_common_vswprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFB2AE0B5
RegisterEventSourceW.ADVAPI32 ref: 00007FFDFB2AE0D4
ReportEventW.ADVAPI32 ref: 00007FFDFB2AE116
DeregisterEventSource.ADVAPI32 ref: 00007FFDFB2AE11F

Strings

no stack?, xrefs: 00007FFDFB2ADF0C
OpenSSL: FATAL, xrefs: 00007FFDFB2AE12D
OpenSSL, xrefs: 00007FFDFB2AE0CD
, xrefs: 00007FFDFB2ADF40

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite__stdio_common_vsprintf__stdio_common_vswprintf
String ID: $OpenSSL$OpenSSL: FATAL$no stack?
API String ID: 2603057392-2963566556
Opcode ID: 75131406242315063b9eb8b61f751d263e868ede2efdb133bf2f38d68100ef13
Instruction ID: dc649143297beeeeea613eb550f854a08adf828ff5dcf86a72242b6124115709
Opcode Fuzzy Hash: 75131406242315063b9eb8b61f751d263e868ede2efdb133bf2f38d68100ef13
Instruction Fuzzy Hash: 98910533B09B8391EB209F24D8649AD3764FB45B98F404635EA6D5BBE8EF38E155C300

Function 00007FFE1A45D5B0 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 359COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00007FFE1A458B34), ref: 00007FFE1A45DA16
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45DA55
swprintf_s.PGOCR ref: 00007FFE1A45DA75
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45DA85
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45DAD5

Strings

`generic-class-parameter-, xrefs: 00007FFE1A45DAE6
`template-type-parameter-, xrefs: 00007FFE1A45DAF6
NULL, xrefs: 00007FFE1A45D67D
`generic-method-parameter-, xrefs: 00007FFE1A45DAA2
lambda, xrefs: 00007FFE1A45D974
nullptr, xrefs: 00007FFE1A45D799

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: NameName::$Name::operator+atolswprintf_s
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
API String ID: 2331677841-2441609178
Opcode ID: 9797e925e62f8d7d60f646e305733279f9163504f8593401decf67f28b7cb35e
Instruction ID: a0640689a17bf5f943b04cc540ad424429349c19d9146e0dc1704bca9f803f80
Opcode Fuzzy Hash: 9797e925e62f8d7d60f646e305733279f9163504f8593401decf67f28b7cb35e
Instruction Fuzzy Hash: 0DF19FA2F0CE4294FB14FB6685541BC27B1AF44F64F0401F7C98D26AB5DE3CA96AC340

Function 00007FF7BD3B6C00 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 113COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7BD3B6C3C

Part of subcall function 00007FF7BD3B1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF7BD3B6914,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B1CD7

Strings

WideCharToMultiByte, xrefs: 00007FF7BD3B6D5C
Failed to get ANSI buffer size., xrefs: 00007FF7BD3B6CFD
MultiByteToWideChar, xrefs: 00007FF7BD3B6C50, 00007FF7BD3B6CBD
win32_utils_from_utf8, xrefs: 00007FF7BD3B6C79
Failed to encode filename as ANSI., xrefs: 00007FF7BD3B6D55
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7BD3B6CB6
win32_wcs_to_mbs, xrefs: 00007FF7BD3B6D1B
Failed to get wchar_t buffer size., xrefs: 00007FF7BD3B6C49
Out of memory., xrefs: 00007FF7BD3B6C80, 00007FF7BD3B6D22

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$WideCharToMultiByte$win32_utils_from_utf8$win32_wcs_to_mbs
API String ID: 203985260-1562484376
Opcode ID: c6af48c2a72f93560c75fce8b7fe5bee055e0ffe2315a87dca28ecb6449ed662
Instruction ID: a680af05ea21ee1ed3b8fa1f65f83a728125c3a93026b5def0747f8563ad7766
Opcode Fuzzy Hash: c6af48c2a72f93560c75fce8b7fe5bee055e0ffe2315a87dca28ecb6449ed662
Instruction Fuzzy Hash: 5E419461A0DA02C1E618BB19AC5017AF6A1AF667C0FC8453CEB4D4769FFF3CE1418720

Function 00007FFE13305B70 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FFE13305C26
PyObject_GetBuffer.PYTHON311 ref: 00007FFE13305C43
PyBuffer_IsContiguous.PYTHON311 ref: 00007FFE13305C58
_PyArg_BadArgument.PYTHON311 ref: 00007FFE13305C7A
PyObject_GetBuffer.PYTHON311 ref: 00007FFE13305C91
PyBuffer_IsContiguous.PYTHON311 ref: 00007FFE13305CA5
_PyArg_BadArgument.PYTHON311 ref: 00007FFE13305CC8
PyBuffer_Release.PYTHON311 ref: 00007FFE13305CF9
PyBuffer_Release.PYTHON311 ref: 00007FFE13305D12

Strings

argument 'msg', xrefs: 00007FFE13305CBA
argument 'key', xrefs: 00007FFE13305C6C
contiguous buffer, xrefs: 00007FFE13305C65, 00007FFE13305CB3
hmac_digest, xrefs: 00007FFE13305C73, 00007FFE13305CC1

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Buffer_$Arg_$ArgumentBufferContiguousObject_Release$KeywordsUnpack
String ID: argument 'key'$argument 'msg'$contiguous buffer$hmac_digest
API String ID: 3345984100-3409375717
Opcode ID: 5845a12e731993df909c334ade5d379dbbea437c27d36fd20dbefa8c412e903a
Instruction ID: 3652595bbfac9e710dd1ea5e69cb8c4d9a5ff3b09fde23b95081a7e8c003a3d2
Opcode Fuzzy Hash: 5845a12e731993df909c334ade5d379dbbea437c27d36fd20dbefa8c412e903a
Instruction Fuzzy Hash: C2518022A0CF8685FB20CB26E8443BE6360FBB57A8F405171E99D56575DF7CE588C704

Function 00007FFDFB1A1C1C Relevance: 21.3, APIs: 5, Strings: 9, Instructions: 267stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB251893
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2519BC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2519CF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB251B6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB251B7F

Part of subcall function 00007FFDFB253690: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB253753
Part of subcall function 00007FFDFB253690: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB25376B
Part of subcall function 00007FFDFB253690: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB253788

Strings

boundary, xrefs: 00007FFDFB2518A4
application/pkcs7-signature, xrefs: 00007FFDFB2519C5
application/pkcs7-mime, xrefs: 00007FFDFB251B75
..\s\crypto\asn1\asn_mime.c, xrefs: 00007FFDFB25180B, 00007FFDFB25194D, 00007FFDFB2519E5, 00007FFDFB251A61, 00007FFDFB251AE5, 00007FFDFB251B17, 00007FFDFB251B95, 00007FFDFB251C1C
type: , xrefs: 00007FFDFB2519FE, 00007FFDFB251BAE
application/x-pkcs7-signature, xrefs: 00007FFDFB2519B2
application/x-pkcs7-mime, xrefs: 00007FFDFB251B62
multipart/signed, xrefs: 00007FFDFB251889
content-type, xrefs: 00007FFDFB251844

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strcmp$strncmp
String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
API String ID: 1244041713-3630080479
Opcode ID: cb09d76981884f911073ec79770a94529b3f76ec59753b3682a11d1b1a51dff2
Instruction ID: c7289a3164cacd96cc2c9a67f0fc95dd18a98978600e5d0adcc1645f34c271dc
Opcode Fuzzy Hash: cb09d76981884f911073ec79770a94529b3f76ec59753b3682a11d1b1a51dff2
Instruction Fuzzy Hash: 3BC17C62F1E68381FB14EB11A460AB96295AF81B88F448032ED6D4B7EDEF3CF505D700

Function 00007FFE11EBD120 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 152stringCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFE11EBD33D
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFE11EBD37D
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE11EC5C8A
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFE11EC5CA5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE11EC5CAD
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE11EC5CC5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE11EC5CD2
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFE11EC5CED
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE11EC5CF5

Strings

EXPAT_ACCOUNTING_DEBUG, xrefs: 00007FFE11EBD1BB
EXPAT_ENTITY_DEBUG, xrefs: 00007FFE11EBD364

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: _errno$getenvstrtoul
String ID: EXPAT_ACCOUNTING_DEBUG$EXPAT_ENTITY_DEBUG
API String ID: 1872403029-3277422050
Opcode ID: 84d1486a463a4cd18aafa05269b5d552b7879547b4fb56850b1ed22286907d38
Instruction ID: 0fbb3047e43239df3a8aecaaea6e390405de3be246ded6c01e9ea916d6cd68df
Opcode Fuzzy Hash: 84d1486a463a4cd18aafa05269b5d552b7879547b4fb56850b1ed22286907d38
Instruction Fuzzy Hash: DB912A72525F91C5E7418F61E84439D33ADFB44F98F58823AEE894BB68DF3890A1C760

Function 00007FFDFB1A1F69 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

Filename=, xrefs: 00007FFDFB36E2F3, 00007FFDFB36E347, 00007FFDFB36E45D
i, xrefs: 00007FFDFB36E329
..\s\crypto\rand\randfile.c, xrefs: 00007FFDFB36E2D2, 00007FFDFB36E331, 00007FFDFB36E43C

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: ..\s\crypto\rand\randfile.c$Filename=$i
API String ID: 0-1799673945
Opcode ID: a736c0758ac64ed8d8ce1e09c9eb5d692d3ad43bf8a19e6fd3513a6c640bf2e0
Instruction ID: 86979c604b9dae808947768ec813ea30e1ecb1cc1acae56d16a4fb8902bccc32
Opcode Fuzzy Hash: a736c0758ac64ed8d8ce1e09c9eb5d692d3ad43bf8a19e6fd3513a6c640bf2e0
Instruction Fuzzy Hash: 8951A222B0EA538AFB10AB65E860E7A2391EF85B84F400135D96D476EDEF3CF509C700

Function 00007FF7BD3B1440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF7BD3B1560
Failed to extract %s: failed to open target file!, xrefs: 00007FF7BD3B148A
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7BD3B15E5
fread, xrefs: 00007FF7BD3B15EC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7BD3B14CA
fopen, xrefs: 00007FF7BD3B1491
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7BD3B14F9
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF7BD3B1559
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7BD3B15D5
fwrite, xrefs: 00007FF7BD3B15DC
fseek, xrefs: 00007FF7BD3B1500

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 0-666925554
Opcode ID: 41c00267e824b168c08840519eb6b49ad12eba3dbed6fe9bea21d766fdc91f50
Instruction ID: 73c0713862583da631b8ef7b2cf8468f5049d922c0cbeb58ca2b56963aed74c1
Opcode Fuzzy Hash: 41c00267e824b168c08840519eb6b49ad12eba3dbed6fe9bea21d766fdc91f50
Instruction Fuzzy Hash: 67519921B0C642C5EA18BB19A5507B9F360AF62BD4F840539EF1D476AFFE3CE1448720

Function 00007FF7BD3B6A70 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00007FF7BD3B59BA,?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6AB0
OpenProcessToken.ADVAPI32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6AC1
GetTokenInformation.ADVAPI32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6AE3
GetLastError.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6AED
GetTokenInformation.ADVAPI32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6B2A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7BD3B6B3C
CloseHandle.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6B54
LocalFree.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6B86
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF7BD3B6BAD
CreateDirectoryW.KERNEL32(?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B6BBE

Strings

D:(A;;FA;;;%s), xrefs: 00007FF7BD3B6B69
S-1-3-4, xrefs: 00007FF7BD3B6B5F

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: 91f206f193b68330ebd28d0cb2e5982b23392e5c7638bf7621f932f987ca90f9
Instruction ID: 1ba6a531c45c0faab4739f53c9146d181aeec1f70e831a4f5c9d2ee29371cca4
Opcode Fuzzy Hash: 91f206f193b68330ebd28d0cb2e5982b23392e5c7638bf7621f932f987ca90f9
Instruction Fuzzy Hash: CE41913160C642C2E654EF19E4502AAF361FBA6790F840239FB5E476AAEF7CD448CB10

Function 00007FFE1A45AC40 Relevance: 19.9, APIs: 13, Instructions: 361COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AC91
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45AD5A
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45ADA3
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45ADB4

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: b0c5aa40c95afe9820d08c2b3a0b3f0a0bd29e174dcc6565612d28bd398cd5cc
Instruction ID: a7aa80316a2878be015e071105aea082f55ffaeb5075f6b9b9b5806ce88fa842
Opcode Fuzzy Hash: b0c5aa40c95afe9820d08c2b3a0b3f0a0bd29e174dcc6565612d28bd398cd5cc
Instruction Fuzzy Hash: 7CF16DB6B08B829AE711EF66D4901FC37B0EB04B5CB4044B6EA4D57BA9DF38D569C340

Function 00007FFE13302760 Relevance: 19.6, APIs: 13, Instructions: 70COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311 ref: 00007FFE13302778
EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FFE1330278F
EVP_DigestFinalXOF.LIBCRYPTO-1_1 ref: 00007FFE133027BD
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FFE133027CE
_Py_strhex.PYTHON311 ref: 00007FFE133027DA
PyMem_Free.PYTHON311 ref: 00007FFE133027E6
PyErr_NoMemory.PYTHON311 ref: 00007FFE13305084
PyMem_Free.PYTHON311 ref: 00007FFE13305094
PyErr_NoMemory.PYTHON311 ref: 00007FFE1330509A

Part of subcall function 00007FFE133029C0: EVP_MD_CTX_copy.LIBCRYPTO-1_1(?,?,00000000,00007FFE133027AC), ref: 00007FFE133029E5

PyMem_Free.PYTHON311 ref: 00007FFE133050AA
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FFE133050B3
PyMem_Free.PYTHON311 ref: 00007FFE133050D3
EVP_MD_CTX_free.LIBCRYPTO-1_1 ref: 00007FFE133050DC

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Mem_$Free$X_free$Err_Memory$DigestFinalMallocPy_strhexX_copyX_new
String ID:
API String ID: 422439089-0
Opcode ID: b2ab8a0d7e008b83c2d7629f2e51ae589ec2dfac3e9a1e52696f2ca71d4e8ac7
Instruction ID: 79286bf0bf7bb8bc762e80645f0ad85c904e4c8d98e6fa41c58c1672212293b2
Opcode Fuzzy Hash: b2ab8a0d7e008b83c2d7629f2e51ae589ec2dfac3e9a1e52696f2ca71d4e8ac7
Instruction Fuzzy Hash: E6210E24A0CE4389FA159B23AD5413D6365AFA9FE0B0450B0ED6F67BB5DE3CE0448318

Function 00007FFE11EC9410 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 105COMMON

Download Yara Rule

APIs

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FFE11EC948B
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FFE11EC9503
PyErr_SetString.PYTHON311 ref: 00007FFE11EC953C
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FFE11EC954C
_PyArg_BadArgument.PYTHON311 ref: 00007FFE11EC9597

Strings

str or None, xrefs: 00007FFE11EC9582
ExternalEntityParserCreate, xrefs: 00007FFE11EC9590
argument 2, xrefs: 00007FFE11EC94D8
embedded null character, xrefs: 00007FFE11EC9532
argument 1, xrefs: 00007FFE11EC9589
str, xrefs: 00007FFE11EC94D1

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Arg_SizeUnicode_$ArgumentErr_KeywordsStringUnpack
String ID: ExternalEntityParserCreate$argument 1$argument 2$embedded null character$str$str or None
API String ID: 542819765-2847936699
Opcode ID: 85ed71d5f9bd933ff640a86a9dd3fe66ec5ead2380ae7da7a34d43c44726738e
Instruction ID: 852517d838476a289b46b7ef3a798a0b724afdef1d31fcbef8650c59559a175c
Opcode Fuzzy Hash: 85ed71d5f9bd933ff640a86a9dd3fe66ec5ead2380ae7da7a34d43c44726738e
Instruction Fuzzy Hash: 24412E21A08F8695EF608B83EC406A663A8FB54BA4F8551B2ED5D037B4EF3DE545C710

Function 00007FFE1A452F14 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE1A452F71

Part of subcall function 00007FFE1A4552D0: __GetUnwindTryBlock.LIBCMT ref: 00007FFE1A455313
Part of subcall function 00007FFE1A4552D0: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE1A455338

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A453049
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453056
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE1A4532A0
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4532CE

Part of subcall function 00007FFE1A4569C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4525CE), ref: 00007FFE1A4569CE

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453394
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A4533C9

Strings

csm, xrefs: 00007FFE1A452FF2
csm, xrefs: 00007FFE1A45306E
csm, xrefs: 00007FFE1A452F8B

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 4223619315-393685449
Opcode ID: 1fea5c564d133bdba3aecb898f1e2b7bc476544beebca211cb7a23793dbe9004
Instruction ID: e8cc468c752573ce801f211601fbd0435f1f4d5e40cf52f815ae5a79b57f6e2d
Opcode Fuzzy Hash: 1fea5c564d133bdba3aecb898f1e2b7bc476544beebca211cb7a23793dbe9004
Instruction Fuzzy Hash: DEE150B2B08F4186EB10AB66D4502BD77A4FB45FA8F1401B6EA4D57B69CF38E5A4C700

Function 00007FFE1A45E72C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 192COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45E786

Strings

generic-type-, xrefs: 00007FFE1A45E82F
`generic-type-, xrefs: 00007FFE1A45E862
template-parameter-, xrefs: 00007FFE1A45E7E8
`template-parameter-, xrefs: 00007FFE1A45E81B

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Replicator::operator[]
String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
API String ID: 3676697650-3207858774
Opcode ID: ecd4a8ae6d7230611fff1dd4e64a59f99909a897cce7822f33257ee1ddf9a1a8
Instruction ID: 643e62bf24f5c2b9b99468e577bec5373a6d064ef5e31ed0111f09d99902349a
Opcode Fuzzy Hash: ecd4a8ae6d7230611fff1dd4e64a59f99909a897cce7822f33257ee1ddf9a1a8
Instruction Fuzzy Hash: 5F91ACA2B08E8695FB24EF26D4412B877B1AB44B68F4481F3DA5D036B5DF3CE565C340

Function 00007FFE11ECB434 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 104COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE11ECB481

Part of subcall function 00007FFE11ECC53C: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE11ECC572

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE11ECB509
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE11ECB52C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE11ECB552
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE11ECB582
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE11ECB5A5

Strings

[..], xrefs: 00007FFE11ECB4CB
(+%6I64d bytes %s|%d, xmlparse.c:%d) %*s", xrefs: 00007FFE11ECB48F
DIR, xrefs: 00007FFE11ECB465
EXP, xrefs: 00007FFE11ECB45B

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: __acrt_iob_func$__stdio_common_vfprintf
String ID: (+%6I64d bytes %s|%d, xmlparse.c:%d) %*s"$DIR$EXP$[..]
API String ID: 2815179470-1851131210
Opcode ID: 3a1ae70cdbf03e82a2f9a2e4278202063ac46a8c3148231cdacc49116479c827
Instruction ID: 9c7b9882619e6f2744aca068bda16a7aaf080ddaba0a3b7a1bc6b1b57e1a55cb
Opcode Fuzzy Hash: 3a1ae70cdbf03e82a2f9a2e4278202063ac46a8c3148231cdacc49116479c827
Instruction Fuzzy Hash: A6415F65E08E8285EF049BA6EC142BA77A9BF497A0F8464B5DA4D07375DF3CF4068B00

Function 00007FFE11EB2734 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

PyTuple_New.PYTHON311 ref: 00007FFE11EB2765
PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EB278D
PyObject_Call.PYTHON311 ref: 00007FFE11EB27B5
_Py_Dealloc.PYTHON311 ref: 00007FFE11EB27D4
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC0EC4
_PyTraceback_Add.PYTHON311 ref: 00007FFE11EC0F03

Strings

CharacterData, xrefs: 00007FFE11EC0EFC
D:\a\1\s\Modules\pyexpat.c, xrefs: 00007FFE11EC0EF5
strict, xrefs: 00007FFE11EB2783

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$CallDecodeObject_Traceback_Tuple_Unicode_
String ID: CharacterData$D:\a\1\s\Modules\pyexpat.c$strict
API String ID: 1267065021-205442349
Opcode ID: 1526a3ff9da1062465dbc525b4bcc35980f186fe257fc366dd8affedb9d03219
Instruction ID: cb1d64e7f5d07f9b20a906e7e7437444766810f29fc5a73add17c07bfb593111
Opcode Fuzzy Hash: 1526a3ff9da1062465dbc525b4bcc35980f186fe257fc366dd8affedb9d03219
Instruction Fuzzy Hash: 4C415835A09E1386EB188BA2DC4423A22A8FF45FA4F1841B1DA0D07BB4DF2DF5828344

Function 00007FFE148E1100 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE148E1128
__scrt_initialize_crt.LIBCMT ref: 00007FFE148E116D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE148E117A
_RTC_Initialize.LIBCMT ref: 00007FFE148E11A8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE148E11CE
__scrt_release_startup_lock.LIBCMT ref: 00007FFE148E11F9

Memory Dump Source

Source File: 00000002.00000002.1740691190.00007FFE148E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000002.00000002.1740628690.00007FFE148E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1740718938.00007FFE148E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1740772023.00007FFE148E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1740797470.00007FFE148E4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe148e0000_PDF_Resave.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: d573cd7bf0bafa259f49a36843b2703105abc7edda614b8f92858340699d7a94
Instruction ID: 77597de31c131fafda537e2bee4bd31a9131f913a9c72463567c5403aff98f66
Opcode Fuzzy Hash: d573cd7bf0bafa259f49a36843b2703105abc7edda614b8f92858340699d7a94
Instruction Fuzzy Hash: AB819061E0CE4386F650AB6798C12F9E290AF477A0F4441B9FA0C677B6DF2DE84D8600

Function 00007FFE11EBF910 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE11EBF938
__scrt_initialize_crt.LIBCMT ref: 00007FFE11EBF97D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE11EBF98A
_RTC_Initialize.LIBCMT ref: 00007FFE11EBF9B8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE11EBF9DE
__scrt_release_startup_lock.LIBCMT ref: 00007FFE11EBFA09

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: ed0456ed56a28c5e954244ba569a3f5ab9305d27bbb2f4b4d91e80861801ede4
Instruction ID: 792a43f8441a834f10eb752c0b9ace501afb81d7d015713e8dcafd7ace6e4335
Opcode Fuzzy Hash: ed0456ed56a28c5e954244ba569a3f5ab9305d27bbb2f4b4d91e80861801ede4
Instruction Fuzzy Hash: 0C81C321E0CE4346FB549BE79C4127B6698BF457B0F5450B6E90D833B6DE3EE841870A

Function 00007FFE13303C40 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE13303C68
__scrt_initialize_crt.LIBCMT ref: 00007FFE13303CAD
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE13303CBA
_RTC_Initialize.LIBCMT ref: 00007FFE13303CE8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE13303D0E
__scrt_release_startup_lock.LIBCMT ref: 00007FFE13303D39

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 60740118ffc561110092f8fa7fcfca06e5701660f826d2aea51ad36781cacfe9
Instruction ID: c5e916b21fabc8101b9a0aa4641fc76c96260a58bc83d59c2eb34a5316c57663
Opcode Fuzzy Hash: 60740118ffc561110092f8fa7fcfca06e5701660f826d2aea51ad36781cacfe9
Instruction Fuzzy Hash: BA81A021E0CE434EFA50AB6794412BE66A0AF75BB0F4441B5DA6C777B2DF3CE9418708

Function 00007FFDFB1A7207 Relevance: 16.7, APIs: 4, Strings: 7, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FFDFB34CF68
strchr.VCRUNTIME140 ref: 00007FFDFB34D012
strchr.VCRUNTIME140 ref: 00007FFDFB34D072
strchr.VCRUNTIME140 ref: 00007FFDFB34D08A

Strings

/, xrefs: 00007FFDFB34CFF7
https, xrefs: 00007FFDFB34CFB2
http, xrefs: 00007FFDFB34CF7C
[, xrefs: 00007FFDFB34D05F
443, xrefs: 00007FFDFB34CFD7
..\s\crypto\ocsp\ocsp_lib.c, xrefs: 00007FFDFB34CF3F, 00007FFDFB34D017, 00007FFDFB34D0A1, 00007FFDFB34D0BF, 00007FFDFB34D0DC, 00007FFDFB34D114, 00007FFDFB34D129, 00007FFDFB34D13B, 00007FFDFB34D150, 00007FFDFB34D16A
/, xrefs: 00007FFDFB34CFED

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strchr
String ID: ..\s\crypto\ocsp\ocsp_lib.c$/$/$443$[$http$https
API String ID: 2830005266-535551730
Opcode ID: 3f4b0d76255caf907e181389f39ab80ca888ca80cbe07dbd0ebd0c6e25bf62fd
Instruction ID: 2cd41896455bffde1cd32c57371564698dad538185ac17439d5a4a69b7bc63ba
Opcode Fuzzy Hash: 3f4b0d76255caf907e181389f39ab80ca888ca80cbe07dbd0ebd0c6e25bf62fd
Instruction Fuzzy Hash: B561A062B0AB47C5FB51EB11E920A7927A0AF45B88F444036DD6D0B7EDEE3DE649C700

Function 00007FFDFB1A32B0 Relevance: 16.6, APIs: 5, Strings: 6, Instructions: 127stringCOMMON

Download Yara Rule

APIs

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDFB39AF1C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB39AF31
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDFB39AF43

Strings

..\s\crypto\ts\ts_conf.c, xrefs: 00007FFDFB39AE90, 00007FFDFB39AFDC
microsecs, xrefs: 00007FFDFB39AF4E
millisecs, xrefs: 00007FFDFB39AF27
secs, xrefs: 00007FFDFB39AEED
accuracy, xrefs: 00007FFDFB39AE53, 00007FFDFB39AEA3, 00007FFDFB39AFF4
p, xrefs: 00007FFDFB39AFD4

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: atoi$strcmp
String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
API String ID: 4175852868-1596076588
Opcode ID: 7fedaee5a43b9f96133ba3337b9998908fec395ca8a45f4228c1692c16d9240c
Instruction ID: 7a67a9be9151b202da89f1865efef95a0ea5e9224899cfa27d96b56d1ead318d
Opcode Fuzzy Hash: 7fedaee5a43b9f96133ba3337b9998908fec395ca8a45f4228c1692c16d9240c
Instruction Fuzzy Hash: 1C519262F0A60796EB04AB25A9209B973D6BF44B8CF404535DD2E477F9DE3CF5098340

Function 00007FFE1A45A4E8 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A542
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A678

Strings

union , xrefs: 00007FFE1A45A6A5
struct , xrefs: 00007FFE1A45A69C
cointerface , xrefs: 00007FFE1A45A61F
class , xrefs: 00007FFE1A45A68D
`unknown ecsu', xrefs: 00007FFE1A45A50E
coclass , xrefs: 00007FFE1A45A631
enum , xrefs: 00007FFE1A45A63A

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+
String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
API String ID: 2943138195-1464470183
Opcode ID: f2c82fd6e231fdf3051f437846c0782e2719a4821ee929760b6b2afc08469b6e
Instruction ID: 90fb06028247f6d77425227131e51550878adda126d9450814a8a4ab99568be3
Opcode Fuzzy Hash: f2c82fd6e231fdf3051f437846c0782e2719a4821ee929760b6b2afc08469b6e
Instruction Fuzzy Hash: F6518CB2F08F5699F700EB66E8844BC37B0BB14BA4F5441B6DA4D53A64DF39E565C300

Function 00007FFE11EB9FF0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA00A
PyUnicode_Decode.PYTHON311 ref: 00007FFE11EBA041
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBA0EB
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBA11A
PyErr_SetString.PYTHON311 ref: 00007FFE11EBA131
_PyUnicode_Ready.PYTHON311 ref: 00007FFE11EC44BB
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC44D6

Strings

replace, xrefs: 00007FFE11EBA02D
multi-byte encodings are not supported, xrefs: 00007FFE11EBA127

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$Err_Unicode_$DecodeOccurredReadyString
String ID: multi-byte encodings are not supported$replace
API String ID: 1319564554-2045899619
Opcode ID: d4c1c5eafa3785139b68f326a19696d4b02b28e109f97959f1921c0f227bc78d
Instruction ID: 58fc7abf7e6cdab12937650c46a56b9e60ece7569fa3cd53bb4702299f774d4e
Opcode Fuzzy Hash: d4c1c5eafa3785139b68f326a19696d4b02b28e109f97959f1921c0f227bc78d
Instruction Fuzzy Hash: 27418371A0CE8382EF548FA69D4017A33A9BB45BF1F5451B6DA4E476B0DF2CE8558304

Function 00007FFDFB1A23D3 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FFDFB2ADC68
GetProcAddress.KERNEL32 ref: 00007FFDFB2ADC7D
GetProcessWindowStation.USER32 ref: 00007FFDFB2ADCA7
GetUserObjectInformationW.USER32 ref: 00007FFDFB2ADCCF
GetLastError.KERNEL32 ref: 00007FFDFB2ADCDD
GetUserObjectInformationW.USER32 ref: 00007FFDFB2ADD48
wcsstr.VCRUNTIME140 ref: 00007FFDFB2ADD70

Strings

_OPENSSL_isservice, xrefs: 00007FFDFB2ADC73
Service-0x, xrefs: 00007FFDFB2ADD69

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 459917433-1672312481
Opcode ID: 79db5ee4ce9dc6ccf9bd915a9b468d2fbd35849815718b4b7a41fc8616343fad
Instruction ID: d607e57c3c44349edb2bf8beccbacc434d7b76aaafe80f244729d010c8832d7e
Opcode Fuzzy Hash: 79db5ee4ce9dc6ccf9bd915a9b468d2fbd35849815718b4b7a41fc8616343fad
Instruction Fuzzy Hash: BF415162B06B8396EB609F34D960AB82395EF447B8B544735E97D8A7F8DF2CE1548300

Function 00007FFE11EBA590 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA5D7

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Py_BuildValue.PYTHON311 ref: 00007FFE11EBA61C
PyObject_Call.PYTHON311 ref: 00007FFE11EBA63F
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBA661
_PyTraceback_Add.PYTHON311 ref: 00007FFE11EC4800

Strings

(NN), xrefs: 00007FFE11EBA612
D:\a\1\s\Modules\pyexpat.c, xrefs: 00007FFE11EC47F2
StartNamespaceDecl, xrefs: 00007FFE11EC47F9

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dict_Err_ItemOccurred$BuildCallDeallocDecodeErrorObject_Traceback_Unicode_ValueWith
String ID: (NN)$D:\a\1\s\Modules\pyexpat.c$StartNamespaceDecl
API String ID: 1461374241-2703805572
Opcode ID: c9965105b1e5023872393aa6f5c4cb6ce1f5c0438ad748433070bf6b076e749f
Instruction ID: 81dc28465cb9603fdbfa35be2ce0e460b012258f7af9a21e61f082be9d4c5d0f
Opcode Fuzzy Hash: c9965105b1e5023872393aa6f5c4cb6ce1f5c0438ad748433070bf6b076e749f
Instruction Fuzzy Hash: 2E316F65A08E4382EF159B939D4827A37A8BF84FE5F0890B2DE0D07778DE3CE4418304

Function 00007FFE11EB1FA8 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

PyUnicode_FromFormat.PYTHON311 ref: 00007FFE11EB1FF7
PyObject_CallOneArg.PYTHON311 ref: 00007FFE11EB200C
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC0C01

Part of subcall function 00007FFE11EB2098: PyLong_FromLong.PYTHON311(?,?,-00000001,00007FFE11EB2036), ref: 00007FFE11EB20B0
Part of subcall function 00007FFE11EB2098: PyObject_SetAttrString.PYTHON311(?,?,-00000001,00007FFE11EB2036), ref: 00007FFE11EB20C7

PyErr_SetObject.PYTHON311 ref: 00007FFE11EB206D

Strings

lineno, xrefs: 00007FFE11EB2053
%s: line %i, column %i, xrefs: 00007FFE11EB1FEA
code, xrefs: 00007FFE11EB2027
offset, xrefs: 00007FFE11EB203D

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: FromObject_$AttrCallDeallocErr_FormatLongLong_ObjectStringUnicode_
String ID: %s: line %i, column %i$code$lineno$offset
API String ID: 3270526086-733642575
Opcode ID: 130eec3d85cdee8b352909b319ba11d90a4deefe4052ac1d7ba20ce27dae6916
Instruction ID: 86984e237fa9c55f8da5aee87b47629c666a31e31cb12bfdd25aae4aaaf146c1
Opcode Fuzzy Hash: 130eec3d85cdee8b352909b319ba11d90a4deefe4052ac1d7ba20ce27dae6916
Instruction Fuzzy Hash: 90210621B08F0341EF189BA7AC4417B62A9BF49BF0F4864B6DE1E4B775DE2DE4448708

Function 00007FFE11EC9C28 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

PyObject_CallFunction.PYTHON311 ref: 00007FFE11EC9C4D
PyType_IsSubtype.PYTHON311 ref: 00007FFE11EC9C81
PyErr_Format.PYTHON311 ref: 00007FFE11EC9CA4
PyErr_Format.PYTHON311 ref: 00007FFE11EC9CEF
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC9CFE
memcpy.VCRUNTIME140 ref: 00007FFE11EC9D1D
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC9D2B

Strings

read() returned too much data: %i bytes requested, %zd returned, xrefs: 00007FFE11EC9CDC
read() did not return a bytes object (type=%.400s), xrefs: 00007FFE11EC9C8F

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: DeallocErr_Format$CallFunctionObject_SubtypeType_memcpy
String ID: read() did not return a bytes object (type=%.400s)$read() returned too much data: %i bytes requested, %zd returned
API String ID: 3745068949-2560037398
Opcode ID: e59036ee43dd320841d96838c023520db304a8875f6a0a8073a88f4c421c5c7f
Instruction ID: 23096363321041bb14f1b596f6b3217737c36967ab6f67e9261e6f6f729c221d
Opcode Fuzzy Hash: e59036ee43dd320841d96838c023520db304a8875f6a0a8073a88f4c421c5c7f
Instruction Fuzzy Hash: 79310671A08E4381EF548BA7EC4077A27A8AB45FB4F98A0B1D91E477B4EE2CE5458340

Function 00007FFE11EC9DD0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FFE11EC9DF3
PyLong_AsLong.PYTHON311 ref: 00007FFE11EC9E24
PyErr_Occurred.PYTHON311 ref: 00007FFE11EC9E31
PyMem_Free.PYTHON311 ref: 00007FFE11EC9E6E
PyMem_Malloc.PYTHON311 ref: 00007FFE11EC9E77
PyErr_NoMemory.PYTHON311 ref: 00007FFE11EC9E86

Strings

buffer_size must be an integer, xrefs: 00007FFE11EC9E18
buffer_size must be greater than zero, xrefs: 00007FFE11EC9E43
Cannot delete attribute, xrefs: 00007FFE11EC9DE9

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Err_$Mem_$FreeLongLong_MallocMemoryOccurredString
String ID: Cannot delete attribute$buffer_size must be an integer$buffer_size must be greater than zero
API String ID: 2113995896-4286141126
Opcode ID: 9d81060e4026ea8831fd93ca298b91c7abb9b9380591521893864cfe7697f52b
Instruction ID: a9e97b1263f8647e742b384be5a3140cd956d3c29175a129db9f424b70c077ae
Opcode Fuzzy Hash: 9d81060e4026ea8831fd93ca298b91c7abb9b9380591521893864cfe7697f52b
Instruction Fuzzy Hash: B4210C25A08E03C5EF548BA7EC8533A23A8BF54BB9F5561B1E90D462B4EF3CF4848701

Function 00007FF7BD3B6680 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(WideCharToMultiByte,00007FF7BD3B1CE4,?,?,00000000,00007FF7BD3B6914), ref: 00007FF7BD3B66A7
FormatMessageW.KERNEL32 ref: 00007FF7BD3B66D6
WideCharToMultiByte.KERNEL32 ref: 00007FF7BD3B672C

Part of subcall function 00007FF7BD3B1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF7BD3B6914,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B1CD7

Strings

WideCharToMultiByte, xrefs: 00007FF7BD3B6680, 00007FF7BD3B673D
No error messages generated., xrefs: 00007FF7BD3B66E0
FormatMessageW, xrefs: 00007FF7BD3B66E7
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF7BD3B6749
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7BD3B6736
PyInstaller: FormatMessageW failed., xrefs: 00007FF7BD3B66F3

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorLast$ByteCharFormatMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2383786077-2573406579
Opcode ID: 8af1543621e2225bbe5bffd5a6056578706e604aa2a65e437b117fd27dbfded5
Instruction ID: c0594de0d79d9287b83c5eb124a60ad215728328735715f8b49cf5a0ad33081e
Opcode Fuzzy Hash: 8af1543621e2225bbe5bffd5a6056578706e604aa2a65e437b117fd27dbfded5
Instruction Fuzzy Hash: E821652161CA42C1E768AB19E860266F365FBAA344FC40139E74D876AEFF3CD545CB20

Function 00007FFDFB2ACBA0 Relevance: 15.2, APIs: 1, Strings: 9, Instructions: 238stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB2ACC3B

Strings

..\s\crypto\conf\conf_mod.c, xrefs: 00007FFDFB2ACD03, 00007FFDFB2ACD48, 00007FFDFB2ACD9E, 00007FFDFB2ACDC8, 00007FFDFB2ACDE1, 00007FFDFB2ACE52, 00007FFDFB2ACE81, 00007FFDFB2ACE97, 00007FFDFB2ACEAF, 00007FFDFB2ACED6
OPENSSL_init, xrefs: 00007FFDFB2ACCA5
path, xrefs: 00007FFDFB2ACC65
, value=, xrefs: 00007FFDFB2ACF0F
, path=, xrefs: 00007FFDFB2ACD15
module=, xrefs: 00007FFDFB2ACD24, 00007FFDFB2ACD5E, 00007FFDFB2ACF27
, retcode=, xrefs: 00007FFDFB2ACF16
%-8d, xrefs: 00007FFDFB2ACEEC
OPENSSL_finish, xrefs: 00007FFDFB2ACCC2

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strncmp
String ID: %-8d$, path=$, retcode=$, value=$..\s\crypto\conf\conf_mod.c$OPENSSL_finish$OPENSSL_init$module=$path
API String ID: 1114863663-3652895664
Opcode ID: 3ecb68e670bea93246ef5374c4d0d7ba0649ab831daedc309e66f1fd15480d7f
Instruction ID: 25daa884303333772e6495a7938e2e820e5152fc08806be47a76a3d1e064b72c
Opcode Fuzzy Hash: 3ecb68e670bea93246ef5374c4d0d7ba0649ab831daedc309e66f1fd15480d7f
Instruction Fuzzy Hash: E5A1A262B0A64391FB209B55EA30AB92294AF44BC8F444135DE6D8BBFDEF3CF5458740

Function 00007FFE1A458BA4 Relevance: 15.2, APIs: 10, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458C6E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458C7E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458CCA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458CDA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458CEA
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458D5D
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458D6E
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458D80
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458DAC
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A458DBB

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: ea53d01b8add9f065da6da89440d1b5514e5cb284af6834d09ce1e9fb4639f71
Instruction ID: 56f909d69b1f1cf20fb15c748fcca14e974003353800fc56cc72e71922b216bb
Opcode Fuzzy Hash: ea53d01b8add9f065da6da89440d1b5514e5cb284af6834d09ce1e9fb4639f71
Instruction Fuzzy Hash: 326170A2F14B5698FB01EBA2D8400FC37B1BB04BA8F5044B6DE0D6BA69DF78D555C740

Function 00007FFDFB1A4B42 Relevance: 15.1, APIs: 3, Strings: 7, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3D3AFD
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3D3B60
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3D3B8F

Strings

/, xrefs: 00007FFDFB3D3C18
ASN1:, xrefs: 00007FFDFB3D3B85
, value=, xrefs: 00007FFDFB3D3C33
..\s\crypto\x509v3\v3_conf.c, xrefs: 00007FFDFB3D3C20
DER:, xrefs: 00007FFDFB3D3B56
name=, xrefs: 00007FFDFB3D3C42
critical,, xrefs: 00007FFDFB3D3AF6

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strncmp
String ID: , value=$..\s\crypto\x509v3\v3_conf.c$/$ASN1:$DER:$critical,$name=
API String ID: 1114863663-1429737502
Opcode ID: 143978fd2adef66388680b9fe0611a0269c67ac45c0586c6bec754c205a70508
Instruction ID: 864a91ff66f8c3a6ce999b68db13b2cfcb82cafe83d5f31c6729823e556d04ec
Opcode Fuzzy Hash: 143978fd2adef66388680b9fe0611a0269c67ac45c0586c6bec754c205a70508
Instruction Fuzzy Hash: D141E922F0A68B46F710AB21A920B7AA6D1FF49BD8F444130DD6D077EDDE3DE9008700

Function 00007FF7BD3BF5D8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BF618
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BF9E0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3BFC7F

Strings

f, xrefs: 00007FF7BD3BF6B0
p, xrefs: 00007FF7BD3BF722
f, xrefs: 00007FF7BD3BF865
p, xrefs: 00007FF7BD3BF6BD
f, xrefs: 00007FF7BD3BF71A

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction ID: 269c89211061b848dca959544a91fdc492e0bd3d647a81a66cab1e842b20abf4
Opcode Fuzzy Hash: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction Fuzzy Hash: D1128222A0E143C6FB68BA18D054679F351EBA2754FC45139F789476CEEB7FE4808B21

Function 00007FFE1A4533E0 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 314COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A45357E
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45358B

Part of subcall function 00007FFE1A4569C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4525CE), ref: 00007FFE1A4569CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453839
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453884
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A4538B9

Strings

csm, xrefs: 00007FFE1A4535A7
csm, xrefs: 00007FFE1A4534C5
csm, xrefs: 00007FFE1A453527

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 211107550-393685449
Opcode ID: 688fb15556d862c72de40c94a9225dad620afe04ad3ce9f2b8c9a53cb021efd3
Instruction ID: 20cd599cd6a96cf8b22c4d9fa5763be91f5c11988486441bffc663a94f426c4f
Opcode Fuzzy Hash: 688fb15556d862c72de40c94a9225dad620afe04ad3ce9f2b8c9a53cb021efd3
Instruction Fuzzy Hash: 68E1A2B3A08A818AE714AF36D4903BD77A0FB45F68F1441B6DA8D47766CF38E595CB00

Function 00007FFDFB1A41DD Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 117networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFDFB26A54E
WSAGetLastError.WS2_32 ref: 00007FFDFB26A558

Strings

o, xrefs: 00007FFDFB26A67F
..\s\crypto\bio\b_sock2.c, xrefs: 00007FFDFB26A4DE, 00007FFDFB26A56E, 00007FFDFB26A58A, 00007FFDFB26A5F3, 00007FFDFB26A60F, 00007FFDFB26A66B, 00007FFDFB26A687

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: ErrorLastsetsockopt
String ID: ..\s\crypto\bio\b_sock2.c$o
API String ID: 1729277954-1872632005
Opcode ID: f8faf1672888dd055ca767ddbd6e928684f186272bd270f584dbc43e0a9459f0
Instruction ID: 835951790f9e6f0087fa514098c18f01f64d99b6cd7c4a3377c29f1431ddaefd
Opcode Fuzzy Hash: f8faf1672888dd055ca767ddbd6e928684f186272bd270f584dbc43e0a9459f0
Instruction Fuzzy Hash: 8D519C32B095838AE720DF21E824AAD77A1FB85748F444135EA6847BEDCF3DE509CB40

Function 00007FFE1A45C1D8 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C38C

Part of subcall function 00007FFE1A458EE4: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A459455
Part of subcall function 00007FFE1A458EE4: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45948A

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C33E

Strings

cli::pin_ptr<, xrefs: 00007FFE1A45C355
void, xrefs: 00007FFE1A45C222
void , xrefs: 00007FFE1A45C24A
std::nullptr_t , xrefs: 00007FFE1A45C2CA
std::nullptr_t, xrefs: 00007FFE1A45C2B7
cli::array<, xrefs: 00007FFE1A45C30B

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 2943138195-2239912363
Opcode ID: e6d89d71e33ac373f0738e0b515b9d7d47b180a069a0d86b59b00a9470073de2
Instruction ID: 6687bc44508bd485d866c25ff530da5c347406c5587ee02f6a3bf1957e2a0818
Opcode Fuzzy Hash: e6d89d71e33ac373f0738e0b515b9d7d47b180a069a0d86b59b00a9470073de2
Instruction Fuzzy Hash: B1514CA2F18F4598FB11DB62D8412BD77B0BB08B64F4442F6DA4D13AA5DF3C90A4C754

Function 00007FF7BD3B6140 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BD3B6DC0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B6DFA

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF7BD3B2B60,?,?,?,?,?,?), ref: 00007FF7BD3B618F
GetStartupInfoW.KERNEL32 ref: 00007FF7BD3B61AE

Part of subcall function 00007FF7BD3C92F4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C9308

Part of subcall function 00007FF7BD3C706C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C70D3

GetCommandLineW.KERNEL32 ref: 00007FF7BD3B624E
CreateProcessW.KERNEL32 ref: 00007FF7BD3B6290
WaitForSingleObject.KERNEL32 ref: 00007FF7BD3B62A4
GetExitCodeProcess.KERNEL32 ref: 00007FF7BD3B62B4

Strings

CreateProcessW, xrefs: 00007FF7BD3B62C7
Error creating child process!, xrefs: 00007FF7BD3B62C0

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: f9329e10ecf7cd9add790cd54d80bd1613acac9f8f0a608475d9c7ff608cd0f3
Instruction ID: 9d114a1be8cab9415e207323e7e19a21b95f1a9e75d2d632595eaa1dba65ec20
Opcode Fuzzy Hash: f9329e10ecf7cd9add790cd54d80bd1613acac9f8f0a608475d9c7ff608cd0f3
Instruction Fuzzy Hash: 8A410571A0C782C1DA24AB68F4552AAF364FBA5360F900739E7AD477DAEF7CD0548B10

Function 00007FFDFB1A377E Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 85stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB249B51
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFDFB249B6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB249C16

Strings

nombstr, xrefs: 00007FFDFB249B8F
utf8only, xrefs: 00007FFDFB249C0C
default, xrefs: 00007FFDFB249C3A
MASK:, xrefs: 00007FFDFB249B4A
pkix, xrefs: 00007FFDFB249BCF

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strcmpstrncmpstrtoul
String ID: MASK:$default$nombstr$pkix$utf8only
API String ID: 1175158921-3483942737
Opcode ID: 0eb005829b5090700deec3fa77c1e89360f57b44948d3d3a333400b0d416245b
Instruction ID: 3abd8173b473a1e4cc2ca1856a0234dba99b0db78cd7b296f8ef861f405b5719
Opcode Fuzzy Hash: 0eb005829b5090700deec3fa77c1e89360f57b44948d3d3a333400b0d416245b
Instruction Fuzzy Hash: 41312C22B1D58386EB518B2CE570BB93790EB46754F444132EB6E87AFDDE2CE591C700

Function 00007FFE11EC9860 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

PyType_GetModuleState.PYTHON311 ref: 00007FFE11EC9882
_PyObject_LookupAttr.PYTHON311 ref: 00007FFE11EC9897
PyErr_SetString.PYTHON311 ref: 00007FFE11EC98BA
PyErr_Occurred.PYTHON311 ref: 00007FFE11EC9904
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC993A
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC9963
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC998D

Strings

argument must have 'read' attribute, xrefs: 00007FFE11EC98B0

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$Err_$AttrLookupModuleObject_OccurredStateStringType_
String ID: argument must have 'read' attribute
API String ID: 2477349089-3754724333
Opcode ID: 47c45e2a14a7238e8279dac10566541dc6ab048936419c40543f633382c39a16
Instruction ID: 5ab0cb613d9555dccddad61e28757a23e78559a34f9bf410827d875a796bb361
Opcode Fuzzy Hash: 47c45e2a14a7238e8279dac10566541dc6ab048936419c40543f633382c39a16
Instruction Fuzzy Hash: FD313A22A09E4382EF549BA79C5037B67A8AF84FB0F9850B1DE4D47B74EE2DF4408740

Function 00007FF7BD3BCFA0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7BD3BCFFD

Part of subcall function 00007FF7BD3BDF10: __GetUnwindTryBlock.LIBCMT ref: 00007FF7BD3BDF53
Part of subcall function 00007FF7BD3BDF10: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7BD3BDF78

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7BD3BD0D5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7BD3BD32A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7BD3BD436

Strings

csm, xrefs: 00007FF7BD3BD017
csm, xrefs: 00007FF7BD3BD0F8
csm, xrefs: 00007FF7BD3BD07E

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: f65cca0dd748533ec0e0c8100e92ec79f40903f330e835159906267943919e52
Instruction ID: 468d5dd6d38b11ca986ba912bd2d922aa65ad38380a56717e026a5e73c6b1c46
Opcode Fuzzy Hash: f65cca0dd748533ec0e0c8100e92ec79f40903f330e835159906267943919e52
Instruction Fuzzy Hash: FDE1753690C745C6EB68AB69A4403ADF7A0FB56798F440139EF8E5775AEF38E041C710

Function 00007FFDFB1A60D2 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 227COMMON

Download Yara Rule

APIs

SwitchToFiber.KERNEL32 ref: 00007FFDFB2635D4
CreateFiber.KERNEL32 ref: 00007FFDFB26364C
memmove.VCRUNTIME140 ref: 00007FFDFB2636A5
SwitchToFiber.KERNEL32 ref: 00007FFDFB2636C8
DeleteFiber.KERNEL32 ref: 00007FFDFB2637AB

Strings

*, xrefs: 00007FFDFB26350F
..\s\crypto\async\async.c, xrefs: 00007FFDFB2634F1, 00007FFDFB263508, 00007FFDFB263550, 00007FFDFB263679, 00007FFDFB2636E0, 00007FFDFB263760, 00007FFDFB263796, 00007FFDFB2637B7, 00007FFDFB2637E4

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: Fiber$Switch$CreateDeletememmove
String ID: *$..\s\crypto\async\async.c
API String ID: 81049052-1471988776
Opcode ID: 4f9f709306536e867257e9e687ef2b36e2c087ecf2beff4b4f2d57b4d80d708d
Instruction ID: a7c3355cbb2bebe3e0f6a8c29dfe823e88d223b672da7264784b92eeeef6aa43
Opcode Fuzzy Hash: 4f9f709306536e867257e9e687ef2b36e2c087ecf2beff4b4f2d57b4d80d708d
Instruction Fuzzy Hash: 64A17E72B0A64389EB24DF19E4A0A7963A5EF58B84F044031DAAD877EDDF3CE555C700

Function 00007FFE1A4561AA Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456690: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4566D4
Part of subcall function 00007FFE1A456690: RaiseException.KERNEL32 ref: 00007FFE1A45671A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A456247
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00007FFE1A4562A3

Strings

Bad read pointer - no RTTI data!, xrefs: 00007FFE1A4563A8
Bad dynamic_cast!, xrefs: 00007FFE1A456312
Attempted a typeid of nullptr pointer!, xrefs: 00007FFE1A456385
Access violation - no RTTI data!, xrefs: 00007FFE1A4561AA, 00007FFE1A4563CB

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
API String ID: 1852475696-928371585
Opcode ID: ca6cf6770a5e62d56dc10247fecd8c14e7675c1b430a8679457d8e3be21ba961
Instruction ID: ec8f4461fab7ece41ab71fbbe15d9c9515926b36fe585e8b5474011d9effbad8
Opcode Fuzzy Hash: ca6cf6770a5e62d56dc10247fecd8c14e7675c1b430a8679457d8e3be21ba961
Instruction Fuzzy Hash: DC51A1A2B18E4692EE20EB56F4802B9A360FF44FA4F5441B3EA4E43675DF3CE525C700

Function 00007FF7BD3B67D0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B686F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B68BF

Strings

WideCharToMultiByte, xrefs: 00007FF7BD3B6908
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7BD3B68E8
win32_utils_to_utf8, xrefs: 00007FF7BD3B68F8
Failed to get UTF-8 buffer size., xrefs: 00007FF7BD3B6901
Out of memory., xrefs: 00007FF7BD3B68F1

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 842819fd0de434b72f89aea08788796a3a6fbb43ae32da6e9284d85ccd3845d2
Instruction ID: 92af4557c0dff79542e140b82ab8862b59e1798be57e24192fb7cf8b642f02dc
Opcode Fuzzy Hash: 842819fd0de434b72f89aea08788796a3a6fbb43ae32da6e9284d85ccd3845d2
Instruction Fuzzy Hash: 47419532A0DB82C1D624EF19B85016AF764FBA5790F984139EB8D47B9AEF3CD055C710

Function 00007FFDFB1A1D48 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFDFB3E4D3B
GetModuleHandleA.KERNEL32 ref: 00007FFDFB3E4D4D
GetModuleHandleW.KERNEL32 ref: 00007FFDFB3E4D5A
GetProcAddress.KERNEL32 ref: 00007FFDFB3E4DC2

Strings

_ssl_d.pyd, xrefs: 00007FFDFB3E4D46
OPENSSL_Uplink(%p,%02X): , xrefs: 00007FFDFB3E4CD2
_ssl.pyd, xrefs: 00007FFDFB3E4D34

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: OPENSSL_Uplink(%p,%02X): $_ssl.pyd$_ssl_d.pyd
API String ID: 1883125708-4200109347
Opcode ID: f2636a76e782a0e1fa67e1c2fe2d0083f1ed94c4a280093996525d6ffba33d81
Instruction ID: 725c571440d3c441ee53e9119317844894b8997dc19fa3ab9dbcffeb4404594e
Opcode Fuzzy Hash: f2636a76e782a0e1fa67e1c2fe2d0083f1ed94c4a280093996525d6ffba33d81
Instruction Fuzzy Hash: 42512021F4AB4396F7119F24EA2097863E1BF58768B055736D97C022F9EF7CB1958300

Function 00007FFE1A456B5C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A456D1B,?,?,00000000,00007FFE1A456B4C,?,?,?,?,00007FFE1A456885), ref: 00007FFE1A456BE1
GetLastError.KERNEL32(?,?,?,00007FFE1A456D1B,?,?,00000000,00007FFE1A456B4C,?,?,?,?,00007FFE1A456885), ref: 00007FFE1A456BEF
wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A456D1B,?,?,00000000,00007FFE1A456B4C,?,?,?,?,00007FFE1A456885), ref: 00007FFE1A456C08
LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A456D1B,?,?,00000000,00007FFE1A456B4C,?,?,?,?,00007FFE1A456885), ref: 00007FFE1A456C1A
FreeLibrary.KERNEL32(?,?,?,00007FFE1A456D1B,?,?,00000000,00007FFE1A456B4C,?,?,?,?,00007FFE1A456885), ref: 00007FFE1A456C60
GetProcAddress.KERNEL32(?,?,?,00007FFE1A456D1B,?,?,00000000,00007FFE1A456B4C,?,?,?,?,00007FFE1A456885), ref: 00007FFE1A456C6C

Strings

api-ms-, xrefs: 00007FFE1A456C01

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
String ID: api-ms-
API String ID: 916704608-2084034818
Opcode ID: 936032d40fa96b032ac86a2d89c5a398f87e2a2d839e469644f99c68bf1566a7
Instruction ID: c3f432e5d3511cab6fd39c14fd46c7bff2044fef2dfb103abe1d927c75857ece
Opcode Fuzzy Hash: 936032d40fa96b032ac86a2d89c5a398f87e2a2d839e469644f99c68bf1566a7
Instruction Fuzzy Hash: CB31AE61B1AF4281EE22AB07A8005B5B2A4FB49FB5F5D05B6DD2D073A4EF3CE164C200

Function 00007FFE11EC8BAC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC8BE0

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Part of subcall function 00007FFE11EBA690: _Py_Dealloc.PYTHON311 ref: 00007FFE11EBA75C

Py_BuildValue.PYTHON311 ref: 00007FFE11EC8C46

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8C8B
PyLong_AsLong.PYTHON311 ref: 00007FFE11EC8C99
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8CAA

Strings

ExternalEntityRef, xrefs: 00007FFE11EC8C58
(O&NNN), xrefs: 00007FFE11EC8C3F

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$Dict_Err_ItemOccurred$BuildCallDecodeErrorLongLong_Object_Unicode_ValueWith
String ID: (O&NNN)$ExternalEntityRef
API String ID: 1931057526-2495634347
Opcode ID: a3cda369f29552a83d93154c4b3623624351f277dccc2a5cc164bf2d60f1e1ed
Instruction ID: f39856f4ba6b6e673e29cbc9fa3965d1ff180c82e225b209cb0e5f89811e9b2a
Opcode Fuzzy Hash: a3cda369f29552a83d93154c4b3623624351f277dccc2a5cc164bf2d60f1e1ed
Instruction Fuzzy Hash: DF314C31A09E4286EB149FA7AD006AB63A8BB88FF4F480576EE4D07765DE3CE0418344

Function 00007FFE11EBA690 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBA75C

Strings

strict, xrefs: 00007FFE11EBA6B9

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dict_Item$DeallocDecodeErr_ErrorOccurredUnicode_With
String ID: strict
API String ID: 3144736171-2947452218
Opcode ID: 5e8470bef52a21db2194219a123e6440e9148900759755f32bdfd493a8d5e30c
Instruction ID: 1f52f3be9108529b249a643f713932f8cf2d39a3566e4f519eea2f8e389a7525
Opcode Fuzzy Hash: 5e8470bef52a21db2194219a123e6440e9148900759755f32bdfd493a8d5e30c
Instruction Fuzzy Hash: CD210E65A0DF5381EF558BA7AD4427663A8BF89FB1F086271DA1F077B4DE2CE4418304

Function 00007FFE11EB1354 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

PyList_New.PYTHON311(?,?,00000000,00007FFE11EB116C), ref: 00007FFE11EB1371
Py_BuildValue.PYTHON311(?,?,00000000,00007FFE11EB116C), ref: 00007FFE11EB139F
PyList_Append.PYTHON311(?,?,00000000,00007FFE11EB116C), ref: 00007FFE11EB13B7
PyModule_AddObject.PYTHON311(?,?,00000000,00007FFE11EB116C), ref: 00007FFE11EB13F0
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFE11EB116C), ref: 00007FFE11EC088D
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFE11EB116C), ref: 00007FFE11EC08A6

Strings

features, xrefs: 00007FFE11EB13E6

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: DeallocList_$AppendBuildModule_ObjectValue
String ID: features
API String ID: 2094461166-3217087507
Opcode ID: 917ee4d600048b695800ecefbb4c9788cd921cf0f75658e09afc9bc6072e2315
Instruction ID: 12a1c552358c7aff762f1d1ca885b0083dbd68596e6187bd68f4ed262d207842
Opcode Fuzzy Hash: 917ee4d600048b695800ecefbb4c9788cd921cf0f75658e09afc9bc6072e2315
Instruction Fuzzy Hash: 6C213A32A08F0386EB108BA7BC0016B66A8BF45BB1F446576DD0E436A8EE3CE4568340

Function 00007FF7BD3B6ED0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00007FF7BD3B2D35,?,?,?,?,?,?), ref: 00007FF7BD3B6F11

Part of subcall function 00007FF7BD3B1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF7BD3B6914,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B1CD7

WideCharToMultiByte.KERNEL32(00000000,00007FF7BD3B2D35,?,?,?,?,?,?), ref: 00007FF7BD3B6F85

Strings

WideCharToMultiByte, xrefs: 00007FF7BD3B6F25, 00007FF7BD3B6F96
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7BD3B6F8F
win32_utils_to_utf8, xrefs: 00007FF7BD3B6F52
Failed to get UTF-8 buffer size., xrefs: 00007FF7BD3B6F1E
Out of memory., xrefs: 00007FF7BD3B6F4B

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-27947307
Opcode ID: df947e153a4d297c551ea8f0f320faf028395d0bacfd384824c4aacdb755590f
Instruction ID: 33583444744e37d7b763640a9d7c862e1353f99fd043b47e74ca177c4c561d71
Opcode Fuzzy Hash: df947e153a4d297c551ea8f0f320faf028395d0bacfd384824c4aacdb755590f
Instruction Fuzzy Hash: 9E21932161DB42C5EB18AB1AAC50079FB61ABA5B80B984139E74D4776BFF3CE544C710

Function 00007FFE11EC9998 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FFE11EC99D2
PyUnicode_AsUTF8AndSize.PYTHON311 ref: 00007FFE11EC99E2
PyErr_SetString.PYTHON311 ref: 00007FFE11EC9A14

Strings

argument, xrefs: 00007FFE11EC99C4
embedded null character, xrefs: 00007FFE11EC9A0A
SetBase, xrefs: 00007FFE11EC99CB
str, xrefs: 00007FFE11EC99BD

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Arg_ArgumentErr_SizeStringUnicode_
String ID: SetBase$argument$embedded null character$str
API String ID: 4155279725-2697211746
Opcode ID: f0598db1ceddcb6529a4d36ce2328f930b62fbd93ac59356a2237b55f5fe339e
Instruction ID: 11c9425752150205e958758dd2113cd7ee6fab1a323da0a6a4b5e7487008090b
Opcode Fuzzy Hash: f0598db1ceddcb6529a4d36ce2328f930b62fbd93ac59356a2237b55f5fe339e
Instruction Fuzzy Hash: 7311FE61A18E4791EF448B9BEC502B66364EF44BB4F9562B1D92E077B4EE2CF5858300

Function 00007FFDFB3A25B0 Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 190stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00000000,00007FFDFB3A14C2), ref: 00007FFDFB3A25F4
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3A2759

Strings

, status text: , xrefs: 00007FFDFB3A286C
status code: , xrefs: 00007FFDFB3A2880
, failure codes: , xrefs: 00007FFDFB3A285C
..\s\crypto\ts\ts_rsp_verify.c, xrefs: 00007FFDFB3A269D, 00007FFDFB3A26B7, 00007FFDFB3A2835, 00007FFDFB3A2892
unknown code, xrefs: 00007FFDFB3A261D
unspecified, xrefs: 00007FFDFB3A2855

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memsetstrncpy
String ID: , failure codes: $, status text: $..\s\crypto\ts\ts_rsp_verify.c$status code: $unknown code$unspecified
API String ID: 388311670-2553778726
Opcode ID: 4039b7292d998a5d8bce370844a9dd603b654c47650d4ae50a8630767a9223f1
Instruction ID: b4f199b90fd5b80299c31b1441cccb8469494e1394dc376c4aa45ec65f067008
Opcode Fuzzy Hash: 4039b7292d998a5d8bce370844a9dd603b654c47650d4ae50a8630767a9223f1
Instruction Fuzzy Hash: AC81C426F0E68386EB10FB11A960BB973D8EB85B84F500035D96D4B7EADF3CE1059700

Function 00007FFE1A452818 Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4528D0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4528EE
__AdjustPointer.LIBCMT ref: 00007FFE1A45292F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45293C
__AdjustPointer.LIBCMT ref: 00007FFE1A452978
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45298D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4529D2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4529D9

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
Instruction ID: b073622a3ceda261b0e01387bbdde0ab96bfadc6a741147bf3c4341d91097703
Opcode Fuzzy Hash: cf0ce418dbf8095189d4875bbd922365259c44d693191a2e82a2bfde5589004d
Instruction Fuzzy Hash: A751B1B1F09F4281EA69BB57944427963A0AF44FA4F0945F7EA4E077B5DE3CE461C300

Function 00007FFE1A4529FC Relevance: 12.1, APIs: 8, Instructions: 148COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452AB6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452AD5
__AdjustPointer.LIBCMT ref: 00007FFE1A452B16
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452B23
__AdjustPointer.LIBCMT ref: 00007FFE1A452B5F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452B74
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452BB9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A452BC0

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: abort$AdjustPointer
String ID:
API String ID: 1501936508-0
Opcode ID: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
Instruction ID: d69d25f26ad970d347bc150744c37bca5baeb512cba4ef2993ac404ef6882b0a
Opcode Fuzzy Hash: 33b9a28e85c1583a9e53f416898540066328f1663c9e5eff4cdc8514e51169f9
Instruction Fuzzy Hash: 7551B0A1B0AF4281FA65AF17944463863A4AF04FA1F0985F7EA4E077A5DF7CE861C310

Function 00007FFE11EB1BC0 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

PyModule_AddStringConstant.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1C16
PyLong_FromLong.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1C26
PyDict_SetItemString.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1C3D
PyUnicode_FromString.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1C4E
PyDict_SetItem.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1C69
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EC0BD3
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EC0BE2
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFE11EB1B11,?,?,?,00007FFE11EB114C), ref: 00007FFE11EC0BF1

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: DeallocString$Dict_FromItem$ConstantLongLong_Module_Unicode_
String ID:
API String ID: 3707016883-0
Opcode ID: 9894eb32ba501caf1d6953d2abb9eb4bde9c72cae1566bb8ef2456994ddd0a82
Instruction ID: cadd556ceb030309cf8b1b5c017d3b094e9e4a74c1f5ac8ee6c6935ebf16ce22
Opcode Fuzzy Hash: 9894eb32ba501caf1d6953d2abb9eb4bde9c72cae1566bb8ef2456994ddd0a82
Instruction Fuzzy Hash: D3315E21A08E0782EB198FA3AC4453B62ACBF45FF0F085575DD0E06764DE3CE4428344

Function 00007FFE11EB1504 Relevance: 12.1, APIs: 8, Instructions: 61stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1526
PyModule_New.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1532
PyUnicode_FromString.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB1543
_PyImport_SetModule.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB155B
PyModule_AddObject.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EB157D
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EC08F2
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EC0905
_Py_Dealloc.PYTHON311(?,?,00000000,00007FFE11EB1AC1,?,?,?,00007FFE11EB114C), ref: 00007FFE11EC0914

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$Module_$FromImport_ModuleObjectStringUnicode_strrchr
String ID:
API String ID: 261865307-0
Opcode ID: 210302b627e122efd3cef78b55169a79baa6ac8e2b2f46d66b12df1c2c4bfee5
Instruction ID: cf45215c7eb4ef84664e04a74686927dc22651db104dc25515ca7df325e9dd41
Opcode Fuzzy Hash: 210302b627e122efd3cef78b55169a79baa6ac8e2b2f46d66b12df1c2c4bfee5
Instruction Fuzzy Hash: 7721FC35E1DE4385EF544BA3AD1427B66A9AF46FF0F4C5071DA4E06774DE2CE5418340

Function 00007FF7BD3C93D4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C9417
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C9804
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C9AA0

Strings

p, xrefs: 00007FF7BD3C94C9
p, xrefs: 00007FF7BD3C9541
f, xrefs: 00007FF7BD3C9539

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction ID: 4cc6ef968586023c12b3e987560ed59142393eb3db0a1b3862314240e5cf4513
Opcode Fuzzy Hash: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction Fuzzy Hash: 2D12A122A0C343C6FB28BE19D464279E251EB62752FDE4139D789476CEEE3DE5908730

Function 00007FFE1A4557C0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 131COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A455889
_local_unwind.LIBVCRUNTIME ref: 00007FFE1A45592C

Strings

RCC, xrefs: 00007FFE1A45580E
MOC, xrefs: 00007FFE1A455802
csm, xrefs: 00007FFE1A455824
csm, xrefs: 00007FFE1A45596F

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: FileHeader_local_unwind
String ID: MOC$RCC$csm$csm
API String ID: 2627209546-1441736206
Opcode ID: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
Instruction ID: af3261410b8b57851e1c5ea53baac3f38bf4cde2f13c01307c8b3dcb3715ac65
Opcode Fuzzy Hash: 48d146a85fba6cc68383d4a357e19a92ddcb549a58e0a70336f33e234ca841ed
Instruction Fuzzy Hash: ED5163B2B09E1286EB60AB26904137D66A0FF44FB4F1410F3DA4D977A5DF3CE465C642

Function 00007FFE1A45E520 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E594
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E5A3

Part of subcall function 00007FFE1A45C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C81D
Part of subcall function 00007FFE1A45C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C856
Part of subcall function 00007FFE1A45C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CB83

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E643
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E653
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45E6FF

Strings

{for , xrefs: 00007FFE1A45E5CC

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+
String ID: {for
API String ID: 2943138195-864106941
Opcode ID: 416ecf82abdc7693f83b664dab0e642ebc660969777f9551cf3e7d4c265d34da
Instruction ID: 97ed77b46a60022236015673ed4870fce22d5ef1c1a3cbaa0c846a6da1d03f47
Opcode Fuzzy Hash: 416ecf82abdc7693f83b664dab0e642ebc660969777f9551cf3e7d4c265d34da
Instruction Fuzzy Hash: 2A514AB2B08A85A9E711EF26D4413F867A1EB44B98F8084F2EA5C47BA5DF7CD564C340

Function 00007FFDFB1A54CA Relevance: 10.6, APIs: 3, Strings: 4, Instructions: 121stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140 ref: 00007FFDFB3A6E6A
strchr.VCRUNTIME140 ref: 00007FFDFB3A6E7B
memmove.VCRUNTIME140 ref: 00007FFDFB3A6F9D

Strings

..\s\crypto\ui\ui_lib.c, xrefs: 00007FFDFB3A6F04, 00007FFDFB3A6F7D
characters, xrefs: 00007FFDFB3A6F18
You must type in , xrefs: 00007FFDFB3A6F3F
to , xrefs: 00007FFDFB3A6F29

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strchr$memmove
String ID: characters$ to $..\s\crypto\ui\ui_lib.c$You must type in
API String ID: 1080442166-3422546668
Opcode ID: e1d467c1ab8b172e9e243a46dfee5ce5121d718340360ba0c754f62a78f21d98
Instruction ID: 36359a27c9a2fd2e788fafab139d770c6b26a39b4e72474298592f41ce88d26b
Opcode Fuzzy Hash: e1d467c1ab8b172e9e243a46dfee5ce5121d718340360ba0c754f62a78f21d98
Instruction Fuzzy Hash: A551B576B4A6938BEB21AF24D96097877A4EB45B48F104135DA6C0B7EDCF3CE944C740

Function 00007FFE11EC95C0 Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

PyType_GetModuleState.PYTHON311 ref: 00007FFE11EC95E0
_PyObject_GC_New.PYTHON311 ref: 00007FFE11EC95E9
PyMem_Malloc.PYTHON311 ref: 00007FFE11EC9653
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC966B
PyErr_NoMemory.PYTHON311 ref: 00007FFE11EC9671
PyMem_Malloc.PYTHON311 ref: 00007FFE11EC96CB
PyObject_GC_Track.PYTHON311 ref: 00007FFE11EC9730

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: MallocMem_Object_$DeallocErr_MemoryModuleStateTrackType_
String ID:
API String ID: 702796062-0
Opcode ID: 7cb1b6b14d9fbbf55148c9a9e73415ff782f4526333f6db7c09006cb15fc7f27
Instruction ID: dd9338db5409b806a3f14486c0f7050eb63b4d4714cb72a316d3e9f5b568391d
Opcode Fuzzy Hash: 7cb1b6b14d9fbbf55148c9a9e73415ff782f4526333f6db7c09006cb15fc7f27
Instruction Fuzzy Hash: 3B413A72A15F4286EB648FA6EC5437A33A8FB48BA4F445275DA5E477A4EF3CE440C300

Function 00007FF7BD3B6FC0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7BD3B7055
MultiByteToWideChar.KERNEL32 ref: 00007FF7BD3B7097

Strings

MultiByteToWideChar, xrefs: 00007FF7BD3B70DD
win32_utils_from_utf8, xrefs: 00007FF7BD3B70CD
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7BD3B70BD
Failed to get wchar_t buffer size., xrefs: 00007FF7BD3B70D6
Out of memory., xrefs: 00007FF7BD3B70C6

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-876015163
Opcode ID: c63a8705ae77710e22cb38bb79ea38e96bc84988aed726f017d1a1a1dd5352b3
Instruction ID: d2f47c1a21062996c9d1d6f679df1a63038ff6c4db0f2bbd3238e7bc3481b3cc
Opcode Fuzzy Hash: c63a8705ae77710e22cb38bb79ea38e96bc84988aed726f017d1a1a1dd5352b3
Instruction Fuzzy Hash: 7541C372A0CB42C5E614EF19A840265F6A5FB65780F984139EB8D47BAAEF3CD051C710

Function 00007FFE11EC8A38 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC8A72

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Part of subcall function 00007FFE11EBA690: _Py_Dealloc.PYTHON311 ref: 00007FFE11EBA75C

Py_BuildValue.PYTHON311 ref: 00007FFE11EC8B1E

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8B69
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8B7D

Strings

EntityDecl, xrefs: 00007FFE11EC8B30
NiNNNNN, xrefs: 00007FFE11EC8AFF

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$Dict_Err_ItemOccurred$BuildCallDecodeErrorObject_Unicode_ValueWith
String ID: EntityDecl$NiNNNNN
API String ID: 2384994390-924104366
Opcode ID: 133638af195f1dd530839e5bfe393b065e0c6411a05adc9108dccaa6754db0fe
Instruction ID: bc41982ed81927b01528f6f313ea2b71aa08c47631d5c9886b89766a0f5a552e
Opcode Fuzzy Hash: 133638af195f1dd530839e5bfe393b065e0c6411a05adc9108dccaa6754db0fe
Instruction Fuzzy Hash: FC315C66A08B8281EB109B93AD047AB73A8BB89FF4F484476EE4D07765DF3CE0418744

Function 00007FFDFB1A2E4B Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FFDFB2ADA52

Strings

~, xrefs: 00007FFDFB2ADB1C
~, xrefs: 00007FFDFB2ADA87
~, xrefs: 00007FFDFB2ADA6C
OPENSSL_ia32cap, xrefs: 00007FFDFB2ADA28
~, xrefs: 00007FFDFB2ADB04

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: EnvironmentVariable
String ID: OPENSSL_ia32cap$~$~$~$~
API String ID: 1431749950-1981414212
Opcode ID: cf480c52fdec152708fcec39c4b82c05f8550ca0c57a004c4734a86e6d7d47de
Instruction ID: 06393246a6c51dfca754fb5bf20b76412e675109945b19e71fb16182ca72a5ab
Opcode Fuzzy Hash: cf480c52fdec152708fcec39c4b82c05f8550ca0c57a004c4734a86e6d7d47de
Instruction Fuzzy Hash: B6419D65F0E65795E7149B01AA619B833A4EB04BD4F844135D97E8BAFCEF3CE481C740

Function 00007FFE1A45DB00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

atol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE1A45D217), ref: 00007FFE1A45DBC4
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45DBE3

Strings

void, xrefs: 00007FFE1A45DB46
`template-parameter, xrefs: 00007FFE1A45DBF1

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: NameName::atol
String ID: `template-parameter$void
API String ID: 2130343216-4057429177
Opcode ID: 7b7e14213947c3780e213c190a7c5fdcdd2a49ff05635447eaaef3bd9456bf2e
Instruction ID: d799e140f4e2e25e6ee784e37a1a86591171988aadf1b5130a3f4c64bf3e4f20
Opcode Fuzzy Hash: 7b7e14213947c3780e213c190a7c5fdcdd2a49ff05635447eaaef3bd9456bf2e
Instruction Fuzzy Hash: EA417B62F08F4688FB00DB66D8512FC2371BF48BA8F5401B6DE5C67A68DF789465C340

Function 00007FF7BD3B55E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BD3B6DC0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B6DFA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF7BD3B5931,?,?,00000000,?,?,00007FF7BD3B58AD), ref: 00007FF7BD3B563F

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7BD3B5616
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7BD3B569A
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7BD3B5653

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: 22df63ef2f3e76b3626f1eb672273def7074d3b8183cbbd32400c4ff734ed995
Instruction ID: 43494b8ce88491b37edf37ec4e7fb5141a3698f6d491cecec88d530dcd0ac7d8
Opcode Fuzzy Hash: 22df63ef2f3e76b3626f1eb672273def7074d3b8183cbbd32400c4ff734ed995
Instruction Fuzzy Hash: 6E316851B1D742C0FA69B72999153B9F251AFBA780FC44439EB4E4369FFE2CE1048720

Function 00007FF7BD3BC258 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7BD3BC50A,?,?,?,00007FF7BD3BC1FC,?,?,00000001,00007FF7BD3BBE19), ref: 00007FF7BD3BC2DD
GetLastError.KERNEL32(?,?,?,00007FF7BD3BC50A,?,?,?,00007FF7BD3BC1FC,?,?,00000001,00007FF7BD3BBE19), ref: 00007FF7BD3BC2EB
LoadLibraryExW.KERNEL32(?,?,?,00007FF7BD3BC50A,?,?,?,00007FF7BD3BC1FC,?,?,00000001,00007FF7BD3BBE19), ref: 00007FF7BD3BC315
FreeLibrary.KERNEL32(?,?,?,00007FF7BD3BC50A,?,?,?,00007FF7BD3BC1FC,?,?,00000001,00007FF7BD3BBE19), ref: 00007FF7BD3BC35B
GetProcAddress.KERNEL32(?,?,?,00007FF7BD3BC50A,?,?,?,00007FF7BD3BC1FC,?,?,00000001,00007FF7BD3BBE19), ref: 00007FF7BD3BC367

Strings

api-ms-, xrefs: 00007FF7BD3BC2FD

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9fa3fe7d6df773d1c5bf24e67e430f6ff715784c160aee4fa5e303400e9c878a
Instruction ID: 3e159bd9ae40d57ab114fb486dd6fbf3d946eac754b7529e0357083ffdcbeebc
Opcode Fuzzy Hash: 9fa3fe7d6df773d1c5bf24e67e430f6ff715784c160aee4fa5e303400e9c878a
Instruction Fuzzy Hash: D531E725A0E602C1EE69BB2A9410575F294BF6AB90FCD0538EF1D4735AFF3CE0448724

Function 00007FFE11EC918C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC91C4

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Part of subcall function 00007FFE11EBA690: _Py_Dealloc.PYTHON311 ref: 00007FFE11EBA75C

Py_BuildValue.PYTHON311 ref: 00007FFE11EC9244

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC928C
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC92A0

Strings

UnparsedEntityDecl, xrefs: 00007FFE11EC9256
(NNNNN), xrefs: 00007FFE11EC923D

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$Dict_Err_ItemOccurred$BuildCallDecodeErrorObject_Unicode_ValueWith
String ID: (NNNNN)$UnparsedEntityDecl
API String ID: 2384994390-4202326955
Opcode ID: 002de062773e735def128884d516483ff06dc4c12868f817e564735d270edbbd
Instruction ID: dd84867ab9a463ecd84ab7e5251c4822c8dac556e908d4aa8ca04a2cec4e9abd
Opcode Fuzzy Hash: 002de062773e735def128884d516483ff06dc4c12868f817e564735d270edbbd
Instruction Fuzzy Hash: 69313C71A08E4282EF159B93AC0426BB7A9BF89FE0F4845B5DE8D17779DE3CE0419344

Function 00007FFE1A458900 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45874C: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A4587CB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A4589B2

Strings

void, xrefs: 00007FFE1A458A24
..., xrefs: 00007FFE1A4589EF
,<ellipsis>, xrefs: 00007FFE1A458990
<ellipsis>, xrefs: 00007FFE1A4589FF
,..., xrefs: 00007FFE1A458980

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 1405650943-2211150622
Opcode ID: 463b429a368d480f938697e6d099cec3f907049628b5d1349ecbd199c78a6655
Instruction ID: 4b7c24c9c4c32a3e6b0cc09325b764d7474eed1009fb21bd1135b9d4b64c048f
Opcode Fuzzy Hash: 463b429a368d480f938697e6d099cec3f907049628b5d1349ecbd199c78a6655
Instruction Fuzzy Hash: 114146A2F08F8699F7129B26D8402B877B0BB08B58F4445F6CA5C533A4DF7CA5A1D341

Function 00007FFE1A45A6E4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A7D5

Strings

char , xrefs: 00007FFE1A45A770
int , xrefs: 00007FFE1A45A758
long , xrefs: 00007FFE1A45A749
short , xrefs: 00007FFE1A45A767
unsigned , xrefs: 00007FFE1A45A7A9

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+
String ID: char $int $long $short $unsigned
API String ID: 2943138195-3894466517
Opcode ID: 01c330b6d3460536b725c75710ede4031362a47bdaf6c5878ce89829e4b6ba2f
Instruction ID: 2e23e24836c591e60cb760a3ae457d19dbb094d1e5b238fa4d6f5533e3d4cc64
Opcode Fuzzy Hash: 01c330b6d3460536b725c75710ede4031362a47bdaf6c5878ce89829e4b6ba2f
Instruction Fuzzy Hash: 88313AB2F18B4589F7019B2AC8583B827B1BB05B68F5481F2CA1C16AB8DF3CD564C750

Function 00007FFE11EC8DB4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC8DE7

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Part of subcall function 00007FFE11EBA690: _Py_Dealloc.PYTHON311 ref: 00007FFE11EBA75C

Py_BuildValue.PYTHON311 ref: 00007FFE11EC8E52

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8E98
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8EAC

Strings

(NNNN), xrefs: 00007FFE11EC8E48
NotationDecl, xrefs: 00007FFE11EC8E64

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$Dict_Err_ItemOccurred$BuildCallDecodeErrorObject_Unicode_ValueWith
String ID: (NNNN)$NotationDecl
API String ID: 2384994390-1686118283
Opcode ID: 32622afc7d9457b4187bcf57a7d64f2c6b28dfe7c7cbb8abc10128d104fd37f5
Instruction ID: 9d6ef79bece1eb3f5640c5a7c266af4176e41b08499dd8bb8f5d7c67f9579fe8
Opcode Fuzzy Hash: 32622afc7d9457b4187bcf57a7d64f2c6b28dfe7c7cbb8abc10128d104fd37f5
Instruction Fuzzy Hash: 53312F71A08A8289EF149F93AD0467B73A8BB85FF4F480176EE4D07765DE3CE4418748

Function 00007FFE11EC8798 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC87C3
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8803
Py_BuildValue.PYTHON311 ref: 00007FFE11EC8842
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8897
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC88AA

Part of subcall function 00007FFE11EC8458: PyTuple_New.PYTHON311 ref: 00007FFE11EC8479
Part of subcall function 00007FFE11EC8458: Py_BuildValue.PYTHON311 ref: 00007FFE11EC84DE

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Strings

ElementDecl, xrefs: 00007FFE11EC8854

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$BuildDict_Err_ItemOccurredValue$DecodeErrorTuple_Unicode_With
String ID: ElementDecl
API String ID: 3369064983-3989113327
Opcode ID: 5f6f0c3fdefc0d30e23ae9e97e15a80f9e75311a9d222ede4bb6d68e2c3893ff
Instruction ID: 274ed815bc9f138abbb6b65d0639d1ac3bf604f1a3009ec63002b86753f05191
Opcode Fuzzy Hash: 5f6f0c3fdefc0d30e23ae9e97e15a80f9e75311a9d222ede4bb6d68e2c3893ff
Instruction Fuzzy Hash: 1C310A26A09F4281EF149B93AE0437BA3A8AF45BB4F985175DE0D07BA5EF3CF4418340

Function 00007FFDFB1A39BD Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

_stat64i32.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFDFB36E559
_chmod.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FFDFB36E61D
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFB36E636
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDFB36E642

Strings

Filename=, xrefs: 00007FFDFB36E592, 00007FFDFB36E601
..\s\crypto\rand\randfile.c, xrefs: 00007FFDFB36E57C, 00007FFDFB36E5E0

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: _chmod_stat64i32fclosefwrite
String ID: ..\s\crypto\rand\randfile.c$Filename=
API String ID: 4260490851-2201148535
Opcode ID: 8e0a9474f630242c8024cca5bc5f23566c113e024c103529736493676b206fa0
Instruction ID: fa3eca2ddd6498b3ac5b7b4d8378cc2d8a7363ab0c467cd3c2e34f91470131ba
Opcode Fuzzy Hash: 8e0a9474f630242c8024cca5bc5f23566c113e024c103529736493676b206fa0
Instruction Fuzzy Hash: C9318F72B0E64786EB10EB15E960BA963A5EF85748F404135DA2D47AEDEF3CF518C700

Function 00007FFE11EBC320 Relevance: 10.6, APIs: 7, Instructions: 74COMMON

Download Yara Rule

APIs

PyObject_GC_UnTrack.PYTHON311 ref: 00007FFE11EBC33D
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBC3B9
PyMem_Free.PYTHON311 ref: 00007FFE11EBC3DF
PyMem_Free.PYTHON311 ref: 00007FFE11EBC3F7
PyObject_GC_Del.PYTHON311 ref: 00007FFE11EBC408
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBC436

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: DeallocFreeMem_Object_$Track
String ID:
API String ID: 2141335114-0
Opcode ID: 20dd7b8d0dbc48d714609b2b9538a0f5e7241d86dea07c5d1e8cb36cfad0da5a
Instruction ID: 84aeb769f20eb2e2983a56b5f153c3fe3fb023d0bc8338825da7ef70067612b3
Opcode Fuzzy Hash: 20dd7b8d0dbc48d714609b2b9538a0f5e7241d86dea07c5d1e8cb36cfad0da5a
Instruction Fuzzy Hash: 08310D36909F42C6DB149FA2AC4017E73A8FB49BB4B5815B5EA4E47A24CF3CD560C344

Function 00007FFE11EC9074 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC90A8

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Part of subcall function 00007FFE11EBA690: _Py_Dealloc.PYTHON311 ref: 00007FFE11EBA75C

Py_BuildValue.PYTHON311 ref: 00007FFE11EC9106

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC914C
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC9160

Strings

StartDoctypeDecl, xrefs: 00007FFE11EC9118
(NNNi), xrefs: 00007FFE11EC90FC

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$Dict_Err_ItemOccurred$BuildCallDecodeErrorObject_Unicode_ValueWith
String ID: (NNNi)$StartDoctypeDecl
API String ID: 2384994390-3468646127
Opcode ID: 09eeef058cbb449473f66dbba458fd5a0346be9f47bd87c939b78e6464927644
Instruction ID: 7f6689ed99851952c8433c37e295ea84170ca32f5d579fb54eb932e5fd02ff66
Opcode Fuzzy Hash: 09eeef058cbb449473f66dbba458fd5a0346be9f47bd87c939b78e6464927644
Instruction Fuzzy Hash: 02212F31A08B5286EB149B939C0526BA7E8BB89FE4F4901B9DE4D07775EF3CE4418344

Function 00007FFE11EC85AC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC85DE

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Py_BuildValue.PYTHON311 ref: 00007FFE11EC8646

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC868F
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC86A3

Strings

AttlistDecl, xrefs: 00007FFE11EC8658
(NNO&O&i), xrefs: 00007FFE11EC8635

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: DeallocDict_Err_ItemOccurred$BuildCallDecodeErrorObject_Unicode_ValueWith
String ID: (NNO&O&i)$AttlistDecl
API String ID: 3887327737-3385402447
Opcode ID: 957addba2489eccb0ee01b3d5cd7dcea7b6e51bcc7c4e6b3cdecece487c79ae1
Instruction ID: 5f494c24f1d66122e0a0e87f7351ec4730dbb6f96c02d92355c7e32112388d12
Opcode Fuzzy Hash: 957addba2489eccb0ee01b3d5cd7dcea7b6e51bcc7c4e6b3cdecece487c79ae1
Instruction Fuzzy Hash: CF314F31A08F4282EB149B93AE4477A73A8FB98BE4F484175EA4D07B65DF3CE0558744

Function 00007FF7BD3B6DC0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B6DFA

Part of subcall function 00007FF7BD3B1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF7BD3B6914,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B1CD7

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF7BD3B6E80

Strings

MultiByteToWideChar, xrefs: 00007FF7BD3B6E0E, 00007FF7BD3B6E91
win32_utils_from_utf8, xrefs: 00007FF7BD3B6E49
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7BD3B6E8A
Failed to get wchar_t buffer size., xrefs: 00007FF7BD3B6E07
Out of memory., xrefs: 00007FF7BD3B6E42

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-876015163
Opcode ID: 13a0b7f3fd21cee1c2cd62ee385234548c1439332c91f829e0dfe80559821203
Instruction ID: 43019b4954d51c81cb7c509cd164a11531004945b6041284c7f790dd7be236ee
Opcode Fuzzy Hash: 13a0b7f3fd21cee1c2cd62ee385234548c1439332c91f829e0dfe80559821203
Instruction Fuzzy Hash: A021D725B1CA42C1EB54EB2DF810166E361EBAA7C4F8C4139EB4C8376EFE2CD5818700

Function 00007FFE13302250 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311(?,?,00000000,00007FFE13302110), ref: 00007FFE1330226A
_Py_hashtable_get.PYTHON311(?,?,00000000,00007FFE13302110), ref: 00007FFE1330227A
EVP_get_digestbyname.LIBCRYPTO-1_1(?,?,00000000,00007FFE13302110), ref: 00007FFE133022BA
EVP_get_digestbyname.LIBCRYPTO-1_1(?,?,00000000,00007FFE13302110), ref: 00007FFE133022D2

Strings

unsupported hash type %s, xrefs: 00007FFE133022DE

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: P_get_digestbyname$Module_Py_hashtable_getState
String ID: unsupported hash type %s
API String ID: 3106711627-1604032313
Opcode ID: 67812a4578febaac995a36f8f4713c82c213913e0e18a1f50772f87860905fed
Instruction ID: fba9289d2250e93518e8861502ce37280abe907186cf37db0e60d7f1ed0f345e
Opcode Fuzzy Hash: 67812a4578febaac995a36f8f4713c82c213913e0e18a1f50772f87860905fed
Instruction Fuzzy Hash: 36212132A08E4689EAA58B57D44423D63A9EFA9BB0F1501B5D96D637B4CF3CE580C308

Function 00007FF7BD3CA790 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA79F
FlsGetValue.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA7B4
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA7D5
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA802
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA813
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA824
SetLastError.KERNEL32(?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F,?,?,?,00007FF7BD3C9483), ref: 00007FF7BD3CA83F

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 0e939324b748cc2434b205d84fc0d0a7dc89f7974af049da77980cbf7db2f024
Instruction ID: 29f4fc0e4a7f8aee5534c9c7f14c1e7fc5a4232ad2de6063861c5116dfcd1ed4
Opcode Fuzzy Hash: 0e939324b748cc2434b205d84fc0d0a7dc89f7974af049da77980cbf7db2f024
Instruction Fuzzy Hash: 47215E20F0D302C2F56C73696551239E6525FA77A0F98463CDA3E076CFFE2CA4418324

Function 00007FFE11EC92D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC9302
Py_BuildValue.PYTHON311 ref: 00007FFE11EC933E

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC9387
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC939B

Strings

XmlDecl, xrefs: 00007FFE11EC9350
(O&O&i), xrefs: 00007FFE11EC9337

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$BuildCallErr_Object_OccurredValue
String ID: (O&O&i)$XmlDecl
API String ID: 1677464630-1850199684
Opcode ID: c8029abda4df616d2335b34727fd60721a7f93f955b8ed55be75da175484939c
Instruction ID: dcdcfc67567e6ac963b9a31a34cc822018e19f43e4f7fb3410eab3ddf8f8f004
Opcode Fuzzy Hash: c8029abda4df616d2335b34727fd60721a7f93f955b8ed55be75da175484939c
Instruction Fuzzy Hash: 53215E31A08F5282EB148BA6ED4036A63B8FF44BA4F485175DA4D0BBB5EF3DE4518740

Function 00007FFE11EC8CD8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC8CFF
Py_BuildValue.PYTHON311 ref: 00007FFE11EC8D25

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8D6B
PyLong_AsLong.PYTHON311 ref: 00007FFE11EC8D79
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8D8A

Strings

NotStandalone, xrefs: 00007FFE11EC8D37

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$BuildCallErr_LongLong_Object_OccurredValue
String ID: NotStandalone
API String ID: 1294825290-2808886647
Opcode ID: 9f5384b9e1f92a79eb95630dfebb662f1c8ea3b42a38f01036de380a72164f26
Instruction ID: 56a2d41674288c6fb6192157a8c1869f89a310149a4a1b1b6716554a87ca75fe
Opcode Fuzzy Hash: 9f5384b9e1f92a79eb95630dfebb662f1c8ea3b42a38f01036de380a72164f26
Instruction Fuzzy Hash: 3D215031A08E4286EB509BA3AD4027BA7A8FF54BB4F980175DA4D07B74DF3DE451C300

Function 00007FFE11EBBA74 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EBBA9B

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Py_BuildValue.PYTHON311 ref: 00007FFE11EBBAD5

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EBBB1B
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBBB2F

Strings

(NO&), xrefs: 00007FFE11EBBACE
ProcessingInstruction, xrefs: 00007FFE11EBBAE7

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: DeallocDict_Err_ItemOccurred$BuildCallDecodeErrorObject_Unicode_ValueWith
String ID: (NO&)$ProcessingInstruction
API String ID: 3887327737-1976967776
Opcode ID: 531e1765fc80bffab221f944b5c4f86a7fe5b05bbe1c959d904660c2f32b6865
Instruction ID: 822f59674d1416224f7d50d34b51d03ccefe0afe3486cd225d05294a5085b824
Opcode Fuzzy Hash: 531e1765fc80bffab221f944b5c4f86a7fe5b05bbe1c959d904660c2f32b6865
Instruction Fuzzy Hash: 39213021A08E5242EF249B93ED842BA63A8BF45BE4F0845B6DE4D077B5DF2CE4458344

Function 00007FFE11EBC06C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EBC090

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Py_BuildValue.PYTHON311 ref: 00007FFE11EBC0BC

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EBC102

Strings

EndNamespaceDecl, xrefs: 00007FFE11EBC0CE
(N), xrefs: 00007FFE11EBC0B5

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dict_Err_ItemOccurred$BuildCallDeallocDecodeErrorObject_Unicode_ValueWith
String ID: (N)$EndNamespaceDecl
API String ID: 3568289713-1490285299
Opcode ID: 126c8f59c007d7fc377e8d958a162895bb3311542544022065567f7085a7e536
Instruction ID: d9a9c5c1cfb46b538417c6777a6faaf5e5931a06f168e70ac40ce9fe08a43fb2
Opcode Fuzzy Hash: 126c8f59c007d7fc377e8d958a162895bb3311542544022065567f7085a7e536
Instruction Fuzzy Hash: 18213B25A0CE4382EB148B93AD0427B63B8BF45BE4F1851B6DA4D177B5EF3CE8558344

Function 00007FFE11EC86C8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC86EF
Py_BuildValue.PYTHON311 ref: 00007FFE11EC871E

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8764
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8778

Strings

Default, xrefs: 00007FFE11EC8730
(N), xrefs: 00007FFE11EC8717

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$BuildCallErr_Object_OccurredValue
String ID: (N)$Default
API String ID: 1677464630-894064132
Opcode ID: 28ecd4c5d4025a43b47768154c354b68746e2180b86aa5994ce0e4dc2e6449bf
Instruction ID: 8cfaa7802b5d439c5918a8a541f0a2ff3289b1226ded5d796c80e2372f06173f
Opcode Fuzzy Hash: 28ecd4c5d4025a43b47768154c354b68746e2180b86aa5994ce0e4dc2e6449bf
Instruction Fuzzy Hash: EA218121A08F5282EB144B93DE0437E63A8BF45BB4F884175DA4C57BB5EF3CE4528340

Function 00007FFE11EBB8C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EBB8E8
Py_BuildValue.PYTHON311 ref: 00007FFE11EBB910

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EBB956
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBB96A

Strings

Comment, xrefs: 00007FFE11EBB922
(O&), xrefs: 00007FFE11EBB909

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$BuildCallErr_Object_OccurredValue
String ID: (O&)$Comment
API String ID: 1677464630-4157610253
Opcode ID: e52393e59cd8ab4a03cec79f56ae0c19b82339798d1374d714194a96a62e189f
Instruction ID: b24f7edb52faef6c831632dd59fd2c49ba33475afd63d75504334c74d8489c75
Opcode Fuzzy Hash: e52393e59cd8ab4a03cec79f56ae0c19b82339798d1374d714194a96a62e189f
Instruction Fuzzy Hash: 1E111A21A08E5682FF249BA3ED0437A63A8BF45BE4F0841B6DA4D077B1EF2DE4558344

Function 00007FF7BD3D70FC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7BD3D712D
GetLastError.KERNEL32 ref: 00007FF7BD3D7139
CloseHandle.KERNEL32 ref: 00007FF7BD3D7151
CreateFileW.KERNEL32 ref: 00007FF7BD3D717C
WriteConsoleW.KERNEL32 ref: 00007FF7BD3D719B

Strings

CONOUT$, xrefs: 00007FF7BD3D715D

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 2b1705eb60c5a9ea67d3abf5815f39d96026ea1e9a70ddd12955119ba33cdf2b
Instruction ID: b842a94c9f96ababdf988789b92d1f6feeaba91113d7d4c8505609732cad9c64
Opcode Fuzzy Hash: 2b1705eb60c5a9ea67d3abf5815f39d96026ea1e9a70ddd12955119ba33cdf2b
Instruction Fuzzy Hash: AE11B721A1CA42C6E7549B0AF854325E2A0FB69BE4F444238DB1D437A9EF7CD4048714

Function 00007FFE11EBDF10 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

PyObject_IsTrue.PYTHON311 ref: 00007FFE11EBDF25
PyMem_Malloc.PYTHON311 ref: 00007FFE11EBDF42
PyErr_SetString.PYTHON311 ref: 00007FFE11EC6153
PyErr_NoMemory.PYTHON311 ref: 00007FFE11EC615F
PyMem_Free.PYTHON311 ref: 00007FFE11EC6188

Strings

Cannot delete attribute, xrefs: 00007FFE11EC6149

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Err_Mem_$FreeMallocMemoryObject_StringTrue
String ID: Cannot delete attribute
API String ID: 3601117635-1790985853
Opcode ID: d8124877790e7622a097d5a22737a4627b7f6c18e69dfbd447250a29ffa55de6
Instruction ID: 0c9aea4386f87a1d9f9689d9a1976e22894f4d6d6337679aede44fcc3ed9c497
Opcode Fuzzy Hash: d8124877790e7622a097d5a22737a4627b7f6c18e69dfbd447250a29ffa55de6
Instruction Fuzzy Hash: F711F765A0DE0381EF249BE39C5433A22A8BF48B79F1461B2D91E862B1DF2DF484C305

Function 00007FFDFB1A648D Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3D3D48
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3D3DB6
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3D3DE1

Strings

ASN1:, xrefs: 00007FFDFB3D3DD4
DER:, xrefs: 00007FFDFB3D3DA9
critical,, xrefs: 00007FFDFB3D3D41

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strncmp
String ID: ASN1:$DER:$critical,
API String ID: 1114863663-369496153
Opcode ID: 73dbe8a7fb2b7298154a64a71f77702ab256a3369e9a1f498dc58ab828e17128
Instruction ID: 7bf67fb358306f1fba2a6adb738f0eda382df29d888f9de18ad5289979fa3e29
Opcode Fuzzy Hash: 73dbe8a7fb2b7298154a64a71f77702ab256a3369e9a1f498dc58ab828e17128
Instruction Fuzzy Hash: 0941E812B4A69B06F7106B26A920B3AA6D5AF09FD8F084034DD7D477FDDE3DE8048740

Function 00007FFDFB1A4DF9 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 108stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3D3867

Strings

ASN1:, xrefs: 00007FFDFB3D38F4
DER:, xrefs: 00007FFDFB3D38C9
critical,, xrefs: 00007FFDFB3D3860

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strncmp
String ID: ASN1:$DER:$critical,
API String ID: 1114863663-369496153
Opcode ID: f62d61b209e271971fe335ffc6509810b63e2710eb999574c42c4a8ef04bc1b2
Instruction ID: 30fef4a9201e5a5dd0e24c955cfbbf523360e02f4a904b2d470593808064691f
Opcode Fuzzy Hash: f62d61b209e271971fe335ffc6509810b63e2710eb999574c42c4a8ef04bc1b2
Instruction Fuzzy Hash: 1C41E522B1A68742FB106B26A960B79A6D1FB49BD8F445030DD7D47BEDDE3DE8048700

Function 00007FFE1A456570 Relevance: 9.1, APIs: 6, Instructions: 84stringCOMMON

Download Yara Rule

APIs

__unDName.LIBVCRUNTIME ref: 00007FFE1A4565C6
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A456609
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE1A456633
InterlockedPushEntrySList.KERNEL32 ref: 00007FFE1A456650
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A45665C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1A456665

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
String ID:
API String ID: 3741236498-0
Opcode ID: de3a4ec1d6e9946eef6b348e6d8a6ead344041b39e9dfd9c2ce66c677152b10d
Instruction ID: 46bfee7169a7b774ce68bc71c4467136af0c612f772fbebac381b7c865fffa3f
Opcode Fuzzy Hash: de3a4ec1d6e9946eef6b348e6d8a6ead344041b39e9dfd9c2ce66c677152b10d
Instruction Fuzzy Hash: 1031B261B19B9591EB119B27B804579A3A4FF08FF4B5946B6DD2D433A0EE3DD462C300

Function 00007FFE13303760 Relevance: 9.1, APIs: 6, Instructions: 59COMMON

Download Yara Rule

APIs

_Py_hashtable_new_full.PYTHON311 ref: 00007FFE13303787
PyMem_Malloc.PYTHON311 ref: 00007FFE133037B9
_Py_hashtable_set.PYTHON311 ref: 00007FFE133037EA
_Py_hashtable_set.PYTHON311 ref: 00007FFE13303810
PyMem_Free.PYTHON311 ref: 00007FFE133052CB
_Py_hashtable_destroy.PYTHON311 ref: 00007FFE133052D4

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Mem_Py_hashtable_set$FreeMallocPy_hashtable_destroyPy_hashtable_new_full
String ID:
API String ID: 3987031744-0
Opcode ID: 4d3727f9dcbb20985ec9bf9f97716139e44a5e8b477380798206113630c02f70
Instruction ID: bf0af012d8784f87c6baf6b89c69bfb55be7966c81196b98056d529be1cd18e8
Opcode Fuzzy Hash: 4d3727f9dcbb20985ec9bf9f97716139e44a5e8b477380798206113630c02f70
Instruction Fuzzy Hash: 8D215E21A1CF4686F7118B26D44037D63A4FF64BA5F0451B1DA5D227B0DF3CE199C308

Function 00007FF7BD3CA908 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA917
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA94D
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA97A
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA98B
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA99C
SetLastError.KERNEL32(?,?,?,00007FF7BD3C60A1,?,?,?,?,00007FF7BD3CDF2F,?,?,00000000,00007FF7BD3CAA26,?,?,?), ref: 00007FF7BD3CA9B7

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: fd355e16ec1b8389c326bb7a0c1288e1e744e38f9cf313ad355fe3b15a8e35c3
Instruction ID: ba54a310d88874236fbdb84d322050d41d40ac447218f561f1c323d22ed5de28
Opcode Fuzzy Hash: fd355e16ec1b8389c326bb7a0c1288e1e744e38f9cf313ad355fe3b15a8e35c3
Instruction Fuzzy Hash: 4D115E21A0C346C2F65C7329A552279E2424FAB7B0F89473CDA3E476DFFD2CA4418724

Function 00007FFE13306168 Relevance: 9.0, APIs: 6, Instructions: 34threadCOMMON

Download Yara Rule

APIs

PyThread_acquire_lock.PYTHON311(?,?,?,00007FFE1330535E), ref: 00007FFE13306188
PyEval_SaveThread.PYTHON311(?,?,?,00007FFE1330535E), ref: 00007FFE13306192
PyThread_acquire_lock.PYTHON311(?,?,?,00007FFE1330535E), ref: 00007FFE133061A4
PyEval_RestoreThread.PYTHON311(?,?,?,00007FFE1330535E), ref: 00007FFE133061AD
HMAC_CTX_copy.LIBCRYPTO-1_1(?,?,?,00007FFE1330535E), ref: 00007FFE133061BA
PyThread_release_lock.PYTHON311(?,?,?,00007FFE1330535E), ref: 00007FFE133061CB

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Eval_ThreadThread_acquire_lock$RestoreSaveThread_release_lockX_copy
String ID:
API String ID: 1756194536-0
Opcode ID: 8fff098642709bb73204b4a8ac8639e22a3ced04d8aabff8f524475106d8fc93
Instruction ID: fc166a830a4a00cab6d35dbb1f7eabbf6b4aed59167b1ceed831cc3a7e002548
Opcode Fuzzy Hash: 8fff098642709bb73204b4a8ac8639e22a3ced04d8aabff8f524475106d8fc93
Instruction Fuzzy Hash: 9201E825B09F4286FB498B63E95412D2360FFA8FA0B1450B4DE6E53B29CF3CE4A58744

Function 00007FFE1A453AEC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4569C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4525CE), ref: 00007FFE1A4569CE

EncodePointer.KERNEL32 ref: 00007FFE1A453B5C
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A453BA7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453DD5

Strings

MOC, xrefs: 00007FFE1A453B70
RCC, xrefs: 00007FFE1A453B78

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: bc23f9d190e68b0d649da4772cf0aebac2cf99f7a7c8ea39b120ae49b64f19ea
Instruction ID: 5c64eea22f5e13ad19ae8b0426fc0bbcd175eecf271101e4558b188fb0d97d02
Opcode Fuzzy Hash: bc23f9d190e68b0d649da4772cf0aebac2cf99f7a7c8ea39b120ae49b64f19ea
Instruction Fuzzy Hash: CA91B2B3B08B818AE711DB66E4502BD77B0F745B98F1041AAEB4D17765DF38E1A5CB00

Function 00007FFE1A45BF20 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C1C0

Strings

volatile, xrefs: 00007FFE1A45BF96, 00007FFE1A45C0C7
std::nullptr_t , xrefs: 00007FFE1A45C150
std::nullptr_t, xrefs: 00007FFE1A45C179
volatile , xrefs: 00007FFE1A45BF87, 00007FFE1A45C0B8

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+
String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
API String ID: 2943138195-757766384
Opcode ID: e51d893b916fd38dc1e020bc8963aa6f83aa847b46c3d095f24d6897074767ca
Instruction ID: 29c53ade6ae3f4328f2829b6d4b15d187fcb185a19ff92ec2a2bb5f26bb3bcdb
Opcode Fuzzy Hash: e51d893b916fd38dc1e020bc8963aa6f83aa847b46c3d095f24d6897074767ca
Instruction Fuzzy Hash: 14716AB2F08E4294EB14AF6699400BC67A1BB05FA4F4446F6DA5D83A74DF3CE5B0CB40

Function 00007FFE1A4538D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4569C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4525CE), ref: 00007FFE1A4569CE

EncodePointer.KERNEL32 ref: 00007FFE1A45391C
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A45396B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A453AE3

Strings

RCC, xrefs: 00007FFE1A453939
MOC, xrefs: 00007FFE1A453930

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: abort$CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 2889003569-2084237596
Opcode ID: 227e5baf7e5e9155f58c31c3fecc157e2e687fbe3eaaf077a93d355b17988fc2
Instruction ID: 4eb49792d1089a7686f51271e6a78c53ac0f7dc4092eaef492428ecd1f46ecac
Opcode Fuzzy Hash: 227e5baf7e5e9155f58c31c3fecc157e2e687fbe3eaaf077a93d355b17988fc2
Instruction Fuzzy Hash: 3C612BB2A08B458AEB109F66D4403BD77A0FB44B98F0442A6EE4D17BA9CF78E565C700

Function 00007FF7BD3BBC18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7BD3BBC43
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7BD3BBCD8
RtlUnwindEx.KERNEL32 ref: 00007FF7BD3BBD27

Strings

csm, xrefs: 00007FF7BD3BBCBE
f, xrefs: 00007FF7BD3BBC56

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: c81fa8b68ebdc3525af754f24f91b9dd724933d7398a71cb8b59e34543720a2d
Instruction ID: c5102b279eed2fc118f84790d36a2eadaecb3b6f248f11b9dfcba135aaf7349f
Opcode Fuzzy Hash: c81fa8b68ebdc3525af754f24f91b9dd724933d7398a71cb8b59e34543720a2d
Instruction Fuzzy Hash: C4519031A0E602CADB18AF19D504A29F755FB65B88F908538EB4A0774EEE3CE941C720

Function 00007FFDFB266E10 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 129networkCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?,00007FFDFB2665C3), ref: 00007FFDFB266E5D
getnameinfo.WS2_32 ref: 00007FFDFB266EAB
htons.WS2_32 ref: 00007FFDFB266F1B

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFDFB266EC4, 00007FFDFB266F46, 00007FFDFB266F65, 00007FFDFB266F95, 00007FFDFB266FB2, 00007FFDFB266FD4
, xrefs: 00007FFDFB266E91

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: getnameinfohtonsmemset
String ID: $..\s\crypto\bio\b_addr.c
API String ID: 165288700-1606403076
Opcode ID: e223affc2ac3203e319be5c56c676065cae7187c143fb2084f86007e6ab65d6f
Instruction ID: 652387f771552d0eca20721bc49780ec700f7f68058b8a25205c76becbfb163d
Opcode Fuzzy Hash: e223affc2ac3203e319be5c56c676065cae7187c143fb2084f86007e6ab65d6f
Instruction Fuzzy Hash: 0F51C562B0A6838AFB219B11E520AB977A1FB40748F404035EBAD875FDDF3DF5958B40

Function 00007FFE11EC8ED8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC8F02

Part of subcall function 00007FFE11EBA690: PyUnicode_DecodeUTF8.PYTHON311 ref: 00007FFE11EBA6C3
Part of subcall function 00007FFE11EBA690: PyDict_GetItemWithError.PYTHON311 ref: 00007FFE11EBA6E6
Part of subcall function 00007FFE11EBA690: PyErr_Occurred.PYTHON311 ref: 00007FFE11EBA6F4
Part of subcall function 00007FFE11EBA690: PyDict_SetItem.PYTHON311 ref: 00007FFE11EBA70D

Py_BuildValue.PYTHON311 ref: 00007FFE11EC8F39

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8F82
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8F96

Strings

SkippedEntity, xrefs: 00007FFE11EC8F4B

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: DeallocDict_Err_ItemOccurred$BuildCallDecodeErrorObject_Unicode_ValueWith
String ID: SkippedEntity
API String ID: 3887327737-2419268895
Opcode ID: d79c4e74fda7ba8cb6aedecf0c6f9dd1662a63f4c51f772058032f8eb0f39330
Instruction ID: 576ea9f09cb1a8157b3d105b645c86a7a99e9104c06a184d938e43e0c7852d27
Opcode Fuzzy Hash: d79c4e74fda7ba8cb6aedecf0c6f9dd1662a63f4c51f772058032f8eb0f39330
Instruction Fuzzy Hash: AE215E21A08E9742EB145B939E047BA63A9BF45BF4F4840B5DA4D17BA5EF3CE4958300

Function 00007FFE11EC8974 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC8998
Py_BuildValue.PYTHON311 ref: 00007FFE11EC89BA

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8A03
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8A17

Strings

EndDoctypeDecl, xrefs: 00007FFE11EC89CC

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$BuildCallErr_Object_OccurredValue
String ID: EndDoctypeDecl
API String ID: 1677464630-3017262571
Opcode ID: 56267da99f7f46cb6b54bced766cc3e329760953c7680eb73a88b59284aa4109
Instruction ID: 981dfa13408001bb2d1633c13c65e259e30b939a010ed5c6cb7d21bf26bd6cf1
Opcode Fuzzy Hash: 56267da99f7f46cb6b54bced766cc3e329760953c7680eb73a88b59284aa4109
Instruction Fuzzy Hash: 9D116A31A18E4282EB548F96AE0477A63A8BF45BB4F5841B5DA4D037A4DF3DE4458300

Function 00007FFE11EC88B8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC88D9
Py_BuildValue.PYTHON311 ref: 00007FFE11EC88F7

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC893D
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC8951

Strings

EndCdataSection, xrefs: 00007FFE11EC8909

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$BuildCallErr_Object_OccurredValue
String ID: EndCdataSection
API String ID: 1677464630-4040879477
Opcode ID: 7763d68e44867354b0986dafccaaa0a8a9b2a83968429e2a9df45a2e95ad3a30
Instruction ID: fd5864084930880007d8e0fe753797ac4967f93ba0a9819f15b89249976b3391
Opcode Fuzzy Hash: 7763d68e44867354b0986dafccaaa0a8a9b2a83968429e2a9df45a2e95ad3a30
Instruction Fuzzy Hash: 4F113731A08E4382EB509BA2AE047BA63B8BF45FB4F4801B5DA8D177A5DF3DE4458341

Function 00007FFE11EC8FB8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON311 ref: 00007FFE11EC8FD9
Py_BuildValue.PYTHON311 ref: 00007FFE11EC8FF7

Part of subcall function 00007FFE11EBB98C: PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC

_Py_Dealloc.PYTHON311 ref: 00007FFE11EC903D
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC9051

Strings

StartCdataSection, xrefs: 00007FFE11EC9009

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$BuildCallErr_Object_OccurredValue
String ID: StartCdataSection
API String ID: 1677464630-113579994
Opcode ID: 62eca9a9599ab21fed1b3beb81f00a1a0d815c8fb695054c03675e8efc047639
Instruction ID: c51283a8717cf92b0e8c2bf191f22bdae348c181e3f15356834328175105f479
Opcode Fuzzy Hash: 62eca9a9599ab21fed1b3beb81f00a1a0d815c8fb695054c03675e8efc047639
Instruction Fuzzy Hash: D4114F31A08E4282EB508B92AD0537A63A8FF44FA4F980175DE4D077B5EF3DE5858340

Function 00007FFE11ECC580 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35timeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FFE11ECC596
GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE11ECC5D7
GetCurrentProcessId.KERNEL32 ref: 00007FFE11ECC5E5

Strings

fallback(4), xrefs: 00007FFE11ECC5ED
rand_s, xrefs: 00007FFE11ECC5C9

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Time$CurrentFileProcessSystemrand_s
String ID: fallback(4)$rand_s
API String ID: 2124637630-25474216
Opcode ID: e4ca9bb7183159477e85330442c830f61963799a3a423287df70db553be7dc1c
Instruction ID: 96c1c26bccac540c43fb20adba03f411e1fe60312a713f7a8d8329ebd7208afc
Opcode Fuzzy Hash: e4ca9bb7183159477e85330442c830f61963799a3a423287df70db553be7dc1c
Instruction Fuzzy Hash: 1C017532A3C94286EB44CBA2ECD457B6369EBA4724F442075E54B464B4DE2CF498CB00

Function 00007FFE13303A60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FFE13303A6D
PyErr_NewException.PYTHON311 ref: 00007FFE13303A8A
PyModule_AddObjectRef.PYTHON311 ref: 00007FFE13303AA6

Strings

_hashlib.UnsupportedDigestmodError, xrefs: 00007FFE13303A7A
UnsupportedDigestmodError, xrefs: 00007FFE13303A9C

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Module_$Err_ExceptionObjectState
String ID: UnsupportedDigestmodError$_hashlib.UnsupportedDigestmodError
API String ID: 2341384915-1819944972
Opcode ID: cab25cee2ef474877533d6a272ae1fc29fafa22f63a0b338fcbf87a30af39434
Instruction ID: 5d696f4788c6810408d026b128b4b1a9a3dc964c29495ec49087981b61356779
Opcode Fuzzy Hash: cab25cee2ef474877533d6a272ae1fc29fafa22f63a0b338fcbf87a30af39434
Instruction Fuzzy Hash: 16F06D61718E428AEA128B2AE44017E23A4AF18BF0B585171DD3D267B4DF2CD0848708

Function 00007FF7BD3C8A50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7BD3C8A75
GetProcAddress.KERNEL32 ref: 00007FF7BD3C8A8B
FreeLibrary.KERNEL32 ref: 00007FF7BD3C8AB2

Strings

mscoree.dll, xrefs: 00007FF7BD3C8A6C
CorExitProcess, xrefs: 00007FF7BD3C8A84

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7b1d64ab01259317c918a4692f10d75b0eff9ac50a6035860a5edd4d678e03f2
Instruction ID: c647239916c546d9985f5d89d7f9e4c67baf5d8d49787aca7db6d191eab41ae8
Opcode Fuzzy Hash: 7b1d64ab01259317c918a4692f10d75b0eff9ac50a6035860a5edd4d678e03f2
Instruction Fuzzy Hash: 75F0312561D702C1EA186B18E854379D360AFAB7A1F980239C76D465F9EF2CD1498724

Function 00007FFDFB1A1064 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB3B16DF
memmove.VCRUNTIME140 ref: 00007FFDFB3B18C5

Strings

..\s\crypto\x509\x509_obj.c, xrefs: 00007FFDFB3B16C0, 00007FFDFB3B198F, 00007FFDFB3B19B3
0123456789ABCDEF, xrefs: 00007FFDFB3B18E4
NO X509_NAME, xrefs: 00007FFDFB3B16D2

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memmovestrncpy
String ID: ..\s\crypto\x509\x509_obj.c$0123456789ABCDEF$NO X509_NAME
API String ID: 3054264757-3422593365
Opcode ID: 2a13e74aeeda28ae24d471c2d973058ce87a4573439dfd2e625c5b86b5f17ddd
Instruction ID: 9a8d816de8a7cbecacc46cf52e7513c4dba7e46d6d54e4353e9d55074924b739
Opcode Fuzzy Hash: 2a13e74aeeda28ae24d471c2d973058ce87a4573439dfd2e625c5b86b5f17ddd
Instruction Fuzzy Hash: DBB1D422F5AA8786EB10AB55A460B7AB7D0FB44B8CF148035DA6D477EDCE7CE4058B00

Function 00007FFDFB1A1762 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 203COMMON

Download Yara Rule

Strings

$, xrefs: 00007FFDFB37FD73
..\s\crypto\rsa\rsa_sign.c, xrefs: 00007FFDFB37FC6D, 00007FFDFB37FCA0, 00007FFDFB37FCB7, 00007FFDFB37FD2B, 00007FFDFB37FD85, 00007FFDFB37FF0A, 00007FFDFB37FF27

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: $$..\s\crypto\rsa\rsa_sign.c
API String ID: 0-1864662394
Opcode ID: 8fbe36633cc90c93da8880bff56d1cee6c4dec6f08620a777a438a0f211b4450
Instruction ID: 09a0d29dbceb7eb199e82323951b94f34be8364feb4a99952037b238266cd1cd
Opcode Fuzzy Hash: 8fbe36633cc90c93da8880bff56d1cee6c4dec6f08620a777a438a0f211b4450
Instruction Fuzzy Hash: F691AE62B0E6C787E720AB15F560BBA62D0FB45B88F104035DAAD07BEADF7CE5458740

Function 00007FFDFB1A1ED3 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFDFB353131

Strings

Enter PEM pass phrase:, xrefs: 00007FFDFB353147
..\s\crypto\pem\pem_lib.c, xrefs: 00007FFDFB35317A, 00007FFDFB3531E3, 00007FFDFB3532CC
;, xrefs: 00007FFDFB353172

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\pem\pem_lib.c$;$Enter PEM pass phrase:
API String ID: 2162964266-3733131234
Opcode ID: 6cc576c22c478878ec6ca791cb9a6137f743475b9df210abaa33c7174fb92cd2
Instruction ID: 5b5083515d92be66305fe2ffe02a4cb54196daca1528ced6b0ad305717038448
Opcode Fuzzy Hash: 6cc576c22c478878ec6ca791cb9a6137f743475b9df210abaa33c7174fb92cd2
Instruction Fuzzy Hash: 09718362B1E68386E720EB61E460BAA7395FB84798F400135EB6E476DDDF3CE505CB40

Function 00007FFDFB1A158C Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 131COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FFDFB3E4ABF

Strings

TRUE, xrefs: 00007FFDFB3E17C9, 00007FFDFB3E17E2
FALSE, xrefs: 00007FFDFB3E17EB, 00007FFDFB3E1803
..\s\crypto\x509v3\v3_utl.c, xrefs: 00007FFDFB3E4A94, 00007FFDFB3E4AD0, 00007FFDFB3E4AED, 00007FFDFB3E4B49, 00007FFDFB3E4B74, 00007FFDFB3E4B89, 00007FFDFB3E4B9E
E, xrefs: 00007FFDFB3E4B41

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memchr
String ID: ..\s\crypto\x509v3\v3_utl.c$E$FALSE$TRUE
API String ID: 3297308162-1433594941
Opcode ID: a5fc59c9387210eb1afaa89b7669a569dfafa16f6a2f0790f0b1b6bf5b71d08e
Instruction ID: 7f798393286d969460e0c434aed28f5376cce52ef38708501296051ed5719d6d
Opcode Fuzzy Hash: a5fc59c9387210eb1afaa89b7669a569dfafa16f6a2f0790f0b1b6bf5b71d08e
Instruction Fuzzy Hash: 7E51CC22B0BA838AFB14AB529420B6962D0AF48B84F444036DE6D0B7FDDF7CF5558300

Function 00007FFE1A45A340 Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A3B9
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A3DB
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A3EA
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A421
DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A42C

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID:
API String ID: 826178784-0
Opcode ID: bce8ca39c1d4cdf7971423a01a1e8e868c385637c9e3d3eec5322708e8c4e6dd
Instruction ID: b029dc21146869ec79ed8f9616f236c7ab6478d00e32a27ae3c843548e7260f5
Opcode Fuzzy Hash: bce8ca39c1d4cdf7971423a01a1e8e868c385637c9e3d3eec5322708e8c4e6dd
Instruction Fuzzy Hash: 1A415AA2B08F9694EB10EB62D8940B82774BB15FA8F6444F3DA5D533A5DF38E465C300

Function 00007FF7BD3D8834 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7BD3D885C
_set_statfp.LIBCMT ref: 00007FF7BD3D8877
_set_statfp.LIBCMT ref: 00007FF7BD3D8893
_set_statfp.LIBCMT ref: 00007FF7BD3D88CF

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction ID: e3c27ec6b527f42052d3c2c9959b2106fffc2fe0b8eae23766fc3a14d1e34fa5
Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction Fuzzy Hash: 22114C22E1CA0391F65D312CE466375D0426FB6364EA80A38E77E072DFEE2C7941CB20

Function 00007FF7BD3CA9D0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3CA9EF
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3CAA0E
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3CAA36
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3CAA47
FlsSetValue.KERNEL32(?,?,?,00007FF7BD3C9BE3,?,?,00000000,00007FF7BD3C9E7E,?,?,?,?,?,00007FF7BD3C1A50), ref: 00007FF7BD3CAA58

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: af209601a09311a3587330aca2a21a13e881bea2e2d7b2dbe8accb447d71c115
Instruction ID: 59194b0d37bfc73cba979a393629374cb6b84439a0779f473ab1b6d942d507bb
Opcode Fuzzy Hash: af209601a09311a3587330aca2a21a13e881bea2e2d7b2dbe8accb447d71c115
Instruction Fuzzy Hash: 76114D14A0C342C2F99C7329A65127AE2415FA77E0F8C963CEA3E476DFFD2CA4118324

Function 00007FF7BD3CA864 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F), ref: 00007FF7BD3CA875
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F), ref: 00007FF7BD3CA894
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F), ref: 00007FF7BD3CA8BC
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F), ref: 00007FF7BD3CA8CD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7BD3D24C3,?,?,?,00007FF7BD3CCCFC,?,?,00000000,00007FF7BD3C387F), ref: 00007FF7BD3CA8DE

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 93f3b8861a56d932bc2e3a1539e3fbd9290d8e2a07b170c6c7e787ab1a2613e4
Instruction ID: 5c27a8d0a23a98b6fa89a3ff85655f900ec52981e6f314d4c528d8e6b6ca2180
Opcode Fuzzy Hash: 93f3b8861a56d932bc2e3a1539e3fbd9290d8e2a07b170c6c7e787ab1a2613e4
Instruction Fuzzy Hash: C311C810E0D30AC2F9AC72695852279D6424FAB3A0E9C563CDB3D5B2CBFD2CB4519735

Function 00007FFE148E1000 Relevance: 7.5, APIs: 5, Instructions: 35threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON311 ref: 00007FFE148E1019
UuidCreateSequential.RPCRT4 ref: 00007FFE148E1027
PyEval_RestoreThread.PYTHON311 ref: 00007FFE148E1032
PyErr_SetFromWindowsErr.PYTHON311 ref: 00007FFE148E104D
_Py_BuildValue_SizeT.PYTHON311 ref: 00007FFE148E1069

Memory Dump Source

Source File: 00000002.00000002.1740691190.00007FFE148E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000002.00000002.1740628690.00007FFE148E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1740718938.00007FFE148E2000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1740772023.00007FFE148E3000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000002.00000002.1740797470.00007FFE148E4000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe148e0000_PDF_Resave.jbxd

Similarity

API ID: Eval_Thread$BuildCreateErr_FromRestoreSaveSequentialSizeUuidValue_Windows
String ID:
API String ID: 170011378-0
Opcode ID: 6b100998d7ddf39f079f4caf39b09ff1818fa8c7589a3d9e3de9bb19b7a62f6b
Instruction ID: a714c42c2b35ab8aba1268966f814a52c2d80cf6a5c8c0c776e2e5432539866e
Opcode Fuzzy Hash: 6b100998d7ddf39f079f4caf39b09ff1818fa8c7589a3d9e3de9bb19b7a62f6b
Instruction Fuzzy Hash: 6201D821A18E4646EA109B52E4C4079A361FF8BBA0F440074FA4E13778DE3DE60C8700

Function 00007FFE11ECC8CC Relevance: 7.5, APIs: 5, Instructions: 28stringCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,00007FFE11ECA00B), ref: 00007FFE11ECC8D2
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE11ECA00B), ref: 00007FFE11ECC8E0
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,00007FFE11ECA00B), ref: 00007FFE11ECC8FC
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE11ECA00B), ref: 00007FFE11ECC904
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE11ECA00B), ref: 00007FFE11ECC91D

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: _errno$getenvstrtoul
String ID:
API String ID: 1872403029-0
Opcode ID: 3e97d55b2a3031ca8e4358d0765d4259702a99d34e6bc1f7ee7be820d9b91776
Instruction ID: 390f9fdb84e9cecdbeb4cffdc2bd433139e5ec20a4b247209b9936b78a1fa73b
Opcode Fuzzy Hash: 3e97d55b2a3031ca8e4358d0765d4259702a99d34e6bc1f7ee7be820d9b91776
Instruction Fuzzy Hash: 8AF01236E09B0287EF114BE29C4537A32A9AF45B71F4490B0D64D077A0DF7DE894C710

Function 00007FF7BD3CF228 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3CF507

Part of subcall function 00007FF7BD3D5504: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D5521

Strings

ccs, xrefs: 00007FF7BD3CF442
UTF-16LEUNICODE, xrefs: 00007FF7BD3CF4A5
UTF-8, xrefs: 00007FF7BD3CF486

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: c382c1c977a669aecc7822defb6d065999e88b5839408fc9f42df24ac2fd9b51
Instruction ID: 9cdd842acd2f923cff1bfc5d4412d29f831739f658cae44d336a9dfc89414a46
Opcode Fuzzy Hash: c382c1c977a669aecc7822defb6d065999e88b5839408fc9f42df24ac2fd9b51
Instruction Fuzzy Hash: 5A819232D0F342D5E76C6E2D8550278E790AB23788FD9407DCB099729FEA2EE5019321

Function 00007FFE1A454288 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4569C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4525CE), ref: 00007FFE1A4569CE

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A454407

Strings

csm, xrefs: 00007FFE1A4542D7
csm, xrefs: 00007FFE1A454441
, xrefs: 00007FFE1A454358

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: abort
String ID: $csm$csm
API String ID: 4206212132-1512788406
Opcode ID: 0334d4e6c50ab9b6f685e521b3ae1a91d89b048a29f68cf2dce9c00bf400fe87
Instruction ID: 1f72a46c834549d45eb11ed1d147bc08c03d31bb0ee9ea56f6e0bc8d4b14b8c4
Opcode Fuzzy Hash: 0334d4e6c50ab9b6f685e521b3ae1a91d89b048a29f68cf2dce9c00bf400fe87
Instruction Fuzzy Hash: 8F71B4B2708A9186D7209F26D44067D7BA1FB05FA8F1481B6DB4D0BAA6CF3CD571C701

Function 00007FF7BD3BD478 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7BD3BD4C4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7BD3BD513

Strings

MOC, xrefs: 00007FF7BD3BD4D8
RCC, xrefs: 00007FF7BD3BD4E1

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 9b170d5fd3c93297408b7667d730af6b03d447aa0970c9ad65c03f5590751db3
Instruction ID: 2491a4b6078eafa01a2e98c327d1514655d89949ec5a1c1c6e85c6e082fb8b79
Opcode Fuzzy Hash: 9b170d5fd3c93297408b7667d730af6b03d447aa0970c9ad65c03f5590751db3
Instruction Fuzzy Hash: 86618D36A08B45CAE7249F69E4403ADF7A0FB55B8CF44012AEF4E17B9ADB78E151C710

Function 00007FF7BD3BD7D4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7BD3BD7FC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7BD3BD8E4

Strings

csm, xrefs: 00007FF7BD3BD81E
csm, xrefs: 00007FF7BD3BD936

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 637ab8e9c70e0df228760242cb149b7cb456e558a6c876299bf740c7ea814677
Instruction ID: 053b6a667b65d02205ce1cb63a92c8b126f2bd286cac6245723587ee3abe6c53
Opcode Fuzzy Hash: 637ab8e9c70e0df228760242cb149b7cb456e558a6c876299bf740c7ea814677
Instruction Fuzzy Hash: A751A53290C641C6DB78AB19A140368F7A0EB66B84F984139EB9E47B9EDF3CE450C710

Function 00007FFE1A45F050 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A45F110
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A45EE15), ref: 00007FFE1A45F15F

Strings

f, xrefs: 00007FFE1A45F08E
csm, xrefs: 00007FFE1A45F0F6

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind
String ID: csm$f
API String ID: 451473138-629598281
Opcode ID: 94627d9c7195f9c36ee16ac86650ab8a4e652cd15aa300a0b5f08846187e0d97
Instruction ID: 7e831c63e7f39ba5bea0feed3d577344677cbe944ed3091fee3527b0d662808e
Opcode Fuzzy Hash: 94627d9c7195f9c36ee16ac86650ab8a4e652cd15aa300a0b5f08846187e0d97
Instruction Fuzzy Hash: FF51D1B6F09A0286DB14EB16E444A3937A5FB44FA8F1081F2EA1E43758DF39ED51C701

Function 00007FFE1A454060 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4569C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4525CE), ref: 00007FFE1A4569CE

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A454157
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A454167

Strings

csm, xrefs: 00007FFE1A4541B9
csm, xrefs: 00007FFE1A4540AA

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Frameabort$EmptyHandler3::StateUnwind
String ID: csm$csm
API String ID: 4108983575-3733052814
Opcode ID: d96c539858820a31a9c1340fe1861477bc26c032fcc487563b75466d3052f7d1
Instruction ID: 58992b9c435c5bbc932f50acbf3265273fe226f0ae3696863c92f27f8a329ed3
Opcode Fuzzy Hash: d96c539858820a31a9c1340fe1861477bc26c032fcc487563b75466d3052f7d1
Instruction Fuzzy Hash: 995174B6B08B4286EB649B12944427877A1FB55FA4F1441F7DA9D4BBA6CF3CE470CB00

Function 00007FFDFB1A2838 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

..\s\crypto\async\async.c, xrefs: 00007FFDFB26317F, 00007FFDFB2631CD, 00007FFDFB2631E6, 00007FFDFB26321C, 00007FFDFB263266, 00007FFDFB2632BC, 00007FFDFB2632DD, 00007FFDFB2632FB, 00007FFDFB263335, 00007FFDFB26335A
T, xrefs: 00007FFDFB2632F3

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: ..\s\crypto\async\async.c$T
API String ID: 0-2182492907
Opcode ID: d429df3d22b628225212d233b30d019ad47286c3daee9723a66c5744efd77ded
Instruction ID: bf106e025ae16d82291163fa321f049f98aceed43dcf0bfded20e0170c4b1da3
Opcode Fuzzy Hash: d429df3d22b628225212d233b30d019ad47286c3daee9723a66c5744efd77ded
Instruction Fuzzy Hash: 2751BF32B0A64386E724AB65D460AB977A1EF84B84F004031DA6D4BBFDDF3CF5188740

Function 00007FFE1A45AAD8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45AB32

Strings

%lf, xrefs: 00007FFE1A45AB6D, 00007FFE1A45ABA1, 00007FFE1A45ABD1

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: NameName::
String ID: %lf
API String ID: 1333004437-2891890143
Opcode ID: ce39b8ddb33b1742c1c733f8d1258caa8bc8f3cdabe38b30e72aebe8897d44a3
Instruction ID: ce0494d6ca2f1158f8dd5910f0907ff8ce922109df9029a0d76a768f3fce7af2
Opcode Fuzzy Hash: ce39b8ddb33b1742c1c733f8d1258caa8bc8f3cdabe38b30e72aebe8897d44a3
Instruction Fuzzy Hash: C431D3A1B08F8685E621EB13A8510B9B360BF45FA0F4481F7EA6E57771DF3CE1658740

Function 00007FFDFB1A4E9E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

Strings

BIO[%p]: , xrefs: 00007FFDFB26CA62
bio callback - unknown type (%d), xrefs: 00007FFDFB26CC69

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: BIO[%p]: $bio callback - unknown type (%d)
API String ID: 0-3830480438
Opcode ID: 37402eaaac69d4977c204fa2d8aacd64ee20ba5ad1b9fa36187e989d609f7c14
Instruction ID: acd48971cdfbf3ba7f83f04186f6f04735a4d2818944521678bb961ca12ccba5
Opcode Fuzzy Hash: 37402eaaac69d4977c204fa2d8aacd64ee20ba5ad1b9fa36187e989d609f7c14
Instruction Fuzzy Hash: 58312863B0A68346FB119B59AC60FBA6755BF89788F504131EE1E877E9EE3CE445C200

Function 00007FFDFB1A3846 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82COMMON

Download Yara Rule

Strings

host=, xrefs: 00007FFDFB269DCE
..\s\crypto\bio\b_sock.c, xrefs: 00007FFDFB269CDA, 00007FFDFB269D5D
J, xrefs: 00007FFDFB269D55

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: ..\s\crypto\bio\b_sock.c$J$host=
API String ID: 0-1729655730
Opcode ID: 941f2fbceea9f6781c3ad95e534017a9b341198856a0048fa999bb3705f921b3
Instruction ID: cde7727360e0aa5638d33a08f2593e7975f163d5cff832fea9ed28043a13e077
Opcode Fuzzy Hash: 941f2fbceea9f6781c3ad95e534017a9b341198856a0048fa999bb3705f921b3
Instruction Fuzzy Hash: 69318E22B0964286EB109B55F460AAEA364FB85794F400035EBAC87BEEDE3DE5558B00

Function 00007FFE11EC8458 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

PyTuple_New.PYTHON311 ref: 00007FFE11EC8479
Py_BuildValue.PYTHON311 ref: 00007FFE11EC84DE
_Py_Dealloc.PYTHON311 ref: 00007FFE11EC850E

Strings

(iiO&N), xrefs: 00007FFE11EC84CB

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: BuildDeallocTuple_Value
String ID: (iiO&N)
API String ID: 2051921541-152595445
Opcode ID: 7823d2b72ccc724d5a661d7deb3397bc2856816dbaecbfd8ca80badbcaec080f
Instruction ID: 5c4faa818bb18f2d1cb2e1ea3db5eac208e733bcef270944315d04223f543e0e
Opcode Fuzzy Hash: 7823d2b72ccc724d5a661d7deb3397bc2856816dbaecbfd8ca80badbcaec080f
Instruction Fuzzy Hash: 16213B32A04F4286EB24CB96ED4056AB7A8FB58BA0B494575DA9E43B74DF3CF441C740

Function 00007FFDFB1A139D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FFDFB26AB10
WSAGetLastError.WS2_32 ref: 00007FFDFB26AB1B

Strings

2, xrefs: 00007FFDFB26AB45
..\s\crypto\bio\b_sock2.c, xrefs: 00007FFDFB26AB31, 00007FFDFB26AB4D

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: ErrorLastsocket
String ID: ..\s\crypto\bio\b_sock2.c$2
API String ID: 1120909799-2051290508
Opcode ID: b87478d39e550b6278b10c6495ad9d7c2480af2d970ddb1f34380d70319f0b12
Instruction ID: 884f1c7849c75b6f1f4541bc5a9b24cd90feb00333cdeb65c00f2471137a98ba
Opcode Fuzzy Hash: b87478d39e550b6278b10c6495ad9d7c2480af2d970ddb1f34380d70319f0b12
Instruction Fuzzy Hash: 8401E932B0919386E3109B25E4209AE6265FB407A8F204231E27C87AE9CF3CE9158B80

Function 00007FF7BD3B2CD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7BD3B27C9,?,?,?,?,?,?), ref: 00007FF7BD3B2D01

Part of subcall function 00007FF7BD3B1CB0: GetLastError.KERNEL32(?,?,00000000,00007FF7BD3B6914,?,?,?,?,?,?,?,?,?,?,?,00007FF7BD3B1023), ref: 00007FF7BD3B1CD7

Strings

Failed to get executable path., xrefs: 00007FF7BD3B2D0B
Failed to convert executable path to UTF-8., xrefs: 00007FF7BD3B2D3A
GetModuleFileNameW, xrefs: 00007FF7BD3B2D12

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-1977442011
Opcode ID: 03418fa9b2e628d931ab4da9c5673be06a47612831d463e21a3e8fef2e510276
Instruction ID: 27384000befb7e05524c57c3c5200b51ba7d392859e3654e7c3acc8a16e0f3ef
Opcode Fuzzy Hash: 03418fa9b2e628d931ab4da9c5673be06a47612831d463e21a3e8fef2e510276
Instruction Fuzzy Hash: 4D017520B1D642D1FA69B728D4553B5E251AF7A380FC0003DEA4D872AFFE1CE145C724

Function 00007FFE1A452630 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4569C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4525CE), ref: 00007FFE1A4569CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45266E

Strings

MOC, xrefs: 00007FFE1A452648
RCC, xrefs: 00007FFE1A452640
csm, xrefs: 00007FFE1A452650

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: abortterminate
String ID: MOC$RCC$csm
API String ID: 661698970-2671469338
Opcode ID: e63037d86fd6ed08c01758bd2d278b6a49b1453d2f75febe4acf0c3d16fc865e
Instruction ID: 1406a3691859c820e7c6b7b2eb8b42ec6b3705f1f4027804d61b479fb79fc8c7
Opcode Fuzzy Hash: e63037d86fd6ed08c01758bd2d278b6a49b1453d2f75febe4acf0c3d16fc865e
Instruction Fuzzy Hash: 5FF03CB2A18A0682E7506B66A18117877A4EF48F64F0951F3DB4806266CF3CD4B0CA41

Function 00007FFE13305F50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

HMAC_CTX_get_md.LIBCRYPTO-1_1 ref: 00007FFE13305F61

Part of subcall function 00007FFE13302B10: EVP_MD_type.LIBCRYPTO-1_1(?,?,?,00007FFE13302A4F), ref: 00007FFE13302B16
Part of subcall function 00007FFE13302B10: OBJ_nid2ln.LIBCRYPTO-1_1(?,?,?,00007FFE13302A4F), ref: 00007FFE13302B41

PyUnicode_FromFormat.PYTHON311 ref: 00007FFE13305F84
_Py_Dealloc.PYTHON311 ref: 00007FFE13305F96

Strings

<%U HMAC object @ %p>, xrefs: 00007FFE13305F7A

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: D_typeDeallocFormatFromJ_nid2lnUnicode_X_get_md
String ID: <%U HMAC object @ %p>
API String ID: 3107003933-749664232
Opcode ID: 823f7f4223b6ea06d6d4820c057e660dc204683fd4f0f0d394d23a59cb4c9db1
Instruction ID: 484be0da5edbf146bc4132642b7f1770439c00ad417ac1d8a7715f2442c7b8d3
Opcode Fuzzy Hash: 823f7f4223b6ea06d6d4820c057e660dc204683fd4f0f0d394d23a59cb4c9db1
Instruction Fuzzy Hash: 72F0A021B09F4289EE059B27F90417D63A0AF68FE0B480470ED2E277B4DE3CE4408308

Function 00007FFE13305844 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

HMAC_CTX_get_md.LIBCRYPTO-1_1 ref: 00007FFE1330584E

Part of subcall function 00007FFE13302B10: EVP_MD_type.LIBCRYPTO-1_1(?,?,?,00007FFE13302A4F), ref: 00007FFE13302B16
Part of subcall function 00007FFE13302B10: OBJ_nid2ln.LIBCRYPTO-1_1(?,?,?,00007FFE13302A4F), ref: 00007FFE13302B41

PyUnicode_FromFormat.PYTHON311 ref: 00007FFE13305873
_Py_Dealloc.PYTHON311 ref: 00007FFE13305885

Strings

hmac-%U, xrefs: 00007FFE1330586C

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: D_typeDeallocFormatFromJ_nid2lnUnicode_X_get_md
String ID: hmac-%U
API String ID: 3107003933-3757664071
Opcode ID: 38543325c9a58b19710b73aaee43961f9cfd1a21f3fd3a664d110f44dce9644c
Instruction ID: fb2036c386526f9938cf719e274a4a12c4e5c08f6bd0f543429df85c673b50a1
Opcode Fuzzy Hash: 38543325c9a58b19710b73aaee43961f9cfd1a21f3fd3a664d110f44dce9644c
Instruction Fuzzy Hash: B4F06521F19E06C5EE199B67E85417C6391BF68BE1B481470DD2E277B4DE2CE0418348

Function 00007FFDFB3C9C10 Relevance: 6.5, APIs: 5, Instructions: 232COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFDFB3CA323), ref: 00007FFDFB3C9DA5
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFDFB3CA323), ref: 00007FFDFB3C9DBD
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFDFB3CA323), ref: 00007FFDFB3C9DD5
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFDFB3CA323), ref: 00007FFDFB3C9E11
memcmp.VCRUNTIME140(?,?,?,00000000,?,00007FFDFB3CA323), ref: 00007FFDFB3C9EF6

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: ca894cce3bd78d2642ea1bcb458eb66fcd1cc6eb7eacde8df9891b13e2823d55
Instruction ID: 0ba404c9d708b7a499d51352c8edab62d19b103275ed0af18fdd4a51c1285d8b
Opcode Fuzzy Hash: ca894cce3bd78d2642ea1bcb458eb66fcd1cc6eb7eacde8df9891b13e2823d55
Instruction Fuzzy Hash: E891B5B2F4A65386FB11ABA6C9609BD23E5BF41788F415131DE1D5BAEDEE38E405C300

Function 00007FFDFB1A643D Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 395COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFDFB38790D
memset.VCRUNTIME140 ref: 00007FFDFB387979

Strings

..\s\crypto\sm2\sm2_crypt.c, xrefs: 00007FFDFB387946, 00007FFDFB387984, 00007FFDFB387998, 00007FFDFB3879B0, 00007FFDFB387A13, 00007FFDFB387A5A, 00007FFDFB387A82, 00007FFDFB387AC7, 00007FFDFB387AE3, 00007FFDFB387AF5, 00007FFDFB387B15, 00007FFDFB387B70, 00007FFDFB387E5B, 00007FFDFB387EA3, 00007FFDFB387ECD, 00007FFDFB387EFC
@, xrefs: 00007FFDFB387C9A

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memset
String ID: ..\s\crypto\sm2\sm2_crypt.c$@
API String ID: 2221118986-485510600
Opcode ID: 59937788e76babb823402f7aa2bb2dcd071829aef404cc5ed2f3e2b9851a66de
Instruction ID: c86b759d7430b95b5fbdf90c51fe496e166ed867e3d9125e38b5d04dfb03c5d8
Opcode Fuzzy Hash: 59937788e76babb823402f7aa2bb2dcd071829aef404cc5ed2f3e2b9851a66de
Instruction Fuzzy Hash: 7A029333B4AB8386EB20EB55E4609B967A1FB85B84F408135DA9C077E9DF3DE505CB40

Function 00007FF7BD3CBBE0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7BD3CBC5F
WriteFile.KERNEL32 ref: 00007FF7BD3CBF27
WriteFile.KERNEL32 ref: 00007FF7BD3CBF6D
GetLastError.KERNEL32 ref: 00007FF7BD3CC023

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 89395c3cea06f18251b83f2629999b57cc62c4450565b522e677bf7b2279916c
Instruction ID: a9cb4ea5f669012141e1e3486195a00278acf6da7f37215adf90e947c09d2117
Opcode Fuzzy Hash: 89395c3cea06f18251b83f2629999b57cc62c4450565b522e677bf7b2279916c
Instruction Fuzzy Hash: ECD1F072B08B85C9E714DF69D4401ACB7B1FB25798B884239CF4E57B9AEE38E046C710

Function 00007FFDFB1A3832 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

), xrefs: 00007FFDFB32A8FB
..\s\crypto\evp\p5_crpt.c, xrefs: 00007FFDFB32A60C, 00007FFDFB32A6B6, 00007FFDFB32A8A5, 00007FFDFB32A8D4, 00007FFDFB32A903

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: )$..\s\crypto\evp\p5_crpt.c
API String ID: 0-3563398421
Opcode ID: 3447cb7305a06ee0e73fa9c8685d2ef131f742793ef80daca158727beab2407e
Instruction ID: 30d59bb6838dc12fa6723c8a85c04db02f2638dcf00bfe2f7ebf3d35f85597b5
Opcode Fuzzy Hash: 3447cb7305a06ee0e73fa9c8685d2ef131f742793ef80daca158727beab2407e
Instruction Fuzzy Hash: D1918362F4E28787FB20AB25A420ABA6394EF85784F444131DE6D4B6EDDF3CF5458700

Function 00007FFE1A45A058 Relevance: 6.2, APIs: 4, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C81D
Part of subcall function 00007FFE1A45C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C856
Part of subcall function 00007FFE1A45C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CB83

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A1B3
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A212
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A244
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A254

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+
String ID:
API String ID: 2943138195-0
Opcode ID: 648336d396e82ff845145f22116d02ab074a94aa94e21a1e761fb2f6b175ab31
Instruction ID: 7cffc8259f363674fcbccbc7fddc10bcbe89d4e6fa2fc52a99d6043b0db07be4
Opcode Fuzzy Hash: 648336d396e82ff845145f22116d02ab074a94aa94e21a1e761fb2f6b175ab31
Instruction Fuzzy Hash: AD9159A2F08B9289FB119B62D8453BC27B1BB04B28F5480F7DA4D576A5DF3CA865C340

Function 00007FF7BD3CE96C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7BD3CEA5C
_get_daylight.LIBCMT ref: 00007FF7BD3CEA6D
_get_daylight.LIBCMT ref: 00007FF7BD3CEA7E
_isindst.LIBCMT ref: 00007FF7BD3CEB49

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 7c116d52e869d70fe36170fafcd4453455d7a89aa2c255f713b58b82420c40e6
Instruction ID: b3e3ed580e8b1492829c924ad517ca4eaa5adbd984c187ed48e21132101f0ad5
Opcode Fuzzy Hash: 7c116d52e869d70fe36170fafcd4453455d7a89aa2c255f713b58b82420c40e6
Instruction Fuzzy Hash: BA51F972F0D311CAEB1CEF28995167CE765AB21359F94013DEF1E636DAEB38A4118710

Function 00007FFDFB1A153C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFDFB2AFB95
memmove.VCRUNTIME140 ref: 00007FFDFB2AFC43
memmove.VCRUNTIME140 ref: 00007FFDFB2AFCCD

Strings

..\s\crypto\ct\ct_oct.c, xrefs: 00007FFDFB2AFAC5, 00007FFDFB2AFBBD, 00007FFDFB2AFBDB, 00007FFDFB2AFC57, 00007FFDFB2AFC73, 00007FFDFB2AFC9D, 00007FFDFB2AFCB5

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memmove
String ID: ..\s\crypto\ct\ct_oct.c
API String ID: 2162964266-1972679481
Opcode ID: 30f54181be1fc9f89472802893a00c732398e9ac6cccc628088a92dc21b80f1c
Instruction ID: 1ebe675179b90036c8e8c0784d6c02a0225b29fdb9ccf35a943a9a48aff63878
Opcode Fuzzy Hash: 30f54181be1fc9f89472802893a00c732398e9ac6cccc628088a92dc21b80f1c
Instruction Fuzzy Hash: 4971D362B0E69399E711CF26C0205BC3B71EB15B88F144132DEAD8B7EADE2CE655C700

Function 00007FFDFB253690 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 155stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB253753
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB25376B
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB253788

Strings

content-type, xrefs: 00007FFDFB25369A

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strncmp
String ID: content-type
API String ID: 1114863663-3266185539
Opcode ID: bf53f0bda5b18ea8a6db5564624a96e5e23242bcbab55d1f3e52cd3e6e3dc342
Instruction ID: b863f3c4b89ce2e80c482edf5d1890067b2cdd7990dd16cbccca29dc1557caeb
Opcode Fuzzy Hash: bf53f0bda5b18ea8a6db5564624a96e5e23242bcbab55d1f3e52cd3e6e3dc342
Instruction Fuzzy Hash: 71511852F2E64341FB249726A5B0BBA5294BF45B9CF442630DD7EC76EDDE2CE5018300

Function 00007FFE1A45A814 Relevance: 6.1, APIs: 4, Instructions: 133COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE1A45A8C6
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A8D6
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A8F3

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 98efd56155e24b1ceec94087ea0ccb087ffd731ce7e45ec66b02000ff67e82c1
Instruction ID: a1e437d170aa1544db8bc42d17c7c28063bf885a19cfb1ec2374dab86c07ae47
Opcode Fuzzy Hash: 98efd56155e24b1ceec94087ea0ccb087ffd731ce7e45ec66b02000ff67e82c1
Instruction Fuzzy Hash: 055179B2B18F6689E711DF22D8443BC37A0BB44F64F1448B2DA1D477A5DF38A460C740

Function 00007FF7BD3C484C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF7BD3C487F
GetFileInformationByHandle.KERNEL32 ref: 00007FF7BD3C48E1
GetLastError.KERNEL32 ref: 00007FF7BD3C4972
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF7BD3C4784), ref: 00007FF7BD3C49BE

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 1de9790e05870a994c8cd512dc0bf73c5d0095e8d25e0a1662523fa2deb398d1
Instruction ID: e3dfa5a85605567d9155ec7b302fe11245d513346fec6761870e2eb321187fbd
Opcode Fuzzy Hash: 1de9790e05870a994c8cd512dc0bf73c5d0095e8d25e0a1662523fa2deb398d1
Instruction Fuzzy Hash: D8519F22A0C752C5FB58EF68D4503BDA3A1AB66B48F548538DF4D5768EEF38E4808720

Function 00007FFE1A45CC48 Relevance: 6.1, APIs: 4, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45E72C: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE1A45E786

Part of subcall function 00007FFE1A45C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C81D
Part of subcall function 00007FFE1A45C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45C856
Part of subcall function 00007FFE1A45C78C: DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CB83

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CCC6
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CCD5
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CD52
DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45CD61

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+$Replicator::operator[]
String ID:
API String ID: 3863519203-0
Opcode ID: 59a8e1a8bea4fa0d3053ac7b282f3cf586ef513a0d49dabd13085b0ba4a6c699
Instruction ID: 808aaa399ed648a811891340229277dda68c3743c18f443813332c5838aa8627
Opcode Fuzzy Hash: 59a8e1a8bea4fa0d3053ac7b282f3cf586ef513a0d49dabd13085b0ba4a6c699
Instruction Fuzzy Hash: FE4164B2B08B8589EB01DF65D8403BC3BB0BB45B68F5481B6DA4D97769DF3C9861C740

Function 00007FFE11EB1420 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

PyDescr_NewGetSet.PYTHON311(?,?,?,00007FFE11EB1057), ref: 00007FFE11EB1488
PyDict_SetDefault.PYTHON311(?,?,?,00007FFE11EB1057), ref: 00007FFE11EB14A7
_Py_Dealloc.PYTHON311(?,?,?,00007FFE11EB1057), ref: 00007FFE11EC08B5
_Py_Dealloc.PYTHON311(?,?,?,00007FFE11EB1057), ref: 00007FFE11EC08CD

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$DefaultDescr_Dict_
String ID:
API String ID: 2801783965-0
Opcode ID: 0cb0a0d7c4dba4ba2394bbe7a91d855d4f8c3687e99bccf36430c39352716f8a
Instruction ID: 90353a2f780a4263c7e878e93e8c442a1cb473e77eb4b72ee85e1ae7fe7684f9
Opcode Fuzzy Hash: 0cb0a0d7c4dba4ba2394bbe7a91d855d4f8c3687e99bccf36430c39352716f8a
Instruction Fuzzy Hash: DA213736A09F4285EB548B96EC4026A33A8FB49FB1F595176DA4E43760EF3CE481C344

Function 00007FFDFB1A1C76 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFB35675A

Strings

DH PARAMETERS, xrefs: 00007FFDFB35670B
X9.42 DH PARAMETERS, xrefs: 00007FFDFB356749
..\s\crypto\pem\pem_pkey.c, xrefs: 00007FFDFB356784, 00007FFDFB3567A9, 00007FFDFB3567C0

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: strcmp
String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
API String ID: 1004003707-3633731555
Opcode ID: 4572dd0f7fa3ae89848ab64a9b5a8af87d8caaf2ece5ebb710d7e1f4848d8ae1
Instruction ID: eb055c88ce7867ca77b52f1b355b93ed4cec744862b4b56b4a92304a7123e51d
Opcode Fuzzy Hash: 4572dd0f7fa3ae89848ab64a9b5a8af87d8caaf2ece5ebb710d7e1f4848d8ae1
Instruction Fuzzy Hash: 5221A922B0AA4781EB10EB55E4209A963A4FF84798F404031EA9C477EDDF7DF154CB00

Function 00007FFDFB1A440D Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FFDFB3788AB
memmove.VCRUNTIME140 ref: 00007FFDFB3788BF

Strings

..\s\crypto\rsa\rsa_none.c, xrefs: 00007FFDFB37887D
$, xrefs: 00007FFDFB378884

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memmovememset
String ID: $$..\s\crypto\rsa\rsa_none.c
API String ID: 1288253900-779172340
Opcode ID: de5f583c7a3756590fc2426c2a0cc6b33ad44590f8bf8e756a1bf535920b5d69
Instruction ID: b7ddf763a9f9465602fcf8bcee3a5834d2f4e0f5f8b3d9e340d431076dc132a2
Opcode Fuzzy Hash: de5f583c7a3756590fc2426c2a0cc6b33ad44590f8bf8e756a1bf535920b5d69
Instruction Fuzzy Hash: B301F122F1924387E710EF26A9504A9A7A1EB84780F188530FB6C07BEECF3CE1058700

Function 00007FFE11EB2098 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

PyLong_FromLong.PYTHON311(?,?,-00000001,00007FFE11EB2036), ref: 00007FFE11EB20B0
PyObject_SetAttrString.PYTHON311(?,?,-00000001,00007FFE11EB2036), ref: 00007FFE11EB20C7
_Py_Dealloc.PYTHON311(?,?,-00000001,00007FFE11EB2036), ref: 00007FFE11EC0C1F
_Py_Dealloc.PYTHON311(?,?,-00000001,00007FFE11EB2036), ref: 00007FFE11EC0C37

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$AttrFromLongLong_Object_String
String ID:
API String ID: 391580422-0
Opcode ID: 9a338a268811a4e858a024dc520ceb1571b8b14ee28904e10b92bbda1fa405e7
Instruction ID: 3b80a09af79439dd5c6a1a30984613c57673a74206d77f82e6ed1118cdd50c4b
Opcode Fuzzy Hash: 9a338a268811a4e858a024dc520ceb1571b8b14ee28904e10b92bbda1fa405e7
Instruction Fuzzy Hash: B7012C31A1EF4382EF144B97AC0013A6299AF49FB0F585571E94E577B4DE2CE482C304

Function 00007FF7BD3BA920 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7BD3BA94C
GetCurrentThreadId.KERNEL32 ref: 00007FF7BD3BA95A
GetCurrentProcessId.KERNEL32 ref: 00007FF7BD3BA966
QueryPerformanceCounter.KERNEL32 ref: 00007FF7BD3BA976

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: be9da76585353bf4ff120931e3f5bbaf95a19439f17c7ee9af2afa7da57e9186
Instruction ID: 6288fe12811421a8e06ab3f27ac4ff6fb891c1ad4a21f938270666553730db28
Opcode Fuzzy Hash: be9da76585353bf4ff120931e3f5bbaf95a19439f17c7ee9af2afa7da57e9186
Instruction Fuzzy Hash: D7114F22B18F01CAEB00DF64E8542A8B3A4F729758F840D35DB6D477A9EF78D1548350

Function 00007FFE11EBF4F8 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

PyModule_GetState.PYTHON311 ref: 00007FFE11EBF506
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBF551
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBF559
_Py_Dealloc.PYTHON311 ref: 00007FFE11EBF561

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Dealloc$Module_State
String ID:
API String ID: 3434497292-0
Opcode ID: 292c251840d4f5b8aa219338b90566aef11cb9e2afb7bce25e29caef6a64fe2b
Instruction ID: 4bb7223db6d382b2fe98d4aee4d2bf98348d40269e02870ded3554dad88b7632
Opcode Fuzzy Hash: 292c251840d4f5b8aa219338b90566aef11cb9e2afb7bce25e29caef6a64fe2b
Instruction Fuzzy Hash: F301D676D0AD0382EB598FF69C5833A22A8BF44F24F1855B2C91E055B08F2EAD818316

Function 00007FFE13302460 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

EVP_MD_CTX_md.LIBCRYPTO-1_1 ref: 00007FFE1330246A
EVP_MD_type.LIBCRYPTO-1_1 ref: 00007FFE13302473
OBJ_nid2ln.LIBCRYPTO-1_1 ref: 00007FFE13304F2A
OBJ_nid2sn.LIBCRYPTO-1_1 ref: 00007FFE13304F3B

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: D_typeJ_nid2lnJ_nid2snX_md
String ID:
API String ID: 1665016204-0
Opcode ID: ed77c7e200b5a299f4367d3d5b17755c8672caa46e550946c74c720bbe9b0c91
Instruction ID: 180dda91b5648a1aecfe912491c486ecec372a01cce43197735d5fbc8a8e650a
Opcode Fuzzy Hash: ed77c7e200b5a299f4367d3d5b17755c8672caa46e550946c74c720bbe9b0c91
Instruction Fuzzy Hash: 0801C921E09E028AFF5A5B62985433D22A0AF68B76F1415B9C52E653F1DF3CA4858348

Function 00007FFE13302860 Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

_PyObject_New.PYTHON311(?,?,?,00007FFE13302826), ref: 00007FFE13302866
EVP_MD_CTX_new.LIBCRYPTO-1_1(?,?,?,00007FFE13302826), ref: 00007FFE1330287C
_Py_Dealloc.PYTHON311(?,?,?,00007FFE13302826), ref: 00007FFE13305129
PyErr_NoMemory.PYTHON311(?,?,?,00007FFE13302826), ref: 00007FFE1330512F

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: DeallocErr_MemoryObject_X_new
String ID:
API String ID: 30467670-0
Opcode ID: ff40f30a92d5eed2e742e76349bf853d5a257016a328a92baeabcb4a8d59bfb5
Instruction ID: 667bf0405b650e40888ea38738b5c4f7fb58dfec7cbb91be58c0c89a0b76d244
Opcode Fuzzy Hash: ff40f30a92d5eed2e742e76349bf853d5a257016a328a92baeabcb4a8d59bfb5
Instruction Fuzzy Hash: B0F0C025D1DF0389FF6A5B63A84433C22A4AF29B62F0C14B4C92E653B0DF3CA4548358

Function 00007FFE13305E74 Relevance: 6.0, APIs: 4, Instructions: 21threadCOMMON

Download Yara Rule

APIs

PyThread_free_lock.PYTHON311 ref: 00007FFE13305E8E
HMAC_CTX_free.LIBCRYPTO-1_1 ref: 00007FFE13305E98
PyObject_Free.PYTHON311 ref: 00007FFE13305EA1
_Py_Dealloc.PYTHON311 ref: 00007FFE13305EB0

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: DeallocFreeObject_Thread_free_lockX_free
String ID:
API String ID: 133976240-0
Opcode ID: 57730f3bc79dfce44f660b9b0e6df719bd62e154393204126429c72edc4f63f9
Instruction ID: b82d12141f49e4b8e93a08f3514cc9d274ee113f8e69e6c34aed9f990f67eb43
Opcode Fuzzy Hash: 57730f3bc79dfce44f660b9b0e6df719bd62e154393204126429c72edc4f63f9
Instruction Fuzzy Hash: 4DE0C035A19E42C9FB199F67E55407D2320EF58FA5B185070DE6E16274CF3CD495C348

Function 00007FFDFB1A6A23 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 330COMMON

Download Yara Rule

Strings

..\s\crypto\engine\eng_ctrl.c, xrefs: 00007FFDFB301859, 00007FFDFB30192C, 00007FFDFB30199D, 00007FFDFB301A2E, 00007FFDFB301B13, 00007FFDFB301B51, 00007FFDFB301B72, 00007FFDFB301B92, 00007FFDFB301BB6, 00007FFDFB301BD4, 00007FFDFB301BFC, 00007FFDFB301C2C, 00007FFDFB301C4E
b, xrefs: 00007FFDFB301A26

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID:
String ID: ..\s\crypto\engine\eng_ctrl.c$b
API String ID: 0-1836817417
Opcode ID: 2f64efd3c35e40f30812e63d939679b1a2fc46fb0eca14743626378916f2d28d
Instruction ID: 5cd106947d015be296decfd18a45a7b125747a9df5399258be1518fbbfaf1e4b
Opcode Fuzzy Hash: 2f64efd3c35e40f30812e63d939679b1a2fc46fb0eca14743626378916f2d28d
Instruction Fuzzy Hash: C1E18222B4EA4383F7649B11D520B7936A1BF84788F184135EAAD07AEDCF3CF9459741

Function 00007FF7BD3D4DCC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7BD3D0930: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3D0963

_get_daylight.LIBCMT ref: 00007FF7BD3D4EE4
_get_daylight.LIBCMT ref: 00007FF7BD3D4EF5

Strings

?, xrefs: 00007FF7BD3D4E75

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: d9780ce076add9e9831f1cfb185e72a00ff476f32ad1e0024c6e5aca1437e75c
Instruction ID: d17d9ba8bb0e8347fdc6c9ddac3e3dc2d5c432fb368b4154733dda25059e991a
Opcode Fuzzy Hash: d9780ce076add9e9831f1cfb185e72a00ff476f32ad1e0024c6e5aca1437e75c
Instruction Fuzzy Hash: 3341D812A1C38395FB686729A451379D650EBA2BA4F544239EF5C07ADEFE3CD441CB10

Function 00007FFDFB1A2748 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 118COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFB24A592

Strings

%04d%02d%02d%02d%02d%02dZ, xrefs: 00007FFDFB24A698
%02d%02d%02d%02d%02d%02dZ, xrefs: 00007FFDFB24A6A5

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: _time64
String ID: %02d%02d%02d%02d%02d%02dZ$%04d%02d%02d%02d%02d%02dZ
API String ID: 1670930206-2648760357
Opcode ID: 4f01d9f861e9c6c8f70647b046dc82b808f72db07d97631f436a9c698cc874c8
Instruction ID: 1ad08c35f579d7e45ae1cf077c7b430c292fae4d404f848a316af32f89027961
Opcode Fuzzy Hash: 4f01d9f861e9c6c8f70647b046dc82b808f72db07d97631f436a9c698cc874c8
Instruction Fuzzy Hash: 4B519372F097828AE760DF18E45066AB7A0FB8A744F544131EA9D87BADDF3CE5408F00

Function 00007FFDFB1A1613 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFDFB26691E
getaddrinfo.WS2_32 ref: 00007FFDFB26695F

Strings

..\s\crypto\bio\b_addr.c, xrefs: 00007FFDFB26698C, 00007FFDFB2669D3, 00007FFDFB2669FF

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: getaddrinfo
String ID: ..\s\crypto\bio\b_addr.c
API String ID: 300660673-2547254400
Opcode ID: a2c99f71c7972fb3b7ba828c59694e00382d0b8ec626129309ba30accd8ab733
Instruction ID: dd2f73f51ec438dfea23aa656f9fe1133f9f0da079aece3d0b5a6fa913ebca8d
Opcode Fuzzy Hash: a2c99f71c7972fb3b7ba828c59694e00382d0b8ec626129309ba30accd8ab733
Instruction Fuzzy Hash: F6410772B196838BE7119B22A850AF9B791FB84744F004135EA9987BE9DF3CE8458F40

Function 00007FFE1A4549B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A4569C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4525CE), ref: 00007FFE1A4569CE

_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A454A86
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A454AE4

Strings

csm, xrefs: 00007FFE1A454B8A

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: abort$CreateFrameInfo
String ID: csm
API String ID: 2697087660-1018135373
Opcode ID: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
Instruction ID: ddd726ff11c4f69a2b64972a1da2433f4786721e8ed4bd159520cc3cc2a0e7ae
Opcode Fuzzy Hash: 5e4671b1cbff3658d511699c3cf653202505efa909c7ec854f7fa1af4338784c
Instruction Fuzzy Hash: 20511CB6718B4186E660AB16E44027E77B4F788FA0F1405B6DB8D07B66DF3CE465CB40

Function 00007FF7BD3C7FE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3C8012

Part of subcall function 00007FF7BD3C9F88: HeapFree.KERNEL32(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9F9E
Part of subcall function 00007FF7BD3C9F88: GetLastError.KERNEL32(?,?,?,00007FF7BD3D1ED2,?,?,?,00007FF7BD3D1F0F,?,?,00000000,00007FF7BD3D23D5,?,?,00000000,00007FF7BD3D2307), ref: 00007FF7BD3C9FA8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7BD3BA495), ref: 00007FF7BD3C8030

Strings

C:\Users\user\Desktop\PDF_Resave.exe, xrefs: 00007FF7BD3C801E

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\PDF_Resave.exe
API String ID: 3580290477-2412123782
Opcode ID: 6d7d95bebc1c7e9c2ca04ba4a518ba82f51154095bcf1e32176823eeda0f2bff
Instruction ID: b04708d4d979ec27fb3d421536f1bc1447a313af7229441e7e5bdac0ce27de34
Opcode Fuzzy Hash: 6d7d95bebc1c7e9c2ca04ba4a518ba82f51154095bcf1e32176823eeda0f2bff
Instruction Fuzzy Hash: A7418136A0C716D5EB1CAF2998500B9E694EF56780F994039EB4D03B8BEF39E5858320

Function 00007FF7BD3CC278 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7BD3CC38F
GetLastError.KERNEL32 ref: 00007FF7BD3CC3B1

Strings

U, xrefs: 00007FF7BD3CC33B

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4ebfda0eb3dddeb426bdf92ebf3ecfca638941ee1d5aabdffb869394d8dbdab1
Instruction ID: f190a49516a6666e16bcd2807a639ab5eee144e43fa92977ca968a1be397fd67
Opcode Fuzzy Hash: 4ebfda0eb3dddeb426bdf92ebf3ecfca638941ee1d5aabdffb869394d8dbdab1
Instruction Fuzzy Hash: 87419132A1CB41C1DB649F29E8443A9E760FBA9794F884039EB4D87799EF3CD441C710

Function 00007FFE11EBC560 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON311 ref: 00007FFE11EBC612
PyErr_SetString.PYTHON311 ref: 00007FFE11EC5993

Strings

Cannot delete attribute, xrefs: 00007FFE11EC5989

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: DeallocErr_String
String ID: Cannot delete attribute
API String ID: 1259552197-1790985853
Opcode ID: de2af97183b5ab665fbd892aa82625e99ad3be16cb07556211671bbe331626aa
Instruction ID: aa569b6edee327bda632d673f9cf74f9b989a24f7f5042f662488e24798de991
Opcode Fuzzy Hash: de2af97183b5ab665fbd892aa82625e99ad3be16cb07556211671bbe331626aa
Instruction Fuzzy Hash: F8318F76B09E4286EB648B97EC4026A6368FF48BB4F1851B2DA1E47B74CF3DE4518704

Function 00007FFE1A459F44 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1A45A042

Strings

void, xrefs: 00007FFE1A459FA4
void , xrefs: 00007FFE1A459FCC

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: 7dcf970a61f58172c3a4f39e178d28c376ed2dbead67cac1058dce2bd18ce07b
Instruction ID: 875731d20529edb4b255745a62000598e67eb6746bd7be3a9cadca225dcbe56d
Opcode Fuzzy Hash: 7dcf970a61f58172c3a4f39e178d28c376ed2dbead67cac1058dce2bd18ce07b
Instruction Fuzzy Hash: 223146A2F18B5598FB01DFA1E8410FC37B0BB48B58B4405B6EA4EA3B69DF3C9164C750

Function 00007FF7BD3CE598 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF7BD3CE5D8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF7BD3CE62A

Strings

:, xrefs: 00007FF7BD3CE5EE

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 132199adc714e9629c61c67295dcba21de8455e3cfff0b1badab354436fabe04
Instruction ID: c2cf92d24edbd2137cc49e877df280306f526e7003ea89c126b4233fa3620c2a
Opcode Fuzzy Hash: 132199adc714e9629c61c67295dcba21de8455e3cfff0b1badab354436fabe04
Instruction Fuzzy Hash: 11210622B1C781C1EB28AB19D04426DF3A1FBA5B44FC9403DD74D1328AEF7CE9658B60

Function 00007FFE13302B70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

PyObject_IsTrue.PYTHON311 ref: 00007FFE13302BEB

Part of subcall function 00007FFE13301000: PyModule_GetState.PYTHON311 ref: 00007FFE13301063
Part of subcall function 00007FFE13301000: _Py_hashtable_get.PYTHON311 ref: 00007FFE13301073
Part of subcall function 00007FFE13301000: EVP_MD_flags.LIBCRYPTO-1_1 ref: 00007FFE133010A7
Part of subcall function 00007FFE13301000: PyModule_GetState.PYTHON311 ref: 00007FFE133010B8
Part of subcall function 00007FFE13301000: _PyObject_New.PYTHON311 ref: 00007FFE133010C1
Part of subcall function 00007FFE13301000: EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FFE133010D3
Part of subcall function 00007FFE13301000: EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FFE133010FB

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FFE13302C3B

Strings

sha256, xrefs: 00007FFE13302BAE

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Module_Object_State$Arg_D_flagsDigestInit_exKeywordsPy_hashtable_getTrueUnpackX_new
String ID: sha256
API String ID: 3901364687-1556616439
Opcode ID: 8605687528c92a14fcc0294d2b696536008bcb8e906118a4c96b97f44988ac05
Instruction ID: a34a448ab0fa928c03317823f8f6114615e24435948aa0b3be2653a6d44a09b8
Opcode Fuzzy Hash: 8605687528c92a14fcc0294d2b696536008bcb8e906118a4c96b97f44988ac05
Instruction Fuzzy Hash: 8721B032A09F418AEE648F13E44066DA2A4FF68BE4F094170EE6DA3764DF7DD440C704

Function 00007FFE13303270 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

PyObject_IsTrue.PYTHON311 ref: 00007FFE133032EB

Part of subcall function 00007FFE13301000: PyModule_GetState.PYTHON311 ref: 00007FFE13301063
Part of subcall function 00007FFE13301000: _Py_hashtable_get.PYTHON311 ref: 00007FFE13301073
Part of subcall function 00007FFE13301000: EVP_MD_flags.LIBCRYPTO-1_1 ref: 00007FFE133010A7
Part of subcall function 00007FFE13301000: PyModule_GetState.PYTHON311 ref: 00007FFE133010B8
Part of subcall function 00007FFE13301000: _PyObject_New.PYTHON311 ref: 00007FFE133010C1
Part of subcall function 00007FFE13301000: EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FFE133010D3
Part of subcall function 00007FFE13301000: EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FFE133010FB

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FFE1330333B

Strings

sha3_256, xrefs: 00007FFE133032AE

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Module_Object_State$Arg_D_flagsDigestInit_exKeywordsPy_hashtable_getTrueUnpackX_new
String ID: sha3_256
API String ID: 3901364687-59190292
Opcode ID: c67b15245a0b545474ba9a20e3969ec6ab456242c73f3d5027aae6fae515f439
Instruction ID: d5a930b219ec0978b8890533fb29618426519f774b70261b3f87cecd43882f13
Opcode Fuzzy Hash: c67b15245a0b545474ba9a20e3969ec6ab456242c73f3d5027aae6fae515f439
Instruction Fuzzy Hash: 4F21C232B08F418AEE608B13E4406AE62A8FB68BE4F184170EE6D63764DF3CD900C704

Function 00007FFE13303350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

PyObject_IsTrue.PYTHON311 ref: 00007FFE133033CB

Part of subcall function 00007FFE13301000: PyModule_GetState.PYTHON311 ref: 00007FFE13301063
Part of subcall function 00007FFE13301000: _Py_hashtable_get.PYTHON311 ref: 00007FFE13301073
Part of subcall function 00007FFE13301000: EVP_MD_flags.LIBCRYPTO-1_1 ref: 00007FFE133010A7
Part of subcall function 00007FFE13301000: PyModule_GetState.PYTHON311 ref: 00007FFE133010B8
Part of subcall function 00007FFE13301000: _PyObject_New.PYTHON311 ref: 00007FFE133010C1
Part of subcall function 00007FFE13301000: EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FFE133010D3
Part of subcall function 00007FFE13301000: EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FFE133010FB

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FFE1330341B

Strings

sha3_224, xrefs: 00007FFE1330338E

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Module_Object_State$Arg_D_flagsDigestInit_exKeywordsPy_hashtable_getTrueUnpackX_new
String ID: sha3_224
API String ID: 3901364687-2731072511
Opcode ID: 56e49af4b8ea5246fdcc7845f3c1ff5b02ac791c8e8e097f65d51e2a5707a248
Instruction ID: f08fccf590dedf8ff2c2cd3d1c9fba338e3628e0fdb993dfa15ee199153b9e47
Opcode Fuzzy Hash: 56e49af4b8ea5246fdcc7845f3c1ff5b02ac791c8e8e097f65d51e2a5707a248
Instruction Fuzzy Hash: 2A21C832B19F418AEE60CB23E48066E6294FB68BE4F1C41B1DE6D53764DF7CD4008744

Function 00007FFE13302C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

PyObject_IsTrue.PYTHON311 ref: 00007FFE13302CCB

Part of subcall function 00007FFE13301000: PyModule_GetState.PYTHON311 ref: 00007FFE13301063
Part of subcall function 00007FFE13301000: _Py_hashtable_get.PYTHON311 ref: 00007FFE13301073
Part of subcall function 00007FFE13301000: EVP_MD_flags.LIBCRYPTO-1_1 ref: 00007FFE133010A7
Part of subcall function 00007FFE13301000: PyModule_GetState.PYTHON311 ref: 00007FFE133010B8
Part of subcall function 00007FFE13301000: _PyObject_New.PYTHON311 ref: 00007FFE133010C1
Part of subcall function 00007FFE13301000: EVP_MD_CTX_new.LIBCRYPTO-1_1 ref: 00007FFE133010D3
Part of subcall function 00007FFE13301000: EVP_DigestInit_ex.LIBCRYPTO-1_1 ref: 00007FFE133010FB

_PyArg_UnpackKeywords.PYTHON311 ref: 00007FFE13302D1B

Strings

md5, xrefs: 00007FFE13302C8E

Memory Dump Source

Source File: 00000002.00000002.1740521667.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1740496540.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740547562.00007FFE13307000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740573296.00007FFE1330C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1740602702.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_PDF_Resave.jbxd

Similarity

API ID: Module_Object_State$Arg_D_flagsDigestInit_exKeywordsPy_hashtable_getTrueUnpackX_new
String ID: md5
API String ID: 3901364687-3899452385
Opcode ID: 980258609fd57627985029a1359037be3026fba797028a88728b7d60e3954ae3
Instruction ID: 88691f3c74635bb3b137fad796518c790e2d0924671ec2be90b544d4ad386b5c
Opcode Fuzzy Hash: 980258609fd57627985029a1359037be3026fba797028a88728b7d60e3954ae3
Instruction Fuzzy Hash: B121C232A08F428AEE61CB13E40066D62A4FB68BD4F194171EE6DA7764DF3ED8408748

Function 00007FFDFB1A338C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61networkCOMMON

Download Yara Rule

APIs

getsockname.WS2_32 ref: 00007FFDFB269F47
WSAGetLastError.WS2_32 ref: 00007FFDFB269F52

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFDFB269F06, 00007FFDFB269F68, 00007FFDFB269F84, 00007FFDFB269FB7

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: ErrorLastgetsockname
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 566540725-540685895
Opcode ID: 6b4fc8a7a88fb01f9812228e0b07841756f3377f257988557045c535e6cc1a7b
Instruction ID: ee998cf734aad2fc31051bd79425c3e3175c97fcf563b671fa82e5d2fff22ce4
Opcode Fuzzy Hash: 6b4fc8a7a88fb01f9812228e0b07841756f3377f257988557045c535e6cc1a7b
Instruction Fuzzy Hash: 98218072B0910786E720DB60D820AEE77A0EF84718F404135E66C46AF8DF7DF599DB40

Function 00007FFDFB1A2522 Relevance: 5.3, APIs: 4, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904c1ddc1ac2b7d51a3733fdc4c934fa97721c2ab28c691eea5c0e6f115cc51a
Instruction ID: 4fe10b373ad06de8bcd10f55e396b9559588ed2a25e5a8c0cfc23a7b3c71c47a
Opcode Fuzzy Hash: 904c1ddc1ac2b7d51a3733fdc4c934fa97721c2ab28c691eea5c0e6f115cc51a
Instruction Fuzzy Hash: 4AC1B572B0968186D720DF59A450BAEB7A5FB89BC4F044136EE4D97B9DDF3CE0058B40

Function 00007FFE1A4562EF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A456690: RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4566D4
Part of subcall function 00007FFE1A456690: RaiseException.KERNEL32 ref: 00007FFE1A45671A

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A45635F

Strings

Bad dynamic_cast!, xrefs: 00007FFE1A456312
Access violation - no RTTI data!, xrefs: 00007FFE1A4562EF

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: FileHeader$ExceptionRaise
String ID: Access violation - no RTTI data!$Bad dynamic_cast!
API String ID: 3685223789-3176238549
Opcode ID: 7bbd72394c3e749fc10370465baa4d9a755cb91736d17097c685b3404c0deaff
Instruction ID: e172b658535d01e83bd57d5162ab50a7ca66e582ba5a7e9cdacb51fc8cdf2ccc
Opcode Fuzzy Hash: 7bbd72394c3e749fc10370465baa4d9a755cb91736d17097c685b3404c0deaff
Instruction Fuzzy Hash: F0015EA1B29E8691EE40AB16F450178A321FF40FA4F4850F3E65E07675EF6CE564C700

Function 00007FFE1A456690 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE1A4566D4
RaiseException.KERNEL32 ref: 00007FFE1A45671A

Strings

csm, xrefs: 00007FFE1A456707

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 51a2530866bc70b3fa6e7487cc130fe87b9602d28e5a22477376607ad08b6180
Instruction ID: 7bc0cbed7bf8ecaba938c7922a3b33647ad9e37d51fd8fc8727a111cf8f43bc5
Opcode Fuzzy Hash: 51a2530866bc70b3fa6e7487cc130fe87b9602d28e5a22477376607ad08b6180
Instruction Fuzzy Hash: 52113D72608F8182EB108F16F440269B7A5FB88F94F1842B6DF8C07B68DF3DD5658700

Function 00007FF7BD3BE320 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF7BD3BE364
RaiseException.KERNEL32 ref: 00007FF7BD3BE3AA

Strings

csm, xrefs: 00007FF7BD3BE397

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: ca300da370bc200b47a9e29752d724a25d804681f54f6f31a4c62ce82835f912
Instruction ID: 64289bdfc823a9ddaa8e3dd3567965a6a858180e18b3cfcba344a957ba26770c
Opcode Fuzzy Hash: ca300da370bc200b47a9e29752d724a25d804681f54f6f31a4c62ce82835f912
Instruction Fuzzy Hash: A6113A3260CB4182EB259F19E540269F7A1FB99B84F584238EF8D07769EF3CD551CB40

Function 00007FFE11EBB98C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

PyObject_Call.PYTHON311 ref: 00007FFE11EBB9AC
_PyTraceback_Add.PYTHON311 ref: 00007FFE11EC52A5

Strings

D:\a\1\s\Modules\pyexpat.c, xrefs: 00007FFE11EC529B

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: CallObject_Traceback_
String ID: D:\a\1\s\Modules\pyexpat.c
API String ID: 1142842016-3460214922
Opcode ID: 92ad9d6fa8c185cfce829b5c419b3f96376c9b3af91439abfd41e60d363adc12
Instruction ID: 6328433d796d4b446ce15af6d672cad07ec46e8fc2f72939820df7a5f7b01e16
Opcode Fuzzy Hash: 92ad9d6fa8c185cfce829b5c419b3f96376c9b3af91439abfd41e60d363adc12
Instruction Fuzzy Hash: BA01A766B08F4282EF688B57E84427A63A9FB48FE0F589575DE4D07B68DE3CD5418700

Function 00007FF7BD3CF09C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7BD3CF0CC
GetDriveTypeW.KERNEL32 ref: 00007FF7BD3CF10C

Strings

:, xrefs: 00007FF7BD3CF0F5

Memory Dump Source

Source File: 00000002.00000002.1736450646.00007FF7BD3B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7BD3B0000, based on PE: true

Associated: 00000002.00000002.1736425005.00007FF7BD3B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736482273.00007FF7BD3DA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3ED000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736509681.00007FF7BD3FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1736581353.00007FF7BD3FE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7bd3b0000_PDF_Resave.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 5bb9208f1dd75f8da1bf4b84d43d2649c4580fde4fdc4700cc46879c1844a841
Instruction ID: d60ea243c01b6f0165575908ce6eea43b20058adc4d7d487a53a972b5e6e5cd9
Opcode Fuzzy Hash: 5bb9208f1dd75f8da1bf4b84d43d2649c4580fde4fdc4700cc46879c1844a841
Instruction Fuzzy Hash: 9A01B12291D312C6F768BB28946127EE3A0EF66704FC8103DD74C4729BFE2DE5448B24

Function 00007FFDFB1A15AF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFDFB2B0AE4

Strings

..\s\crypto\ct\ct_policy.c, xrefs: 00007FFDFB2B0AA3, 00007FFDFB2B0ABA
!, xrefs: 00007FFDFB2B0AC1

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: _time64
String ID: !$..\s\crypto\ct\ct_policy.c
API String ID: 1670930206-3401457818
Opcode ID: f18ed828a28c6ab51aa7041c4afaf51f6b8b90cc747c6e012aca78e72ff6fbca
Instruction ID: 5a4c5aa4df6e3d5d33bc067c845eda86f75e15dd43652731777d39263266e089
Opcode Fuzzy Hash: f18ed828a28c6ab51aa7041c4afaf51f6b8b90cc747c6e012aca78e72ff6fbca
Instruction Fuzzy Hash: 2BF0CD32F1760B86EB119B20D421BEE2354EF40308F540434DA2E067EAEE3CF655DB40

Function 00007FFE11EC9F2C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FFE11EC9F4B
PyObject_IsTrue.PYTHON311 ref: 00007FFE11EC9F59

Strings

Cannot delete attribute, xrefs: 00007FFE11EC9F41

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Err_Object_StringTrue
String ID: Cannot delete attribute
API String ID: 1323943456-1790985853
Opcode ID: a9b9417798d186abded7274f866e88ba46e5fd2a0e6bd8a384be0658d3fbe29e
Instruction ID: 5b65bc1e586fe9d3c79ba7aa9089e09d1788cd2d366d9a28dc13bd35ad2db3b6
Opcode Fuzzy Hash: a9b9417798d186abded7274f866e88ba46e5fd2a0e6bd8a384be0658d3fbe29e
Instruction Fuzzy Hash: 6EF09665B09F4382FF158BBB8C5423622A9AF85B74F545271DD2D862B4EE2CE4818304

Function 00007FFE11EC9FF0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE11ECC8CC: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,00007FFE11ECA00B), ref: 00007FFE11ECC8D2
Part of subcall function 00007FFE11ECC8CC: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE11ECA00B), ref: 00007FFE11ECC8E0
Part of subcall function 00007FFE11ECC8CC: strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,00007FFE11ECA00B), ref: 00007FFE11ECC8FC
Part of subcall function 00007FFE11ECC8CC: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE11ECA00B), ref: 00007FFE11ECC904

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE11ECA015

Part of subcall function 00007FFE11ECC53C: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFE11ECC572

Strings

expat: Entropy: %s --> 0x%0*lx (%lu bytes), xrefs: 00007FFE11ECA023
EXPAT_ENTROPY_DEBUG, xrefs: 00007FFE11EC9FFF

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: _errno$__acrt_iob_func__stdio_common_vfprintfgetenvstrtoul
String ID: EXPAT_ENTROPY_DEBUG$expat: Entropy: %s --> 0x%0*lx (%lu bytes)
API String ID: 1947085748-401753140
Opcode ID: 3c21e4b76e0c7f3b008b0b68308483547d3def289599a0f61e0cadeabc434970
Instruction ID: 7e4a9f00f7a1d624661bc6d307a267b47b4d51e03597aefb0eaa55e15d87c5a1
Opcode Fuzzy Hash: 3c21e4b76e0c7f3b008b0b68308483547d3def289599a0f61e0cadeabc434970
Instruction Fuzzy Hash: FAF0A026B08A4282EB005B96FC8427AA764BB887E4F844079DA4D477B6CE2CE5458B04

Function 00007FFE1A45EE00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A45F050: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A45F110
Part of subcall function 00007FFE1A45F050: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A45EE15), ref: 00007FFE1A45F15F

Part of subcall function 00007FFE1A4569C0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4525CE), ref: 00007FFE1A4569CE

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A45EE3A

Strings

f, xrefs: 00007FFE1A45EE15
csm, xrefs: 00007FFE1A45EE1B

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: CurrentImageNonwritableUnwindabortterminate
String ID: csm$f
API String ID: 4189928240-629598281
Opcode ID: 41dc89b1ce5f079b65ce2aaee024a8a434243f0f20765bf48ba2e403aae6c5bc
Instruction ID: 439b4ab186a30d8487f58195f1504811de730e969a15e9b3a06dd8e9fb9fa11c
Opcode Fuzzy Hash: 41dc89b1ce5f079b65ce2aaee024a8a434243f0f20765bf48ba2e403aae6c5bc
Instruction Fuzzy Hash: 99E065F1E18B4281EB607B63B58517D67A4AF05F74F1C80F6DA8807666CF3DD8B08641

Function 00007FFE11EBE114 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

PyObject_IsTrue.PYTHON311 ref: 00007FFE11EBE129
PyErr_SetString.PYTHON311 ref: 00007FFE11EC61AD

Strings

Cannot delete attribute, xrefs: 00007FFE11EC61A3

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Err_Object_StringTrue
String ID: Cannot delete attribute
API String ID: 1323943456-1790985853
Opcode ID: bd6ed47d6c8feddeade60c45839d130a54cff1d29265f0cbc8fe3103c7dac3b0
Instruction ID: 2f9e63d07b281e3b8daae7c189b5aea2e26673df8e5ba6b53c43cdb7742e41f0
Opcode Fuzzy Hash: bd6ed47d6c8feddeade60c45839d130a54cff1d29265f0cbc8fe3103c7dac3b0
Instruction Fuzzy Hash: CAE06D65B08E0381EF148BB39D8017622A9AF49BB5F6061B1CA2D8A2B0DE3CE0818304

Function 00007FFDFB1A6BEA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32 ref: 00007FFDFB26A102
WSAGetLastError.WS2_32 ref: 00007FFDFB26A10E

Strings

..\s\crypto\bio\b_sock.c, xrefs: 00007FFDFB26A124

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: ErrorLastioctlsocket
String ID: ..\s\crypto\bio\b_sock.c
API String ID: 1021210092-540685895
Opcode ID: 4d68a102142dda0a141e0aa41e49ba71bac8bdbe77c0eb6d10dc70971b8a66ca
Instruction ID: 73991d00a0cfa02ed4e3732baeababfc1b26bb7d67bf13b27c0f0ddd25344bc5
Opcode Fuzzy Hash: 4d68a102142dda0a141e0aa41e49ba71bac8bdbe77c0eb6d10dc70971b8a66ca
Instruction Fuzzy Hash: F3E01A61F1A5138AF7126B60A834FB92354AF05709F004534E92D866F9EE2DB6598A50

Function 00007FFE11EC9FAC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FFE11EC9FCB
PyObject_IsTrue.PYTHON311 ref: 00007FFE11EC9FD9

Strings

Cannot delete attribute, xrefs: 00007FFE11EC9FC1

Memory Dump Source

Source File: 00000002.00000002.1740121186.00007FFE11EB1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE11EB0000, based on PE: true

Associated: 00000002.00000002.1740092134.00007FFE11EB0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740156853.00007FFE11ED2000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740200829.00007FFE11EDB000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000002.00000002.1740250340.00007FFE11EDE000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe11eb0000_PDF_Resave.jbxd

Similarity

API ID: Err_Object_StringTrue
String ID: Cannot delete attribute
API String ID: 1323943456-1790985853
Opcode ID: bc7705b4852f145fe3769901dd8926da39069cb191b86ca93b042b14d9c8c169
Instruction ID: 1fb15faaa9e8d348a7cb7e6e2381ac02af08fbfb87c4d5b87d49d0342fe2c881
Opcode Fuzzy Hash: bc7705b4852f145fe3769901dd8926da39069cb191b86ca93b042b14d9c8c169
Instruction Fuzzy Hash: 5AE01265F14D4781EF188BB79C4027A22A9AF54BB4B5091B1D92D4A2B0EE2CE1958701

Function 00007FFDFB3DB690 Relevance: 5.2, APIs: 4, Instructions: 239COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(00007FFDFB3DB5FB,00000000,?,00000000,00007FFDFB3DA899), ref: 00007FFDFB3DB7CB
memchr.VCRUNTIME140(00007FFDFB3DB5FB,00000000,?,00000000,00007FFDFB3DA899), ref: 00007FFDFB3DB813
memchr.VCRUNTIME140(00007FFDFB3DB5FB,00000000,?,00000000,00007FFDFB3DA899), ref: 00007FFDFB3DB82D

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memchr
String ID:
API String ID: 3297308162-0
Opcode ID: c5053ac5122ae20ce2bba16029e3ae9fdfc9990fab1c8ee538e04b1850252035
Instruction ID: 2e2e89d2978da15bc8a08575c1d31362be77648bf2039a66e06a7ba8ddf69315
Opcode Fuzzy Hash: c5053ac5122ae20ce2bba16029e3ae9fdfc9990fab1c8ee538e04b1850252035
Instruction Fuzzy Hash: B391C66AF496CA83EB10AB16D4A0539A7E0FB8DBC4F584035DF5C837A9DE2EE445C701

Function 00007FFE1A4569DC Relevance: 5.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE1A456859,?,?,?,?,00007FFE1A45FF42,?,?,?,?,?), ref: 00007FFE1A4569FB
SetLastError.KERNEL32(?,?,?,00007FFE1A456859,?,?,?,?,00007FFE1A45FF42,?,?,?,?,?), ref: 00007FFE1A456A84

Memory Dump Source

Source File: 00000002.00000002.1740949605.00007FFE1A451000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFE1A450000, based on PE: true

Associated: 00000002.00000002.1740857247.00007FFE1A450000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741019337.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741049295.00007FFE1A466000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.1741078012.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe1a450000_PDF_Resave.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
Instruction ID: c537d69b825f7dc53fcf8138677aa6a089e144648b5cfd350e592b649c7ac000
Opcode Fuzzy Hash: bbe9895d534b658101cce7e74ca5bd95b80ee12bf15f37732e53d0ee5c009e2b
Instruction Fuzzy Hash: 46112160F0DA4242FA14AB27B844134B2A16F49FF4F1C86F6D96E077F5DF2CE8619640

Function 00007FFDFB1A53E9 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FFDFB299A00
memmove.VCRUNTIME140 ref: 00007FFDFB299A10
memmove.VCRUNTIME140 ref: 00007FFDFB299A20
memmove.VCRUNTIME140 ref: 00007FFDFB299A30

Memory Dump Source

Source File: 00000002.00000002.1736635525.00007FFDFB1A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFDFB1A0000, based on PE: true

Associated: 00000002.00000002.1736611386.00007FFDFB1A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB1AD000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB205000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB219000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB229000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB23D000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736635525.00007FFDFB3ED000.00000020.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB3EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB41A000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB44C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1736965522.00007FFDFB471000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737115322.00007FFDFB4BF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737139761.00007FFDFB4C0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4C7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E4000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1737166133.00007FFDFB4E8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfb1a0000_PDF_Resave.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: c7954e11c4b5c180aee147f19bd23452bbd2d047806da0b6489b870047a3b121
Instruction ID: c7838f6c02d5b39d5256ac95594c23dc47f74f2f856e24ea6a957377a5b2023f
Opcode Fuzzy Hash: c7954e11c4b5c180aee147f19bd23452bbd2d047806da0b6489b870047a3b121
Instruction Fuzzy Hash: 3411D062B0564286D710EB1AE4501ED7360FB447D4F448132EB6E87BEAEF28E6A4C700

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PDF_Resave.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI73042\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI73042\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI73042\_decimal.pyd

C:\Users\user\AppData\Local\Temp\_MEI73042\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI73042\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI73042\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI73042\_ssl.pyd

C:\Users\user\AppData\Local\Temp\_MEI73042\_uuid.pyd

C:\Users\user\AppData\Local\Temp\_MEI73042\base_library.zip

C:\Users\user\AppData\Local\Temp\_MEI73042\libcrypto-1_1.dll

C:\Users\user\AppData\Local\Temp\_MEI73042\libssl-1_1.dll

C:\Users\user\AppData\Local\Temp\_MEI73042\pyexpat.pyd

C:\Users\user\AppData\Local\Temp\_MEI73042\python311.dll

C:\Users\user\AppData\Local\Temp\_MEI73042\select.pyd

C:\Users\user\AppData\Local\Temp\_MEI73042\unicodedata.pyd

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
PDF_Resave.exe

Function 00007FF7BD3D4EB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Function 00007FF7BD3B58E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 141
COMMON

Function 00007FF7BD3D5DFC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Function 00007FF7BD3D512C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Function 00007FF7BD3B17B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Function 00007FF7BD3B1440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133
COMMON

Function 00007FF7BD3B6A70 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Function 00007FF7BD3B6140 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Function 00007FF7BD3B1000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Function 00007FF7BD3B1050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Function 00007FF7BD3CDF40 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Function 00007FF7BD3CB09C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Function 00007FF7BD3CC5A0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Function 00007FF7BD3CE96C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Function 00007FF7BD3C46F8 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON