Edit tour

Windows Analysis Report
run0796.exe

Overview

General Information

Sample name:	run0796.exe
Analysis ID:	1530692
MD5:	6e912c37e25ed34d27440036de24c71a
SHA1:	8d2173a6e5239616f131c3c72b6572c56123dac1
SHA256:	6e120026e8e7473a4d12f13a157c773b82a04fe90a841d9a8c46da438a8bb58d
Tags:	exeuser-QuangNguyen
Infos:

Detection

Score:	29
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Found pyInstaller with non standard icon

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

run0796.exe (PID: 6472 cmdline: "C:\Users\user\Desktop\run0796.exe" MD5: 6E912C37E25ED34D27440036DE24C71A)

conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

run0796.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\run0796.exe" MD5: 6E912C37E25ED34D27440036DE24C71A)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: run0796.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681336615.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: run0796.exe, 00000000.00000003.1678682813.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: run0796.exe, run0796.exe, 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: ucrtbase.pdb source: run0796.exe, 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: run0796.exe, 00000000.00000003.1680583247.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681198263.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680904078.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: run0796.exe, 00000002.00000002.1691664835.00007FFDFB75D000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: run0796.exe, 00000000.00000003.1679187945.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681805406.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678508272.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: run0796.exe, 00000000.00000003.1678781344.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: run0796.exe, 00000000.00000003.1677458140.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679621455.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679107388.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678587999.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681028597.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679035664.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: run0796.exe, run0796.exe, 00000002.00000002.1692491940.00007FFE148E1000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679820104.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: run0796.exe, 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: vcruntime140.amd64.pdb source: run0796.exe, 00000000.00000003.1677458140.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681252863.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681742787.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr

Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1A0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF60F1A0A44
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1869F0 FindFirstFileExW,FindClose,	0_2_00007FF60F1869F0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	2_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1A0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF60F1A0A44
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1869F0 FindFirstFileExW,FindClose,	2_2_00007FF60F1869F0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	2_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013C2DFC FindFirstFileExW,	2_2_00007FFE013C2DFC
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013EEFEC FindFirstFileExW,FindClose,FindNextFileW,	2_2_00007FFE013EEFEC

Source: C:\Users\user\Desktop\run0796.exe

Code function: 2_2_00007FFE132763D8 recv,

2_2_00007FFE132763D8

Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: run0796.exe, 00000000.00000003.1677458140.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679820104.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.usert
Source: run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertrtok
Source: run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.usertrtokstrtok_sucrtbase.strtok_sstrxfrmucrtbase.strxfrmtolowerucrtbase.tolowertoupperuc
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679107388.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: run0796.exe, 00000000.00000003.1678587999.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679107388.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: run0796.exe, 00000002.00000002.1691664835.00007FFDFB75D000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678781344.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eclipse.org/0
Source: run0796.exe, 00000002.00000003.1687968485.000001AA09DAE000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687917821.000001AA09D83000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: http://www.python.org/
Source: run0796.exe, 00000000.00000003.1683564349.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: run0796.exe, 00000002.00000002.1691089775.000001AA0A490000.00000004.00001000.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687549544.000001AA09DB5000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: base_library.zip.0.dr	String found in binary or memory: http://www.robotstxt.org/norobots-rfc.txt
Source: run0796.exe, 00000002.00000003.1689777496.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689693482.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687263356.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688342137.000001AA09D9D000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690470228.000001AA09D7F000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688481101.000001AA09DA0000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689983516.000001AA09D7C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689837022.000001AA09D76000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687390844.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688803710.000001AA09DCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: run0796.exe, 00000002.00000002.1690891791.000001AA0A110000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: run0796.exe, 00000002.00000002.1690879972.000001AA09DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: run0796.exe, 00000002.00000003.1689777496.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689693482.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687263356.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688342137.000001AA09D9D000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690470228.000001AA09D7F000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688481101.000001AA09DA0000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689983516.000001AA09D7C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689837022.000001AA09D76000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687390844.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688803710.000001AA09DCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: run0796.exe, 00000002.00000003.1689777496.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689693482.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687263356.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688342137.000001AA09D9D000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690470228.000001AA09D7F000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688481101.000001AA09DA0000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689983516.000001AA09D7C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689837022.000001AA09D76000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687390844.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688803710.000001AA09DCC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: run0796.exe, 00000002.00000003.1687968485.000001AA09DAE000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687917821.000001AA09D83000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: https://mahler:8092/site-updates.py
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679820104.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	String found in binary or memory: https://www.openssl.org/H

Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F196888	0_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1858E0	0_2_00007FF60F1858E0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1A4EB0	0_2_00007FF60F1A4EB0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1A5DFC	0_2_00007FF60F1A5DFC
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F19FA98	0_2_00007FF60F19FA98
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1A58B0	0_2_00007FF60F1A58B0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F19D888	0_2_00007FF60F19D888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1A512C	0_2_00007FF60F1A512C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F19710C	0_2_00007FF60F19710C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F190774	0_2_00007FF60F190774
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F18FF54	0_2_00007FF60F18FF54
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F194FD0	0_2_00007FF60F194FD0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1916D4	0_2_00007FF60F1916D4
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1966D4	0_2_00007FF60F1966D4
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F190570	0_2_00007FF60F190570
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F19CD74	0_2_00007FF60F19CD74
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F18FD50	0_2_00007FF60F18FD50
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F19FA98	0_2_00007FF60F19FA98
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1A2DC0	0_2_00007FF60F1A2DC0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F192624	0_2_00007FF60F192624
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F198D10	0_2_00007FF60F198D10
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F190364	0_2_00007FF60F190364
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F19133C	0_2_00007FF60F19133C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F187430	0_2_00007FF60F187430
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1A8BF8	0_2_00007FF60F1A8BF8
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1A325C	0_2_00007FF60F1A325C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1A0A44	0_2_00007FF60F1A0A44
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F190160	0_2_00007FF60F190160
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1921EC	0_2_00007FF60F1921EC
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F196888	0_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F192A28	0_2_00007FF60F192A28
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F19D208	0_2_00007FF60F19D208
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1A4EB0	2_2_00007FF60F1A4EB0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1A5DFC	2_2_00007FF60F1A5DFC
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1A58B0	2_2_00007FF60F1A58B0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F196888	2_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F19D888	2_2_00007FF60F19D888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1858E0	2_2_00007FF60F1858E0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1A512C	2_2_00007FF60F1A512C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F19710C	2_2_00007FF60F19710C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F190774	2_2_00007FF60F190774
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F18FF54	2_2_00007FF60F18FF54
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F194FD0	2_2_00007FF60F194FD0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1916D4	2_2_00007FF60F1916D4
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1966D4	2_2_00007FF60F1966D4
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F190570	2_2_00007FF60F190570
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F19CD74	2_2_00007FF60F19CD74
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F18FD50	2_2_00007FF60F18FD50
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F19FA98	2_2_00007FF60F19FA98
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1A2DC0	2_2_00007FF60F1A2DC0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F192624	2_2_00007FF60F192624
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F198D10	2_2_00007FF60F198D10
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F190364	2_2_00007FF60F190364
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F19133C	2_2_00007FF60F19133C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F187430	2_2_00007FF60F187430
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1A8BF8	2_2_00007FF60F1A8BF8
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1A325C	2_2_00007FF60F1A325C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1A0A44	2_2_00007FF60F1A0A44
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F19FA98	2_2_00007FF60F19FA98
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F190160	2_2_00007FF60F190160
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1921EC	2_2_00007FF60F1921EC
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F196888	2_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F192A28	2_2_00007FF60F192A28
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F19D208	2_2_00007FF60F19D208
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0138423C	2_2_00007FFE0138423C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0138B0B0	2_2_00007FFE0138B0B0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01389120	2_2_00007FFE01389120
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0139D408	2_2_00007FFE0139D408
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0138A400	2_2_00007FFE0138A400
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0139641C	2_2_00007FFE0139641C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013822A4	2_2_00007FFE013822A4
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0140B2AC	2_2_00007FFE0140B2AC
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013922F0	2_2_00007FFE013922F0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013A0580	2_2_00007FFE013A0580
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013A654C	2_2_00007FFE013A654C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013AC570	2_2_00007FFE013AC570
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01394788	2_2_00007FFE01394788
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013957B8	2_2_00007FFE013957B8
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013887D0	2_2_00007FFE013887D0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013C2694	2_2_00007FFE013C2694
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013826A0	2_2_00007FFE013826A0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0139C6B0	2_2_00007FFE0139C6B0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01388650	2_2_00007FFE01388650
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013AD6E0	2_2_00007FFE013AD6E0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013E46F8	2_2_00007FFE013E46F8
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01383984	2_2_00007FFE01383984
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0142495C	2_2_00007FFE0142495C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0139195E	2_2_00007FFE0139195E
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01385A20	2_2_00007FFE01385A20
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013EEA3C	2_2_00007FFE013EEA3C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013EE864	2_2_00007FFE013EE864
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01382B90	2_2_00007FFE01382B90
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0138BBB0	2_2_00007FFE0138BBB0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013AAB55	2_2_00007FFE013AAB55
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0138DC30	2_2_00007FFE0138DC30
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0139CAE4	2_2_00007FFE0139CAE4
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01381AF8	2_2_00007FFE01381AF8
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013A8D50	2_2_00007FFE013A8D50
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013ABE10	2_2_00007FFE013ABE10
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01396E30	2_2_00007FFE01396E30
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013EDDF0	2_2_00007FFE013EDDF0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0139DC60	2_2_00007FFE0139DC60
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01388D30	2_2_00007FFE01388D30
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013BACC4	2_2_00007FFE013BACC4
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01425CC0	2_2_00007FFE01425CC0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01383000	2_2_00007FFE01383000
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0138A030	2_2_00007FFE0138A030
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE01388EA0	2_2_00007FFE01388EA0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013EEE44	2_2_00007FFE013EEE44
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013C2EC0	2_2_00007FFE013C2EC0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE0139CEC0	2_2_00007FFE0139CEC0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013ECEC0	2_2_00007FFE013ECEC0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE13271000	2_2_00007FFE13271000
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE13287170	2_2_00007FFE13287170
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE13273BC0	2_2_00007FFE13273BC0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE133071CC	2_2_00007FFE133071CC
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE1330D130	2_2_00007FFE1330D130
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE148EAB70	2_2_00007FFE148EAB70
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE148E21C0	2_2_00007FFE148E21C0

Source: C:\Users\user\Desktop\run0796.exe	Code function: String function: 00007FFE13279580 appears 148 times
Source: C:\Users\user\Desktop\run0796.exe	Code function: String function: 00007FF60F181CB0 appears 38 times
Source: C:\Users\user\Desktop\run0796.exe	Code function: String function: 00007FFE132794D8 appears 35 times
Source: C:\Users\user\Desktop\run0796.exe	Code function: String function: 00007FFE01386448 appears 32 times
Source: C:\Users\user\Desktop\run0796.exe	Code function: String function: 00007FF60F181C50 appears 90 times

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs run0796.exe
Source: run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs run0796.exe
Source: run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1677458140.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs run0796.exe
Source: run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs run0796.exe
Source: run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs run0796.exe
Source: run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs run0796.exe
Source: run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1679107388.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681252863.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681742787.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681805406.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1678508272.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1679035664.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1682880825.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1679187945.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1680583247.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681028597.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681198263.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1679820104.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1681336615.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1678781344.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1679621455.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1680904078.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1678682813.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe, 00000000.00000003.1678587999.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs run0796.exe
Source: run0796.exe	Binary or memory string: OriginalFilename vs run0796.exe
Source: run0796.exe, 00000002.00000003.1687263356.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs run0796.exe
Source: run0796.exe, 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs run0796.exe
Source: run0796.exe, 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs run0796.exe
Source: run0796.exe, 00000002.00000003.1687390844.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs run0796.exe
Source: run0796.exe, 00000002.00000003.1686458281.000001AA09D6F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs run0796.exe
Source: run0796.exe, 00000002.00000002.1692113514.00007FFDFB89F000.00000004.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs run0796.exe
Source: run0796.exe, 00000002.00000002.1692562185.00007FFE148EC000.00000004.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs run0796.exe
Source: run0796.exe, 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs run0796.exe
Source: run0796.exe, 00000002.00000003.1686711023.000001AA09D6F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs run0796.exe

Source: libcrypto-1_1.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9987125577836082
Source: libssl-1_1.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9899651759530792
Source: python38.dll.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.999172404661017
Source: unicodedata.pyd.0.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9939845202137546

Source: classification engine

Classification label: sus29.winEXE@4/51@0/0

Source: C:\Users\user\Desktop\run0796.exe

Code function: 0_2_00007FF60F186680 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF60F186680

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03

Source: C:\Users\user\Desktop\run0796.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI64722

Jump to behavior

Source: run0796.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\run0796.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: run0796.exe	String found in binary or memory: can't send non-None value to a just-started generator
Source: run0796.exe	String found in binary or memory: --help
Source: run0796.exe	String found in binary or memory: --help

Source: C:\Users\user\Desktop\run0796.exe

File read: C:\Users\user\Desktop\run0796.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\run0796.exe "C:\Users\user\Desktop\run0796.exe"
Source: C:\Users\user\Desktop\run0796.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\run0796.exe	Process created: C:\Users\user\Desktop\run0796.exe "C:\Users\user\Desktop\run0796.exe"
Source: C:\Users\user\Desktop\run0796.exe	Process created: C:\Users\user\Desktop\run0796.exe "C:\Users\user\Desktop\run0796.exe"	Jump to behavior

Source: C:\Users\user\Desktop\run0796.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\run0796.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: run0796.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: run0796.exe

Static file information: File size 5364263 > 1048576

Source: run0796.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: run0796.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: run0796.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: run0796.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: run0796.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: run0796.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: run0796.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: run0796.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681336615.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678885962.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: run0796.exe, 00000000.00000003.1678682813.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: run0796.exe, run0796.exe, 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp
Source:	Binary string: ucrtbase.pdb source: run0796.exe, 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-debug-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: run0796.exe, 00000000.00000003.1680583247.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680647486.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681198263.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679539476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680904078.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\python38.pdb source: run0796.exe, 00000002.00000002.1691664835.00007FFDFB75D000.00000040.00000001.01000000.00000005.sdmp
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: run0796.exe, 00000000.00000003.1679187945.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681137160.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681805406.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678508272.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: run0796.exe, 00000000.00000003.1678781344.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: run0796.exe, 00000000.00000003.1677458140.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679621455.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678150888.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679107388.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1678587999.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681028597.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679035664.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\21\b\bin\amd64\select.pdb source: run0796.exe, run0796.exe, 00000002.00000002.1692491940.00007FFE148E1000.00000040.00000001.01000000.00000008.sdmp
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1679820104.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: run0796.exe, 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: vcruntime140.amd64.pdb source: run0796.exe, 00000000.00000003.1677458140.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681252863.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: run0796.exe, 00000000.00000003.1681742787.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr

Source: run0796.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: run0796.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: run0796.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: run0796.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: run0796.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: api-ms-win-core-file-l1-1-0.dll.0.dr

Static PE information: 0xC4F451B9 [Sun Sep 16 17:54:01 2074 UTC]

Source: C:\Users\user\Desktop\run0796.exe

Code function: 2_2_00007FFE13287170 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFE13287170

Source: run0796.exe

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013A44F9 push rdi; ret	2_2_00007FFE013A4502
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013A983D push rdi; ret	2_2_00007FFE013A9844
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013A4A15 push rdi; ret	2_2_00007FFE013A4A1B
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013A9F52 push rdi; ret	2_2_00007FFE013A9F56
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE1330CB1B push rbp; retf	2_2_00007FFE1330CB28

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\run0796.exe

Process created: "C:\Users\user\Desktop\run0796.exe"

Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\run0796.exe

Code function: 0_2_00007FF60F1850B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF60F1850B0

Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\run0796.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\run0796.exe

API coverage: 3.3 %

Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1A0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF60F1A0A44
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F1869F0 FindFirstFileExW,FindClose,	0_2_00007FF60F1869F0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	2_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1A0A44 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF60F1A0A44
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F1869F0 FindFirstFileExW,FindClose,	2_2_00007FF60F1869F0
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F196888 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	2_2_00007FF60F196888
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013C2DFC FindFirstFileExW,	2_2_00007FFE013C2DFC
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013EEFEC FindFirstFileExW,FindClose,FindNextFileW,	2_2_00007FFE013EEFEC

Source: run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689189339.000001AA09D8C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690694229.000001AA09D8F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\run0796.exe

Code function: 0_2_00007FF60F199C54 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF60F199C54

Source: C:\Users\user\Desktop\run0796.exe

Code function: 2_2_00007FFE13287170 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,

2_2_00007FFE13287170

Source: C:\Users\user\Desktop\run0796.exe

Code function: 0_2_00007FF60F1A2630 GetProcessHeap,

0_2_00007FF60F1A2630

Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F199C54 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF60F199C54
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F18ABE4 SetUnhandledExceptionFilter,	0_2_00007FF60F18ABE4
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F18AA3C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF60F18AA3C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 0_2_00007FF60F18A190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF60F18A190
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F199C54 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF60F199C54
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F18ABE4 SetUnhandledExceptionFilter,	2_2_00007FF60F18ABE4
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F18AA3C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF60F18AA3C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FF60F18A190 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF60F18A190
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013C22DC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFE013C22DC
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE013ECC28 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE013ECC28
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE13273AD4 SetUnhandledExceptionFilter,	2_2_00007FFE13273AD4
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE13273E0E SetUnhandledExceptionFilter,	2_2_00007FFE13273E0E
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE13279040 SetUnhandledExceptionFilter,	2_2_00007FFE13279040
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE132738EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE132738EC
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE1330D414 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFE1330D414
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE148E1EEC IsProcessorFeaturePresent,00007FFE1330CEB0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FFE1330CEB0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFE148E1EEC

Source: C:\Users\user\Desktop\run0796.exe

Process created: C:\Users\user\Desktop\run0796.exe "C:\Users\user\Desktop\run0796.exe"

Jump to behavior

Source: C:\Users\user\Desktop\run0796.exe

Code function: 0_2_00007FF60F1A8A40 cpuid

0_2_00007FF60F1A8A40

Source: C:\Users\user\Desktop\run0796.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	2_2_00007FFE013EB074
Source: C:\Users\user\Desktop\run0796.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_00007FFE013EB62C
Source: C:\Users\user\Desktop\run0796.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_00007FFE013EB4B8
Source: C:\Users\user\Desktop\run0796.exe	Code function: GetProcAddress,GetLocaleInfoW,	2_2_00007FFE01383AE0
Source: C:\Users\user\Desktop\run0796.exe	Code function: EnterCriticalSection,EnumSystemLocalesW,LeaveCriticalSection,	2_2_00007FFE013E8FB8
Source: C:\Users\user\Desktop\run0796.exe	Code function: EnumSystemLocalesW,	2_2_00007FFE013EAF64
Source: C:\Users\user\Desktop\run0796.exe	Code function: GetPrimaryLen,EnumSystemLocalesW,	2_2_00007FFE013EAFC4

Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\Desktop VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\Desktop\run0796.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\Desktop\run0796.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\Desktop\run0796.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\run0796.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI64722\select.pyd VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\run0796.exe

Code function: 0_2_00007FF60F18A920 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF60F18A920

Source: C:\Users\user\Desktop\run0796.exe

Code function: 0_2_00007FF60F1A4EB0 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF60F1A4EB0

Source: C:\Users\user\Desktop\run0796.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE1327622C listen,		2_2_00007FFE1327622C
Source: C:\Users\user\Desktop\run0796.exe	Code function: 2_2_00007FFE132720F0 htons,htonl,bind,htons,		2_2_00007FFE132720F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	33 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
run0796.exe	4%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\_MEI64722\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\VCRUNTIME140.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\_bz2.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\_hashlib.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\_lzma.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\_socket.pyd	1%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\_ssl.pyd	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-console-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-datetime-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-debug-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-errorhandling-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-2-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l2-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-handle-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-heap-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-interlocked-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-libraryloader-l1-1-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-localization-l1-2-0.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-memory-l1-1-0.dll	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://www.openssl.org/H	0%	URL Reputation	safe
http://www.eclipse.org/0	0%	Virustotal		Browse
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	0%	Virustotal		Browse
http://www.robotstxt.org/norobots-rfc.txt	0%	Virustotal		Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	0%	Virustotal		Browse
http://www.python.org/	0%	Virustotal		Browse
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	0%	Virustotal		Browse
http://python.org/dev/peps/pep-0263/	0%	Virustotal		Browse
http://www.python.org/download/releases/2.3/mro/.	0%	Virustotal		Browse
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	0%	Virustotal		Browse
http://crl.sectigo.com/	0%	Virustotal		Browse
http://www.python.org/dev/peps/pep-0205/	0%	Virustotal		Browse
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.usertrtok	run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	run0796.exe, 00000002.00000002.1690891791.000001AA0A110000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://python.org/dev/peps/pep-0263/	run0796.exe, 00000002.00000002.1691664835.00007FFDFB75D000.00000040.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse	unknown
http://www.eclipse.org/0	run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678781344.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://mahler:8092/site-updates.py	run0796.exe, 00000002.00000003.1687968485.000001AA09DAE000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687917821.000001AA09D83000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	false		unknown
https://sectigo.com/CPS0	run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679820104.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.usertrtokstrtok_sucrtbase.strtok_sstrxfrmucrtbase.strxfrmtolowerucrtbase.tolowertoupperuc	run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.robotstxt.org/norobots-rfc.txt	base_library.zip.0.dr	false	0%, Virustotal, Browse	unknown
http://ocsp.sectigo.com0	run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679107388.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	false	URL Reputation: safe	unknown
http://www.python.org/	run0796.exe, 00000002.00000003.1687968485.000001AA09DAE000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687917821.000001AA09D83000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	false	0%, Virustotal, Browse	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	run0796.exe, 00000002.00000003.1689777496.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689693482.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687263356.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688342137.000001AA09D9D000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690470228.000001AA09D7F000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688481101.000001AA09DA0000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689983516.000001AA09D7C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689837022.000001AA09D76000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687390844.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688803710.000001AA09DCC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.mic	run0796.exe, 00000000.00000003.1677458140.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	run0796.exe, 00000002.00000003.1689777496.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689693482.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687263356.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688342137.000001AA09D9D000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690470228.000001AA09D7F000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688481101.000001AA09DA0000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689983516.000001AA09D7C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689837022.000001AA09D76000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687390844.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688803710.000001AA09DCC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.python.org/download/releases/2.3/mro/.	run0796.exe, 00000002.00000002.1691089775.000001AA0A490000.00000004.00001000.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687549544.000001AA09DB5000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	false	0%, Virustotal, Browse	unknown
http://crl.usert	run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	run0796.exe, 00000002.00000003.1689777496.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689693482.000001AA09DCD000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688367932.000001AA09D71000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687263356.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688342137.000001AA09D9D000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000002.1690470228.000001AA09D7F000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688953295.000001AA09D72000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688481101.000001AA09DA0000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689983516.000001AA09D7C000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1689837022.000001AA09D76000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1687390844.000001AA09D6B000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000002.00000003.1688803710.000001AA09DCC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679820104.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678262675.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.digicert	run0796.exe, 00000000.00000003.1678587999.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.sectigo.com/	run0796.exe, 00000000.00000003.1681742787.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	run0796.exe, 00000000.00000003.1677944411.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677740906.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678031196.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682715900.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1682381381.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677849666.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1677629022.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681918413.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1683177471.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _lzma.pyd.0.dr, unicodedata.pyd.0.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	run0796.exe, 00000000.00000003.1681742787.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679696975.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680096274.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681612849.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678411716.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681552537.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678976772.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681487748.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679281369.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680723879.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681416886.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1678587999.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680647486.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1681675476.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679428367.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680805677.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679621455.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679919709.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1679107388.000002523F8F7000.00000004.00000020.00020000.00000000.sdmp, run0796.exe, 00000000.00000003.1680502072.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.openssl.org/H	run0796.exe, 00000000.00000003.1682202100.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	false	URL Reputation: safe	unknown
http://www.python.org/dev/peps/pep-0205/	run0796.exe, 00000000.00000003.1683564349.000002523F8EA000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	false	0%, Virustotal, Browse	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	run0796.exe, 00000002.00000002.1690879972.000001AA09DCE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1530692
Start date and time:	2024-10-10 12:02:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	run0796.exe
Detection:	SUS
Classification:	sus29.winEXE@4/51@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI64722\VCRUNTIME140.dll	SecuriteInfo.com.Trojan.Siggen29.42959.20394.9110.exe	Get hash	malicious	AsyncRAT, MicroClip, PureLog Stealer, RedLine	Browse
	PCUEAYj8Pj.exe	Get hash	malicious	AsyncRAT, MicroClip, PureLog Stealer, RedLine	Browse
	rD5Uox2mkB.exe	Get hash	malicious	AsyncRAT, MicroClip, PureLog Stealer, RedLine	Browse
	MtIILyYuxa.exe	Get hash	malicious	Unknown	Browse
	d2qKVXWmRI.exe	Get hash	malicious	Unknown	Browse
	2SSgZ5GqU5.exe	Get hash	malicious	AsyncRAT, MicroClip, PureLog Stealer, RedLine	Browse
	Google%20Chrome1.exe	Get hash	malicious	Unknown	Browse
	Chrome.exe	Get hash	malicious	Unknown	Browse
	mQcnqAaN5t.exe	Get hash	malicious	AsyncRAT, MicroClip, RedLine	Browse
	ZGxHXcufSf.exe	Get hash	malicious	AsyncRAT, MicroClip, PureLog Stealer, RedLine	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI64722\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	89752
Entropy (8bit):	6.5021374229557996
Encrypted:	false
SSDEEP:	1536:EFmmAQ77IPzHql9a2k+2v866Xc/0i+N1WtYil42TZiCvecbtjawN+o/J:EQmI+NnXertP42xvecbtjd+ox
MD5:	0E675D4A7A5B7CCD69013386793F68EB
SHA1:	6E5821DDD8FEA6681BDA4448816F39984A33596B
SHA-256:	BF5FF4603557C9959ACEC995653D052D9054AD4826DF967974EFD2F377C723D1
SHA-512:	CAE69A90F92936FEBDE67DACD6CE77647CB3B3ED82BB66463CD9047E90723F633AA2FC365489DE09FECDC510BE15808C183B12E6236B0893AF19633F6A670E66
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: SecuriteInfo.com.Trojan.Siggen29.42959.20394.9110.exe, Detection: malicious, Browse Filename: PCUEAYj8Pj.exe, Detection: malicious, Browse Filename: rD5Uox2mkB.exe, Detection: malicious, Browse Filename: MtIILyYuxa.exe, Detection: malicious, Browse Filename: d2qKVXWmRI.exe, Detection: malicious, Browse Filename: 2SSgZ5GqU5.exe, Detection: malicious, Browse Filename: Google%20Chrome1.exe, Detection: malicious, Browse Filename: Chrome.exe, Detection: malicious, Browse Filename: mQcnqAaN5t.exe, Detection: malicious, Browse Filename: ZGxHXcufSf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x.D.x.D.x.D..AD.x.D..=D.x.D.x.D.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx..E.x.Dx.QD.x.Dx..E.x.DRich.x.D........PE..d....}.Y.........." .........T...............................................`.......Y....`A........................................p...4............@.......0..(.... ...>...P..p.......8...........................@................................................text...$........................... ..`.rdata...6.......8..................@..@.data...0.... ......................@....pdata..(....0......................@..@.rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	46664
Entropy (8bit):	7.766447771155745
Encrypted:	false
SSDEEP:	768:J28BQFZi1JKUqxVB4VHOVp6Ej1JxETxcLon5A8DzApS0IG4VAyWDG4yTs:JHBQFZOJKNVB4VHOX6y1JxEtKon5A8BC
MD5:	12A39756E876304E73338EA4A103A22B
SHA1:	DFFDCCFE8310F823DBBB5CD8BE1E019EE47C518C
SHA-256:	FA2A5C074E47CD3348A243A3AD7C87BC60B4073ABFC320271D9BD083917AEA48
SHA-512:	5D99CC4D10A08B65A16CFBA43F795FAE0B62AB1F6C1BB1A8755A9B0F87F8DC44B3B9E306EFC8A50EBA9B9DBC433B483F7CD4A2C70CC4587EB1A85492ECA46488
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H.1.).b.).b.).b.Qib.).b.A.c.).bM.=b.).b.A.c.).b.A.c.).b.A.c.).bD@.c.).b.O.c.).b.).b.).bD@.c.).bD@.c.).bD@.b.).bD@.c.).bRich.).b................PE..d.....].........." ................@.....................................................`.........................................X...H......\|............@..(...................................................@...............................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.10.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64722\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27720
Entropy (8bit):	7.442566826937686
Encrypted:	false
SSDEEP:	384:lnwXNQJMrltGDXzMv7YGY6h/77QZa7gJXePIGsI9lnYPLxDG4y86x+:hwMMJsrAvkKDkpuPIGsI9lWDG4yw
MD5:	C7BDD28CD1246C357E437B30F9A9ED5F
SHA1:	A12BC40EB8C2CE7F612F7C3EBBBB367E556D5E92
SHA-256:	D346215EB358F5998518A24C67C830D1AB1B42D522BE70B3111FD42405BBB615
SHA-512:	15CA6B93EE9ABB2D9CAB76C50480D3BFB4DD395A5E7EABB9969B38B62CF82FE6AF01705163CD5C018D4AE1DAC159FB7E1848CE1AEFC5C052AAF627D8A275D6FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2..&v.uv.uv.u...ur.u$..tt.u$..t}.u$..t~.u$..tt.u...tt.u.ts.uv.u..u.tw.u.tw.u.iuw.u.tw.uRichv.u................PE..d.....].........." .....@................................................................`.............................................P...........................................................................................................................UPX0....................................UPX1.....@.......@..................@....rsrc................D..............@......................................................................................................................................................................................................................................................................................................................................................4.10.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64722\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83528
Entropy (8bit):	7.912413306742412
Encrypted:	false
SSDEEP:	1536:DH927ZDiyANpqVkxHz+aHhcC1WfV357JKjN/a9hGlBt5pZD0RkRgXwek0E8ZSIGL:DC5eqVEHiaHhcC1Wf7Jk6h8lPRgO/8AR
MD5:	7C60B9680A1D2D78AD86BCBAC9E10092
SHA1:	DC5A5FDD085980AD638E11C612FB505266E09D0D
SHA-256:	128A9C2E1C3219A68DF34F9D179B58B45DA6C9436E57F6C2503CB5EF74DCBBF5
SHA-512:	CF3E33BF032688D5A2EE132077A2CA9D9FB274F3979AA195801570D726B6F8B86CA6C646C2076446860349FBCDE32BB9D30E04733B890E80B05A709348CCACC0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0d..^7..^7..^7..7..^7.._6..^7..[6..^7..Z6..^7..]6..^7Q._6..^7.._6..^7.._7..^7Q.S6..^7Q.^6..^7Q..7..^7Q.\6..^7Rich..^7........PE..d.....].........." ..... ...................................................@............`.........................................t;..L....9.......0.......................;.......................................)..............................................UPX0....................................UPX1..... ..........................@....rsrc........0....... ..............@..............................................................................................................................................................................................................................................................................................................................................................4.10.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64722\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	40008
Entropy (8bit):	7.6732513003349245
Encrypted:	false
SSDEEP:	768:7besQa2/aonoXQH73hWmH646oOjcpwOhIGVwwgxWDG4yMPbi:7besQlnoI8ma4CjXOhIGVwwgsyMPbi
MD5:	80E1228E13CE851C468A32CDADE03737
SHA1:	C1944A2813E1A650E3F96B79A8CEB3394142B078
SHA-256:	70CC97D25C93225E53AA6A8766E3E395EE8463D24EC9718974953EE1B48500FF
SHA-512:	5C4865A5A56A2A1367C55474EE356786F56EEB4F00810747FFB3373C1F4DD237C1CF2D9AF2162EF0FFCACEF4A4B3F2C486ECF2E941F88CF61586FFC826211876
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........1..._..._..._....._...^.._...Z..._...[..._...\.._.a.^.._...^.._...^.B._.a.R..._.a._..._.a..._.a.]..._.Rich.._.................PE..d.....].........." .....p..........pq....................................................`............................................P....................0..............8........................................}..............................................UPX0....................................UPX1.....p.......p..................@....rsrc................t..............@......................................................................................................................................................................................................................................................................................................................................................4.10.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64722\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	50760
Entropy (8bit):	7.790116886875569
Encrypted:	false
SSDEEP:	1536:sbZuwAYgwyBiwFjMLot/OsfHjQIG47AK2yX:st12wyEa+oMqcIG47Au
MD5:	D899804D511B77AC0236C52390E84E57
SHA1:	6B117E58E03C52DC15D6B1B15BF07DB3912FAD75
SHA-256:	630A3CBF877DE5A0DD42FB9787F905A0186797D6E256E9FE0D2B00608A62556F
SHA-512:	FBF22E76BD80ADB49819B75890B2E7B2AA6F55FA5D67AD54419237D535DAF85298768904C25B6C28DAFE2138FFC5A48C9C4D6C6514DC229169BF7373EEC39A17
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0.u.0.u.0.u.9...6.u.b.t.2.u.b.p.<.u.b.q.8.u.b.v.2.u..t.6.u.U.t.7.u.0.t.C.u..x.2.u..u.1.u...1.u..w.1.u.Rich0.u.........PE..d.....].........." .................+.......................................P............`..........................................L..d....I.......@.......................M.......................................7..............................................UPX0....................................UPX1................................@....rsrc........@......................@..............................................................................................................................................................................................................................................................................................................................................................4.10.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	7.0174155073545235
Encrypted:	false
SSDEEP:	384:2W1hWtiU8JIYiaHZ8ZpH3GCJEJsyxl2rgk/:Ns1YiQZiRBEa03k/
MD5:	2E4F85267E771160C79FB0287B8B8EF0
SHA1:	7559CFAA8B3318B766A60D88F4864F39BD0FBFC4
SHA-256:	08CEAAC727149A83B78A3EA89DED1B502D2C85EE096342466B17DF945D4FBA6C
SHA-512:	B0B2A50F80192D9706D2159682425916F28257BB8699CC48466A0A086E7CE4D13684419B010909617B140DE41173752CB7604F6ACB8F221704AC980744872D40
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d................." .........................................................0.......h....`.........................................`...,............ ...................)..............T............................................................................rdata..,...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13704
Entropy (8bit):	7.032822365507646
Encrypted:	false
SSDEEP:	192:2UW1hWaUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfRayHv+JEXD:TW1hWaU8JIYiaHZ8ZpH3GCJEJayP+JEz
MD5:	7F8835ACCA566B2FADF1206A5AE9D218
SHA1:	90117F6D1EB7520E6EE90DE5DFF3F7FEE7F8C188
SHA-256:	F1B65C3E9FB6957DBE07481802B57D737EC9FC2A0797F9C4A9BFB13A5BAA46E0
SHA-512:	055A18B3EE0FD661ADBF19411F6287B333953680FCB724D16A22D370054D965990031AFDEE0F6CBCEFEED9CA790BC0F9BBBA177D7D741A369E0F5ACB064682C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d....F.L.........." .........................................................0............`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13704
Entropy (8bit):	7.034051679366827
Encrypted:	false
SSDEEP:	192:+W1hWyUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfRqykNBtFLEcj:+W1hWyU8JIYiaHZ8ZpH3GCJEJqykhFhj
MD5:	8275A559C686E8DC47687CA0F7ABA0BA
SHA1:	5ABD66FDA7CA16EBA90ABBE6ED0C9185F67A12A3
SHA-256:	0AD4310AA13F99B7682D43037AF781A5734D4EC566EADBE19D3AD166BFE50B39
SHA-512:	E4E217BD5246B0AC7053EE1CBFC08BE5DD07AC679D6F65AE4979E1E23D125D15E8ECCCD39C43800D8DE6DBFD5544159B773F1A97AB14C96D48C1DC3CC07209E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d....C............" .........................................................0.......<....`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13704
Entropy (8bit):	7.081752607443639
Encrypted:	false
SSDEEP:	384:dBLW1hWHU8JIYiaHZ8ZpH3GCJEJQOxyIVorVoR:dBOrYiQZiRBEJcO
MD5:	638C989141351C85D1CC0B334AB687EE
SHA1:	8B8DB99B0BBACEC6BE96CEBC19947C280646483E
SHA-256:	49DF60FDE25C4D8124EFED8056DB6445BC01A9F2541B1770E8FAEEFB2EF71313
SHA-512:	8C583C868246A39C727DB23680E40D4C20D1C9C01C79CC440DB52521CFA8F3FF11B81BFC3C5764F1980D56DB1CF6A15FFBF6AF7C4428FB060B9270546CE638E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d.....Z..........." .........................................................0......0.....`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17288
Entropy (8bit):	6.918526561976521
Encrypted:	false
SSDEEP:	384:6BPvVXcW1hW0OU8JIYiaHZ8ZpH3GCJEJbyYcFZz:aPvVX/xxYiQZiRBE9xE
MD5:	2E4988944E2E96EBD5387A1A4DC9E880
SHA1:	E991423D119E0E457C1D278664BEBAFC20E239C6
SHA-256:	7E3B1CE81E2DC0BA3E725C836765FD9552D5969EAFDB9E3269FE18C56F3F8039
SHA-512:	9E3930AA9B016596E4A0DF9ADFD85A2BE52A07F32A42339F503CE5D052CFEA8F3EF6A7B27A6DBC3AD8E7F1A9FFC171A6D7AA9C37194A51B1F1C4B3CB0EC78E56
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d....Q............" .........................................................@............`.........................................`................0...................)..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13704
Entropy (8bit):	7.051877537322967
Encrypted:	false
SSDEEP:	384:SW1hWnU8JIYiaHZ8ZpH3GCJEJCyZAVjf/f7y:BXYiQZiRBEMqiPO
MD5:	C0A08223267DCA75CC2B59D44D58F7BD
SHA1:	BC78B24084E11A8A81976F65B2C6AC51FEE0AD6D
SHA-256:	7F7AA25F8CF3A6AD223075158FFADECDBB2113F199E78BD96C90E59575C02533
SHA-512:	CE78534E2F022806093547DCA1A46995AC9677BC05AAA41718A91B2B68A8EFD30E0612A721C4E8E0A4E5ABCE558BB7A6E24A5430B74885D770A5119293B3B145
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...,,.W.........." .........................................................0.......N....`.........................................`...L............ ...................)..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13704
Entropy (8bit):	7.140886801110957
Encrypted:	false
SSDEEP:	384:eVrW1hWpU8JIYiaHZ8ZpH3GCJEJHyRQP5:eVuZYiQZiRBEB6+
MD5:	756D1BCE2C2FC7E527E48247FD8B3EF4
SHA1:	66B26444D249277BBAED0D7F487618795FE91EF4
SHA-256:	11A86EDC5CA1D6A83C1D8709F8C3E69D9A1FF763BA85FECD49ADB6647BA0E9A5
SHA-512:	78E5BB42CE8CFF66F0E58D865FAED881D1B9214CA1470276BEEB0A7810D5926776E0121F5DBBD7A7F01D0B5ED0A8C0EC57112FCD6FDD45D7A19F39311A2469AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...4.F>.........." .........................................................0............`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13704
Entropy (8bit):	7.055329601565526
Encrypted:	false
SSDEEP:	384:8W1hWoCU8JIYiaHZ8ZpH3GCJEJ9y2lP/RG:fBYiQZiRBEbDRG
MD5:	D574549183528054B01BE86B96F21826
SHA1:	AD3BAEC43159A73F88BA8D922286A0F04F40F746
SHA-256:	1E08E1CAFC2814E5FDF5DE72D5E4094B1473D48D79F56341D032778D13E0E9B1
SHA-512:	DDB7EB111B988D7F26CBE1A0EE326CD2AC49C9A8E7024D23F601E0EBAE2FF1E1CCA494934F2DC36646436315EF9985CC3BC4CFB3AD5827CC302E4B24B5CBE8EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d.....QN.........." .........................................................0......H.....`.........................................`...`............ ...................)..............T............................................................................rdata..`...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	7.007995972954854
Encrypted:	false
SSDEEP:	384:vlgW1hWPU8JIYiaHZ8ZpH3GCJEJXyrkI57:RTYiQZiRBE1Y57
MD5:	9445CAC9CEA53F7A2BFEBF5670D48EB6
SHA1:	128D651F49795A7A4A52697AFBE4A9E46571D7F6
SHA-256:	9588879E9405008D3D87E8EC69ECF651C8C72090E0465F07D6D722BA926F8799
SHA-512:	83D6FEB29EE16BE0289D6CFC89E71F2D743C84B3BD66ED207F5804C37BBBC13FA911E7D0C2239D0D90E375B43D3170B948DA70F26563352D672F6C3FD95E25CE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...T.*..........." .........................................................0............`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13704
Entropy (8bit):	7.0688980162141535
Encrypted:	false
SSDEEP:	384:dW1hWMU8JIYiaHZ8ZpH3GCJEJBy9K15qv9:0uYiQZiRBE/95M
MD5:	B446188BB09EB290BC91E41129BBAD4B
SHA1:	C38A367662C3C9FDA1A701BF15C376BF48442134
SHA-256:	1CB26D221450861DEEB6C02090CAD937DA106C08C9B07D20A52B4A40C4063D7A
SHA-512:	F682AA8783C91C1322DB6C350A4098D24EE8AFF279B81A99AAC488242AADBEB1C994ECB033C82A19364DFE1BFD978E186476D70376C48EAA5BAD8C526921AA0E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...3Qb..........." .........................................................0......,.....`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	7.001273656167035
Encrypted:	false
SSDEEP:	384:uvuBL3BYW1hW+U8JIYiaHZ8ZpH3GCJEJOydabfOhyV:JBL3BTMYiQZiRBEM2bq
MD5:	BC94AEA23DFF7CFDD61809EFB9D6B1FA
SHA1:	2521909A838941BB7B1AFFCCA3B17BEAF7B3E659
SHA-256:	B7E392B2014AAA72F2C7CC40F879148B529F91138F0D9A858C6337C475EAD3E2
SHA-512:	94F5C2FAE37F6D8A9A6DAFE579384A8B96647E3CAAC1EF1035D4F42AA81B3141C5865532FF1CDCA6C690C06977365D2B68E806EC3F29EA6E680BDEEFB680F0D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...:............." .........................................................0......Ie....`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16264
Entropy (8bit):	7.034177404129586
Encrypted:	false
SSDEEP:	384:YOMw3zdp3bwjGjue9/0jCRrndb6kW1hWsU8JIYiaHZ8ZpH3GCJEJNyV4i+:YOMwBprwjGjue9/0jCRrndb0uYiQZiRc
MD5:	946B6834271543C2BF51EC8844AA5253
SHA1:	69017DADF33E099DA04350C2733479759D5A8CAE
SHA-256:	9D4CAEF81CFA17A92D17F4F412BEC75F02C3F36C746C3736374F1BC51CE17154
SHA-512:	B8BF7D3CAC6620BB6985E374B7C676AB69401C552D15AD80E527BC791D8DA73EEA5C5F78CF6DA6A20640CE5A63349370C30E2560A0DAAE8CE4382F1AD39D939C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d.....=X.........." .........................................................0......-.....`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	7.040938441057245
Encrypted:	false
SSDEEP:	384:U8W1hWjU8JIYiaHZ8ZpH3GCJEJXyY3eBT:wLYiQZiRBElQ
MD5:	939FFD71556467880A01D5A950CDE068
SHA1:	EE6ABCAAAEA9FB7919B3D5AA38670AF5317200AE
SHA-256:	7D8457E28D11F53D79350F0656188D49042AEA094A8A032F8BEC7B65FBF805EE
SHA-512:	7CD6C401EB8580657D34B5F911994FF13910D3D8D510E5ED2237C8FF820902A0126896B0D9500502101568305E9B427997F6D91DA4CD578E45FF12360157A059
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d....`Z.........." .........................................................0......_K....`.........................................`...l............ ...................)..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13704
Entropy (8bit):	7.140061654923134
Encrypted:	false
SSDEEP:	384:OW1hWsU8JIYiaHZ8ZpH3GCJEJjyB40Nox:FKYiQZiRBEBc43x
MD5:	24FE695EA91DEB28BD52DFC179AC75F2
SHA1:	DE228486DD783D6CF545C5260C2CE4C4102AEC02
SHA-256:	7488EB051A42E3F5C11D3F6083D9F5805A35B086600C63885CC8FE6AFAE9CBF9
SHA-512:	9A461ABF91EF85520811ADEFBF160B7EA4A9338BE54221A57A990806C4882D2109DD450798AA3D21C3F940FDAC1AD3A1B6A0E0922BBF5E727C0981AC3572CF34
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...h..&.........." .........................................................0......7.....`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	7.008102795229075
Encrypted:	false
SSDEEP:	384:5nW1hW8U8JIYiaHZ8ZpH3GCJEJxyQAHeFCj:EqYiQZiRBErZCj
MD5:	52BD42F710986A76F6F23BC90C1DC9BA
SHA1:	7D6CADC05343B33C1D1B745E2CFDC0E21BC0FCE1
SHA-256:	59EC9C2494ECF3BA1AFCAE6D3EDDF4BE08E8AA307F723BBF8731F673171587A2
SHA-512:	F76EDB0D15243DCC1CE5C350E3E4000D7C690B2B28FD714B64968E5487242ADC48EFCD4C669A91956C597D858829891910E34C59DCC5CBE312C3AE90E62D2B38
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...+;P..........." .........................................................0............`.........................................`...H............ ...................)..............T............................................................................rdata..T...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15752
Entropy (8bit):	7.03942394566338
Encrypted:	false
SSDEEP:	384:tWXk1JzNcKSIXW1hWWU8JIYiaHZ8ZpH3GCJEJAyL5xbx:tbcKSbcYiQZiRBEq45f
MD5:	3ECC10492EE3440C642ADCCE55E97305
SHA1:	ADC4096F472799802A6050CB4ADDF13BB3E5D63C
SHA-256:	381140052908FB4F3932CAF5199ABA971E7FCFFA8970FEF80EACEEAFE9404F1D
SHA-512:	2F287482FA5A6891B829E4EE3DB7E48682829FD4E8F3EE9007C0FFA8025B41CEE3F0E1B1AF96AB09CE5A7044905703AC41E4243FBCF37D6F62B21CFC6AE98D4B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...m..c.........." .........................................................0......*.....`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	7.070502240135819
Encrypted:	false
SSDEEP:	384:gtgDfIeFrW1hWvU8JIYiaHZ8ZpH3GCJEJyybVxvh:gpeFuzYiQZiRBE46
MD5:	4EFC47CA2D7CCD126D48EF7D1215CB3B
SHA1:	1071B4606191D294851EB61B3674CD65E5B7AECA
SHA-256:	F898B6033ED993A1D83D095BEFA6F045E8823D13469000D755496EC2FF5CC50F
SHA-512:	C8BCB3E890D10FF5902B233BCE8F1CE277E0BF9FCD1F38F7F91F0D2F6A9B3D039016914D44CD860EA8A05D50AF048FB2F60E5848B3FDF056785C7CF8694E0521
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d................." .........................................................0............`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13192
Entropy (8bit):	7.180492022182741
Encrypted:	false
SSDEEP:	384:2yW1hWtU8JIYiaHZ8ZpH3GCJEJiyiXeAF5u:yxYiQZiRBEAdXu
MD5:	DAC9191D1E48D2568119CF3CE39CEDBC
SHA1:	C8EFE6483BAD06AA2CC0C6065D2B1A039D6496E7
SHA-256:	FA05D571233A4BC85637FEE7ED84566E82B99F7E9A435C0B395B231A369B3F15
SHA-512:	5196FBA0D42B4B9063F5427BD13BD451AAC089A850B31CF8B7509640FC11A7D7A68098EE77E2ECDB6198A4BF2EE709A04C3C0A5AE3591E29F19FF013E1DF31AF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...kl^w.........." .........................................................0.......?....`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	7.019072129784289
Encrypted:	false
SSDEEP:	384:fGeVWW1hWqU8JIYiaHZ8ZpH3GCJEJSyt+t5BW:fGeVtYYiQZiRBEcEOBW
MD5:	F738C1AAC72D288F5C43253A7FE9A501
SHA1:	A0B9E067DB9CB136EE0D7BAB2DF3F0555D4E079C
SHA-256:	B1FA37183D4CA19DD526F642BCFECF7F9854A763041A7C5B45F9827E2D693AF8
SHA-512:	6672C0579E5C8041CAAE66B442C6ED891954195AE91EFE139E9CB75E2184750DC0B2FF0995376F668C163E9917845C08B5C852101FC91346B4C5E71AA35952B9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...9..\.........." .........................................................0......f=....`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13704
Entropy (8bit):	7.093533659456731
Encrypted:	false
SSDEEP:	384:RyMvxW1hWKU8JIYiaHZ8ZpH3GCJEJ8yeIBuLzbwY:RyMvgUYiQZiRBE+TI0LHf
MD5:	EBA0EC61E69A01EBE32926D84E571D87
SHA1:	57D6F7E348619972156EA4CC42E9DF019256E8D4
SHA-256:	7D61724110CA87A13FF774B58A08312CCF6F99BF91970CF831DED4708C6DF0B9
SHA-512:	E45E492AC039DED781C5311FD1A4288E9A50EAA4EDC0BCA9A7E689C7D7C84D7BB58D7460311EB375ADE7ABD46B070F1EF8DF479B31919F9F322307C7595D9FAD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...c`.g.........." .........................................................0...........`.........................................`................ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15752
Entropy (8bit):	6.9628818101862855
Encrypted:	false
SSDEEP:	384:Kdv3V0dfpkXc0vVaRW1hWRU8JIYiaHZ8ZpH3GCJEJdyxte5019f:Kdv3VqpkXc0vVaAJYiQZiRBEzctea
MD5:	ADD6DFC26F77127C05357850EFB0F7CF
SHA1:	B716ED833239143169A5E5297A7DAB53926647CE
SHA-256:	EE7528903491E96828860C881826E7C0CB605E8E0C3DC2B52EE69B63F454BBAF
SHA-512:	8B14D52EFF6A938D63E6DB2F64E57488EC1C76B6447332E3527601A74A5564D6682129FF1F39263A23DD2D15C261AFFF4573A9BBC36D8D053D20A8BA7745E85B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d................." .........................................................0............`.........................................`...X............ ...................)..............T............................................................................rdata..X...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	7.104365323176682
Encrypted:	false
SSDEEP:	384:ltZ3mW1hWOU8JIYiaHZ8ZpH3GCJEJDy4pW/:T8YiQZiRBEBt0
MD5:	D7D14C6422E373F626CEEEC6D04E9432
SHA1:	A30132FCC2BBAB9090870EA5E3E329D342C4CFA2
SHA-256:	04DF3969C51EBB1A05CED4DDB9F780D36B26ADBF5D538800BDC5B2D101782504
SHA-512:	D4195F95AEEE8C2AFAEEAA4E609749F4FA2311EC7F9AFEE21C9634D955A62C91D57B55FE21472DF60FBE1E5F0D541809674A52ACBDCD0BC599472565B4482692
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d......&.........." .........................................................0......P%....`.........................................`...x............ ...................)..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	7.012830447421948
Encrypted:	false
SSDEEP:	192:gdKIMF8XW1hWiUSwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfRFNyuZawbt:kZXW1hWiU8JIYiaHZ8ZpH3GCJEJ3y6aq
MD5:	D4413B906754781A1B809F9FA350221E
SHA1:	8833348041339BE62811CCD7C04F43EB0731D299
SHA-256:	E7995096AF5BD5A84FE82FACF91B028771EF069618BE566F1FB27854E277A190
SHA-512:	A7DB754A1E314368F7487B016564E1D52773760139BD36F2BA6890B4B87BB404BFA54A0A3E7F43EB0AF828247064AAA13D496E53DE48C7AF37AF042ACE2874E5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...B............." .........................................................0......,.....`.........................................`...H............ ...................)..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	7.100845640207154
Encrypted:	false
SSDEEP:	384:tW1hWBU8JIYiaHZ8ZpH3GCJEJ9yGRO6VTh:kRYiQZiRBEfPbTh
MD5:	B47EBDD6D53056C8F47766952EA44D1D
SHA1:	7E687C1F75205AE7154A03D7A07AD8B2E3962432
SHA-256:	73CEAAA0C05AA62F8629AB074EECE8096F2069C772677763C0D85DBF58B06A4D
SHA-512:	C1517A5CF5A58BE9D5CC6B35BFB66D63FAFDAA18F62F74A29F1D50FB36261676C00EBA6C33F4CAC545908EC4D998163FC7F8D59397E5EC044A3284EFB612B8B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...)3............" .........................................................0.......[....`.........................................`...H............ ...................)..............T............................................................................rdata..H...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13704
Entropy (8bit):	7.041628815802477
Encrypted:	false
SSDEEP:	384:AVGW1hWLU8JIYiaHZ8ZpH3GCJEJqySABdrv4:ODYiQZiRBEsVQ4
MD5:	86C75E0E3C5781D4DE4CF48BBE3BB9AD
SHA1:	D32E069FD55D410C50E7F31BB5CE5490385D994D
SHA-256:	DB56D1B11DB5F697556EE5CB1A2D03054765881C7DB0081A455B538BD8C75B64
SHA-512:	1991019CAB00961A0180115D3F0CD68390BF29D4A733F2E47A56009A33DF48BA450FF49C2E418A1516ABFFC9F968DB560180B822B8135FB186487994E2314E01
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d....8d..........." .........................................................0.......0....`.........................................`...<............ ...................)..............T............................................................................rdata..8...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	7.042768887277326
Encrypted:	false
SSDEEP:	384:v1W1hW1U8JIYiaHZ8ZpH3GCJEJCuyDvy0:vMlYiQZiRBEouC
MD5:	99405A36355336A5B0FC2D38976FBE34
SHA1:	613C9A4FAB9E18AE5C1C0BC35635A339F4175B2B
SHA-256:	F3FDDFD86FB29A50D2BE19045F730A7A0D5150E002E8D0BB761383D6927CB017
SHA-512:	0A4E126B4F39EF66FBB029F7D251FBFF8D41294386D91A603777440CCE389C9D1857E434E5E5C3067907F92C18D01FDAA62F481944E2878F9A5DD940B40BD96C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d....G.#.........." .........................................................0.......R....`.......................................................... ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17800
Entropy (8bit):	6.819176073659551
Encrypted:	false
SSDEEP:	384:xuyhW1hWtU8JIYiaHZ8ZpH3GCJEJTyxRnV:cBYiQZiRBE9w7
MD5:	AFA92B4501D50A4A8842907321D24A3A
SHA1:	B7E54E28AA92BA8A2291F823675249BEEE34ACAB
SHA-256:	441D48DE10554574382AAEC90F4319024CC4B420FC9C7C46F6E55B69EAF0389D
SHA-512:	4DC29AADEDDCBE5A2B9E4C4CF501D08C5A7BCB2F7636691C64A1EFFDBE06822CFB37EF77D181EA9D151A36787E364258E0C25027F695A3BA819931B545752B53
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d.....(j.........." .........................................................@............`..........................................................0...................)..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	7.016802714034603
Encrypted:	false
SSDEEP:	192:vfW1hW9USwv7s8jtGBIYiYF8oDbnPZ2oEhZnpH3GCwgEfRAybgVuQERc:vfW1hW9U8JIYiaHZ8ZpH3GCJEJAyEVj
MD5:	E0678146732234884E297D122B77A379
SHA1:	51355978B28A14093BEDF854C3EB327F81E35D49
SHA-256:	C530E82229B653283AA26DC6E4A9FBDCCA94FB2AA9009229287FA4D14D88B33E
SHA-512:	E85D4581D7D36B8D4FF68BC735929228F454E6ECEB4518063C9A7C45A3862F59D2F89367D7D1FB03AA1BD982F2F5E206A508C7ED06AB5073DA945CEE90AF612F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d................" .........................................................0............`............................................."............ ...................)..............T............................................................................rdata..2...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15752
Entropy (8bit):	7.0276418307282205
Encrypted:	false
SSDEEP:	384:uq6nWm5CZW1hWFU8JIYiaHZ8ZpH3GCJEJeyHwVeU/:P6nWm5CIhYiQZiRBEoawZ/
MD5:	59F114FCAEE18D121A9157A4FBF5CD63
SHA1:	FFB167BD1A99BF03F0AD3055B011410EE26912E1
SHA-256:	35762CA49FFB0601F452506FCA8159833A836AAB2998C043DA26CEA129B2E0CC
SHA-512:	644A173FDB4EA9906311FEB704106D0A138032804C173B9AC9E7E0FA4D6E0A12489AA58C9B59CC25702A312B70F4EE738152D76A79D5D184A5357875D1535675
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...#..j.........." .........................................................0............`.......................................................... ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	6.985174652816443
Encrypted:	false
SSDEEP:	384:wY3eBW1hWaU8JIYiaHZ8ZpH3GCJEJ5ye/F2s:IQoYiQZiRBEvP1
MD5:	A296F161BC462CF5CBAC3DB1DE896152
SHA1:	2AA2866487F092F314C3980112D188BB67FEAEBB
SHA-256:	EE2477890551192E1FFDED00B7F52691555257362CA5BE98A885E7563B5A9D8F
SHA-512:	35D1D340123AAF7C4BFAC602D3162E8D05839C18A76190176882E846927C960274B24AC688BDAFCCE795AB427A813E9A1E36BFC3C9F9E1C88AFE2CD6236E5D26
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d.....#..........." .........................................................0............`.......................................................... ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	7.101054839961238
Encrypted:	false
SSDEEP:	384:+W1hWSU8JIYiaHZ8ZpH3GCJEJjVyaW+x9a:VEYiQZiRBE/0
MD5:	F1D3B8FABC8E3F5D2EE1AF7B96DC2AB1
SHA1:	ADD58C250C4737F83CAA07B5CB4E5BAE7AC463CF
SHA-256:	2D6F62541D5A998BA096655D5E9FADBB256AAD1DD4EC6811089ED5DFC2FC2996
SHA-512:	C9543C74723F7F321AB7BE4C16CD508E19EB987DBAAA9AE436CB2F22FD828097CA4FA332B1DF976692FC49794F19F6525B591FE03E81D1E3FE395C499FD16A42
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d................" .........................................................0.......e....`.............................................e............ ...................)..............T............................................................................rdata..u...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22920
Entropy (8bit):	6.546685862284554
Encrypted:	false
SSDEEP:	384:TQUbM4Oe59Ckb1hgmLNW1hW4U8JIYiaHZ8ZpH3GCJEJiylpd8vYiE:TRMq59Bb1jECYiQZiRBEMm/
MD5:	BBB079B564E6370524F79B95B3D18FCB
SHA1:	978DB6F13EF785AD9BBDE8B078B7F3247736EAC5
SHA-256:	F4709F4CE42DA18A012A5EA643172EE31BA42058D8FA53E1089E9D4D57043522
SHA-512:	BD04D57AF9EF0ED86605374B842C207DFE860BE2FCE7EE2FDE276457148A7D8AF58CEA5939DC4A7A91816ADEC40808244F96F139015CA4CCC671B160DD3AD851
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...+H............" .........,...............................................P.......W....`..............................................%...........@...............0...)..............T............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14728
Entropy (8bit):	7.005157499664524
Encrypted:	false
SSDEEP:	384:QSKwW1hW6U8JIYiaHZ8ZpH3GCJEJoPy7bvNUYH:QjIYiQZiRBEWPQbbH
MD5:	7EB5E7F8F7330FBE45D84591838B48FA
SHA1:	D3173386725A755B4451242AAA09086FC8714A5D
SHA-256:	E787441815B9A2B04363C4394CFB459451803C9EC8EEBF3942CB2A1C6B86D9A7
SHA-512:	070315BF2521625014C98749F35E264B1DF53F28835D31945694B5DD4C261CBEBD22B2574FC0D69ED6F881EEC26B2E6E0FED6DD8907152B8ED360448881AC51E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...*j............" .........................................................0............`.............................................x............ ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18312
Entropy (8bit):	6.82111186841236
Encrypted:	false
SSDEEP:	384:ZtYr7zW1hWnU8JIYiaHZ8ZpH3GCJEJtyl4mJ:Zmr7WnYiQZiRBELy
MD5:	0996C0C41555C946131F35D3F94AE9E2
SHA1:	3B79B0F59F908E24C1886EEC882C892681087AB5
SHA-256:	AB5FC13C6B5332677DA685A6C5218217169BCD8DE8926575A4EC8C933816105A
SHA-512:	5ED3D7B53B8807119ACCE1370CC50F3B59CE2EEE3B8595CBC0277ADF5D4709E9105E156E70241495577E00D9D8A977238E17CED09DE871387AB9A171B7179C51
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d....V.4.........." .........................................................@............`.............................................4............0...................)..............T............................................................................rdata..D...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19848
Entropy (8bit):	6.753649746969567
Encrypted:	false
SSDEEP:	384:0ZpFVhHW1hWeU8JIYiaHZ8ZpH3GCJEJoymuLH2n:oowYiQZiRBEiT
MD5:	62B2BC705F6885B97E66F1A5874C19C3
SHA1:	413A1F93046E810BCEE37E92997BE254B6D0F827
SHA-256:	C14B49BCAE64A7F378BDF7ED1967D6BA203107D5500D183F4079ADEB76D4F22C
SHA-512:	417DCC39CFD6F773EDA02B2B1EE4C9042F297A7B2E66CBC45415F07D58179C05D86F055AAFC824131C7F5973C5E3955763546133378009ADB367FE6B1E5E25D7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d....Z?..........." ......... ...............................................@......c6....`.............................................a............0...............$...)..............T............................................................................rdata..a...........................@..@.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19848
Entropy (8bit):	6.7355545537163195
Encrypted:	false
SSDEEP:	384:CiFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlbW1hWlU8JIYiaHZ8ZpH3GCJEJPyampS:C6S5yguNvZ5VQgx3SbwA71IkFhlYiQZH
MD5:	E9501EFF2A537703BB135497135CCA30
SHA1:	F1ED4C82EC2E10BE0CA0D7CE0DCB006DF1843AA6
SHA-256:	40F4176481C7F3733A04577211CB519B4C35AAE943E166471A33D3A83807F712
SHA-512:	CFA272F9966259920CF515E928A8459980C71BFEDDBBC93C0A8744D29FB9D25A20298435EEC6355463DFE9DED3F44C04668866EDD556E8BAD67736F177322BA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...\|P=z.........." ......... ...............................................@......vE....`..........................................................0...............$...)..............T............................................................................rdata..............................@..@.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16264
Entropy (8bit):	6.926731414512969
Encrypted:	false
SSDEEP:	384:EUW1hWLU8JIYiaHZ8ZpH3GCJEJYyDPASn:ojYiQZiRBEmi
MD5:	F0CEAF5FF74A71E3372704C21D9CC035
SHA1:	4E30B432569656ECB88D2DEB3D4EB800797F9C6D
SHA-256:	2CF3736B625FD897BBFAA5F28F3A5B723D7EBF04B88B01899DEF99BC864B127B
SHA-512:	0450A1E61FBC0DFDB515AFD3FA6B08CE382DC095E0EA3CB30E90D7A7F98FBF597E2D8CE412A49DEB1B04EB896558B244B6238FB4874DA819885FFC966154F115
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d................" .........................................................0......Y.....`.......................................................... ...................)..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14216
Entropy (8bit):	7.088393037131793
Encrypted:	false
SSDEEP:	384:/fVW1hWbU8JIYiaHZ8ZpH3GCJEJByo2E0is:/fsDYiQZiRBEDlrs
MD5:	45262442DFB0743389F390146AFC75FF
SHA1:	5BE66BDB1D00F4EBAD7EAFD67FAC2C13E299991A
SHA-256:	61EBF1F0263A91EAC9531E556588132F145A448AF57D481D462B09936A600A85
SHA-512:	5CC7E61BDC13A0EAFADCBAEBC7322AE1B0B4A47C57791D372A34DAF01AEBEC99F2B651322EE1C875EC3881452B43A800C89F9AD32D38F8DA8FC06DDF1EFF14A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d..............." .........................................................0............`.............................................^............ ...................)..............T............................................................................rdata..n...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\base_library.zip

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1028082
Entropy (8bit):	5.501416218831693
Encrypted:	false
SSDEEP:	24576:fhidpNtosQNRs54PK4IMoVw59bfCEzXxTPEo0nR32x:fhidpNtosQNRs54PK4IM9pTPp01C
MD5:	712AF246B95197C33BA75746FDBAE9E8
SHA1:	6762F1B0B70DC522AAEE5FE957F2926393F07D7A
SHA-256:	80B065F3DA13ED055DF355AA8B894368A28984500AF5FC485F9BDE8623FE29D0
SHA-512:	770BACAADDC6225B6ED2B47DD51D5D07C6A1D05267978444F6959196967A4FD47AA2B5194C7433407E35CF4E52E1FCD90FEDF2BCE8905F6409C7CB8C3A98622D
Malicious:	false
Preview:	PK..........!...7............._bootlocale.pycU....................................@....z...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.\|...\|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...\|.r.t...t.j.j.r.d.S.t...t.j...}.\|.s2t.j.d.k.r2d.}.\|.S.).Nr......darwin....A

C:\Users\user\AppData\Local\Temp\_MEI64722\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1165344
Entropy (8bit):	7.943154860736068
Encrypted:	false
SSDEEP:	24576:mQ1eNb4trV08LfYeMAmnZsMr9BPiNvkNW6Azoa8nuBU9QnC7jHvSZyPEpBY1CPw2:24tJieHmZhZBP+kN8zYuBU9QC7jaMPLo
MD5:	E6E16EC7D018DA9F6C3617CC6047B76D
SHA1:	4B247D528AF85CB2815526E15A1E74BFDECD8BE7
SHA-256:	6C0F5D7EB4BF14CD1B08935728E2847BAC0710ADB53CCF898FE4D7AE088370D7
SHA-512:	7774B07A6847EBEE8B0AE39C1D3EB35C7D68B7D602CC9A7D1CE6CCF9BD52D1570183DE96FD9305E6CA85B48CAEF67DF0FD9A9EDC790B094B3C69BA1540467D95
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3...3...3...K...3..[...3..[...3..[...3..[...3..U...3...3..{3..qZ...3..qZ..1..qZ...3..qZf..3..qZ...3..Rich.3..................PE..d....k.].........." ..............$.@d4...$...................................6...........`......................................... .4.D.....4.h.....4.......1.............d.6......................................p4.............................................UPX0......$.............................UPX1..........$.....................@....rsrc.........4.....................@......................................................................................................................................................................................................................................................................................................................................................4.10.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64722\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	200736
Entropy (8bit):	7.917418043848761
Encrypted:	false
SSDEEP:	3072:5lM6bdemhWev84dBLSels63IXDV2q5kkT2131upKtk8rNGAhG6Rda6JwV:U6bdzhb1DubXDQqmkT21lupIpNBaZ
MD5:	9B267E2D5FB3FC71107FCC9049A673B2
SHA1:	23A3FDBEB3FE931603A09CD14D3ABBC6B22CB78A
SHA-256:	4AB239C7DA5D08EDBF05168327B087BD7866D018764AE4E660E05939D6D4FBBE
SHA-512:	6361530239E63B189071DC75903F4AC1194BF3D6225B45493D1F10CDE1540BF48EDE0F3AED3202EB24219F632BBF9E8F4FA79FBD120521B29C5C73B7B4D22BF1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........8<..YRT.YRT.YRT.!.T.YRT.1SU.YRT.?SU.YRT.1WU.YRT.1VU.YRT.1QU.YRTf0SU.YRT.YST.XRTf0VU.YRTf0RU.YRTf0.T.YRTf0PU.YRTRich.YRT................PE..d....k.].........." .........P...@..@....P...................................P............`.............................................4@.......................K...........F......................................@...............................................UPX0.....@..............................UPX1.........P......................@....rsrc....P.......H..................@......................................................................................................................................................................................................................................................................................................................................................4.10.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64722\python38.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1420872
Entropy (8bit):	7.991145312851321
Encrypted:	true
SSDEEP:	24576:ERwYj1KTAAsOJxRmtvO3i75n6q0qcDFm8ZNtWTdK158EvnDDHsFr87O+pkMXgVki:dYj1oRsGvZSNtcxTtR1mY/MFr9+pkMXW
MD5:	E2C5960438D7CD94B1E09CD2C0026048
SHA1:	F7BDCD290D36E47D0AE59181D404A36A47792211
SHA-256:	DA55D7935F13BFA55F280B1D12729622F63C841BA181FAB330634D47D51D7A60
SHA-512:	965C46ADB518C2F2749BB48EF5A41859C71BCC6ED9EB05A3EE0F6F0C964783E408847F6383BC436E702B62735E006A1B41C441C861A6799B8B824DF1571910A0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................7[.........................................B............c...........Rich............................PE..d.....].........." ............. .. .B..0....................................C...........`.........................................0.B.......B.L.....B.......?.P...........H.C.....................................8.B.............................................UPX0..... ..............................UPX1.........0......................@....rsrc.........B.....................@..............................................................................................................................................................................................................................................................................................................................................4.10.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64722\select.pyd

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21576
Entropy (8bit):	7.2853758582276065
Encrypted:	false
SSDEEP:	384:nFMvDdZ1QFmOZsRKKc4Za7gJXtjHrIGqG9d7nYPLxDG4y8KxS:nFMvJLkmOsRZXpdjLIGqG9ZWDG4y4
MD5:	AF2D6B40BECEAC14D4F5685BDE16DDC1
SHA1:	08F4191CDCACED292BF469A8C9E50A8BDE347933
SHA-256:	2C774A62073B14944483C89F626F2559F98B29EAD7D66475E40E869337AB5105
SHA-512:	E60C51FF6A77267E38B1BD3FCA3ADDE21EEE39D18F9216B1EA0FF7D9DD328ECEEFEC2FE2D6AD40589A22415BDF6CA8A07E784EE9D37766A9DCDF9A62513FA482
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................)............................M................M......M......M.E....M......Rich...........PE..d.....].........." .....0..........p.....................................................`.........................................\...L.......\|............`......................................................................................................UPX0....................................UPX1.....0.......*..................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.10.UPX!.$..

C:\Users\user\AppData\Local\Temp\_MEI64722\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1011592
Entropy (8bit):	6.662485557659338
Encrypted:	false
SSDEEP:	24576:WkmZDEMHhp9v1Ikbn3ND0TNVOsIut8P4zmxvSZX0yplkf:TmZFHhp9v1Io3h0TN3pvkf
MD5:	A4781A4C41ADA12C5420EE2B9BCBFDA3
SHA1:	7C394165FAFD176908F38C6C5FFE065751B6A868
SHA-256:	0EF5CC705F0752489EA8F2A79116CA842142CEE9F2BBB60EF24E2524B0066A09
SHA-512:	0055A67D02C59D5F63A3D7B56FE934AE56A80FC56E11819DE62AE567FCA74724AC6BC885BAC37CD3F11A7ABD243B9990F8EDD674BECD7B7A4F89A3325EBAB104
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..l9F.l9F.l9F...F.l9F.l8F.l9F...F.l9F..9G.l9F..:G.l9F..<G.l9F..7G.n9F..=G.l9F...F.l9F..;G.l9FRich.l9F........PE..d.....}X.........." .........`............................................................`A................................................p......................F...)......p...PX..T............................'...............O...............................text............................... ..`.rdata..<u.......v..................@..@.data....$...........r..............@....pdata.............................@..@.rsrc................4..............@..@.reloc..p............:..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI64722\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\run0796.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	286792
Entropy (8bit):	7.984977302461466
Encrypted:	false
SSDEEP:	6144:EWa++XuGxbp8WIgofQm7TuW3R+VXwm0rMIsmdxHYzl:EWnmFbprIgoIYTPhwoI9mdx4zl
MD5:	24CB3725B8EFB906E12F4EFEF4BD7CDC
SHA1:	CE1102C9DA67B7383870525CB58AD215273EDDDC
SHA-256:	6B3C41D359EE40A3FFBBE338A894D79404B973BB9D1AD7D945DF7C0947E1D626
SHA-512:	779B71ADE33512E20D5B17F16269A89596C184F17D30569538BEE7CAA6AB2717C6576BB0C5856EDED76AF57DA64A76934FA5B8E6DA4FDF6C21E72C737CC99B09
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.0v..^%..^%..^%.f.%..^%Tv_$..^%Tv[$..^%TvZ$..^%Tv]$..^%.w_$..^%cx_$..^%.._%N.^%.wS$..^%.w^$..^%.w.%..^%.w\$..^%Rich..^%................PE..d.....].........." .....@..........p........................................ ............`.............................................X...................................<.......................................p...............................................UPX0....................................UPX1.....@.......4..................@....rsrc................8..............@......................................................................................................................................................................................................................................................................................................................................................4.10.UPX!.$..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.984755669621709
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	run0796.exe
File size:	5'364'263 bytes
MD5:	6e912c37e25ed34d27440036de24c71a
SHA1:	8d2173a6e5239616f131c3c72b6572c56123dac1
SHA256:	6e120026e8e7473a4d12f13a157c773b82a04fe90a841d9a8c46da438a8bb58d
SHA512:	dc5dabc20ded934cc58b8755844d8b8995f10ac762a5c373da146979153314db925b20aeddbc626ef0f24b0c3f51b856395b281902afd629f878c11785b33872
SSDEEP:	98304:FE8ElwP+57GNUOiGyUu+6bDv1v8XUsZ79HMFdV0xyH8iJEWHSyeqX1YIqI:FE9VoFfTu+6bDvlsUs/QV0AHZHSYXV
TLSH:	AA463351B39108F8EDBB113EC992D21AE6753C2B0751D84F03F459A7AF23A119E3B761
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R........................c...........y.L.....y.......y.......y.......................................Rich...................

File Icon


Icon Hash:	2e1e7c4c4c61e979

Static PE Info

General

Entrypoint:	0x14000a6b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x650911DA [Tue Sep 19 03:13:30 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	ba5546933531fafa869b1f86a4e2a959

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FE9B0F5101Ch
dec eax
add esp, 28h
jmp 00007FE9B0F50C1Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FE9B0F51564h
test eax, eax
je 00007FE9B0F50DD3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FE9B0F50DB7h
dec eax
cmp ecx, eax
je 00007FE9B0F50DC6h
xor eax, eax
dec eax
cmpxchg dword ptr [00041E7Ch], ecx
jne 00007FE9B0F50DA0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FE9B0F50DA9h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00041E67h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00041E57h], al
call 00007FE9B0F51363h
call 00007FE9B0F52492h
test al, al
jne 00007FE9B0F50DB6h
xor al, al
jmp 00007FE9B0F50DC6h
call 00007FE9B0F5F871h
test al, al
jne 00007FE9B0F50DBBh
xor ecx, ecx
call 00007FE9B0F524A2h
jmp 00007FE9B0F50D9Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00041E1Ch], 00000000h
mov ebx, ecx
jne 00007FE9B0F50E19h
cmp ecx, 01h
jnbe 00007FE9B0F50E1Ch
call 00007FE9B0F514CAh
test eax, eax
je 00007FE9B0F50DDAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bb5c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0xf010	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4e000	0x20c4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x62000	0x75c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39350	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39210	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x350	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x288a0	0x28a00	cd519058a1cc7a614054b311d84d179b	False	0.5563401442307693	zlib compressed data	6.490694010276288	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x126e2	0x12800	6ac77a035de0924c811c7eda0b3df220	False	0.5156381967905406	data	5.846063161745269	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x103f8	0xe00	9bd2cebaa3285e8e266c4c373a15119d	False	0.13337053571428573	DOS executable (block device driver \377\3)	1.808915577448681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4e000	0x20c4	0x2200	47e5659f5cd2366c7761336e5e8f1fbd	False	0.4763327205882353	data	5.30946295758841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x51000	0x15c	0x200	739c14bf73dcb926054c7e1038da65e4	False	0.384765625	data	2.7733452366771543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0xf010	0xf200	7c3130af8730238e7ffcbe62d30adb45	False	0.7952285640495868	data	7.356312649477091	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x62000	0x75c	0x800	b7279c82d58eeae8dc663879402c6f2e	False	0.54296875	data	5.238892234772638	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x52208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.56636460554371
RT_ICON	0x530b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7287906137184116
RT_ICON	0x53958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.7471098265895953
RT_ICON	0x53ec0	0x909b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9971636186822983
RT_ICON	0x5cf5c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.38309128630705397
RT_ICON	0x5f504	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4826454033771107
RT_ICON	0x605ac	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.699468085106383
RT_GROUP_ICON	0x60a14	0x68	data	0.7019230769230769
RT_MANIFEST	0x60a7c	0x592	XML 1.0 document, ASCII text, with CRLF line terminators	0.4488078541374474

Imports

DLL

Import

KERNEL32.dll

GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, WriteConsoleW, GetProcAddress, GetModuleFileNameW, SetDllDirectoryW, FreeLibrary, GetLastError, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, HeapReAlloc, GetFileAttributesExW, GetStringTypeW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, SetEndOfFile

ADVAPI32.dll

ConvertSidToStringSidW, GetTokenInformation, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW

Target ID:	0
Start time:	06:02:59
Start date:	10/10/2024
Path:	C:\Users\user\Desktop\run0796.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\run0796.exe"
Imagebase:	0x7ff60f180000
File size:	5'364'263 bytes
MD5 hash:	6E912C37E25ED34D27440036DE24C71A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:02:59
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:03:00
Start date:	10/10/2024
Path:	C:\Users\user\Desktop\run0796.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\run0796.exe"
Imagebase:	0x7ff60f180000
File size:	5'364'263 bytes
MD5 hash:	6E912C37E25ED34D27440036DE24C71A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	72

Executed Functions

Function 00007FF60F1A4EB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF60F1A4EF5

Part of subcall function 00007FF60F1A4848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A485C

Part of subcall function 00007FF60F199F88: RtlFreeHeap.NTDLL(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199F9E
Part of subcall function 00007FF60F199F88: GetLastError.KERNEL32(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199FA8

Part of subcall function 00007FF60F199F40: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF60F199F1F,?,?,?,?,?,00007FF60F191A50), ref: 00007FF60F199F49
Part of subcall function 00007FF60F199F40: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF60F199F1F,?,?,?,?,?,00007FF60F191A50), ref: 00007FF60F199F6E

_get_daylight.LIBCMT ref: 00007FF60F1A4EE4

Part of subcall function 00007FF60F1A48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A48BC

_get_daylight.LIBCMT ref: 00007FF60F1A515A
_get_daylight.LIBCMT ref: 00007FF60F1A516B
_get_daylight.LIBCMT ref: 00007FF60F1A517C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF60F1A53BC), ref: 00007FF60F1A51A3

Strings

Eastern Standard Time, xrefs: 00007FF60F1A5249
Eastern Summer Time, xrefs: 00007FF60F1A5261

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 094aa0b8d65919baa3d0772ff3767fd2675aa8a4e03dc9ca21af0ffdcdca806f
Instruction ID: 71f9883345d5a7dadbebb44a9de875d8e6fdd5626254157d273668a8dbe434fd
Opcode Fuzzy Hash: 094aa0b8d65919baa3d0772ff3767fd2675aa8a4e03dc9ca21af0ffdcdca806f
Instruction Fuzzy Hash: 02D1E136E1C24286EB24DF26E9401B977A1FF84B84F6440BAEA1DC7695DF7CE445C780

Function 00007FF60F1858E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F185977
GetCurrentProcessId.KERNEL32(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F18597D

Part of subcall function 00007FF60F185AF0: GetEnvironmentVariableW.KERNEL32(00007FF60F182817,?,?,?,?,?,?), ref: 00007FF60F185B2A
Part of subcall function 00007FF60F185AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF60F185B47

Part of subcall function 00007FF60F196828: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F196841

SetEnvironmentVariableW.KERNEL32(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F185A31

Strings

TMP, xrefs: 00007FF60F18591A, 00007FF60F1859D9, 00007FF60F185A67
TMP, xrefs: 00007FF60F185940
_MEI%d, xrefs: 00007FF60F185985
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF60F18595A

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1556224225-1116378104
Opcode ID: 01a46a9a65a39ff1d58c313a88a664a0d39fffa59273ca9ce6eb9bf9af19ca8f
Instruction ID: b6a80f263035e1aabbf44c7e267f313bd9b1f703b08a67b40e5412dddb1ac5e1
Opcode Fuzzy Hash: 01a46a9a65a39ff1d58c313a88a664a0d39fffa59273ca9ce6eb9bf9af19ca8f
Instruction Fuzzy Hash: 5E517D35B0D65341FE14A722AA912BA5382DF85BD0F6844B1ED0ECB797EF6DE4078340

Function 00007FF60F1A5DFC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF60F1A5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A5B71
Part of subcall function 00007FF60F1A5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A5BEF
Part of subcall function 00007FF60F1A5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A5C40

CreateFileW.KERNELBASE ref: 00007FF60F1A5F02
CreateFileW.KERNEL32 ref: 00007FF60F1A5F52
GetLastError.KERNEL32 ref: 00007FF60F1A5F82
GetFileType.KERNELBASE ref: 00007FF60F1A5F97
GetLastError.KERNEL32 ref: 00007FF60F1A5FA1
CloseHandle.KERNEL32 ref: 00007FF60F1A5FD4
CloseHandle.KERNEL32 ref: 00007FF60F1A6137
CreateFileW.KERNEL32 ref: 00007FF60F1A616C
GetLastError.KERNEL32 ref: 00007FF60F1A617B

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: f4a66a793454549687445e322010bf0c8aa55a7819c853dce57e356f604717af
Instruction ID: 5f932c4cff2a71ab5cbf149a0b3041c08d873aefc0bebfa0fc401b973b4db778
Opcode Fuzzy Hash: f4a66a793454549687445e322010bf0c8aa55a7819c853dce57e356f604717af
Instruction Fuzzy Hash: ACC1DF32B2CA4285EB10CFA4C5906BC37B1FB49BA8B250275DE2E97795DF39E459C340

Function 00007FF60F1A512C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF60F1A515A

Part of subcall function 00007FF60F1A48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A48BC

_get_daylight.LIBCMT ref: 00007FF60F1A516B

Part of subcall function 00007FF60F1A4848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A485C

_get_daylight.LIBCMT ref: 00007FF60F1A517C

Part of subcall function 00007FF60F1A4878: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A488C

Part of subcall function 00007FF60F199F88: RtlFreeHeap.NTDLL(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199F9E
Part of subcall function 00007FF60F199F88: GetLastError.KERNEL32(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199FA8

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF60F1A53BC), ref: 00007FF60F1A51A3

Strings

Eastern Standard Time, xrefs: 00007FF60F1A5249
Eastern Summer Time, xrefs: 00007FF60F1A5261

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: fd078edb7ea8857bbddca5cb379a768099f63ff1987e7d86fa41c3a02db3c977
Instruction ID: 38acbc584f84989e3b486e51793f3560ec2cf114bad2888dcdcd7cf93dea3b5f
Opcode Fuzzy Hash: fd078edb7ea8857bbddca5cb379a768099f63ff1987e7d86fa41c3a02db3c977
Instruction Fuzzy Hash: 93518D32A1C64286E710DF22E9801B9B7A1FF88784F6455BAEA5DC37A6DF3CE405C740

Function 00007FF60F19FA98 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 77b634f070b5d0425022c69dd6fb332ff82a5336b27442bcf42cac2e1250e46a
Instruction ID: 7e53ff6ecd3cbfd1af9299ab40440a090efb049edc2e4b2cd3d688b408d75800
Opcode Fuzzy Hash: 77b634f070b5d0425022c69dd6fb332ff82a5336b27442bcf42cac2e1250e46a
Instruction Fuzzy Hash: 6102B132F0D69350FA659B21A4112796780EF45BA0FB849B9DD6EC77D2DF3DE8028380

Function 00007FF60F1817B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF60F18185C
_fread_nolock.LIBCMT ref: 00007FF60F18190E

Part of subcall function 00007FF60F18E6E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18E6F4

Strings

MEI, xrefs: 00007FF60F1817EF
Error on file., xrefs: 00007FF60F18193D
fseek, xrefs: 00007FF60F181836
Cannot read Table of Contents., xrefs: 00007FF60F181995
Could not read full TOC!, xrefs: 00007FF60F181919
Failed to read cookie!, xrefs: 00007FF60F181867
malloc, xrefs: 00007FF60F1818EA
fread, xrefs: 00007FF60F18186E
Failed to seek to cookie position!, xrefs: 00007FF60F18182F
Could not allocate buffer for TOC!, xrefs: 00007FF60F1818E3

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _fread_nolock$_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 3405171723-4158440160
Opcode ID: 84763b409ffefaeafb6b7d4785f14c57d5f11daf0945f8cc1ec6fe977dfebcdb
Instruction ID: f42261027cbde2e239c9811e22ddacf527898e21de98bad1e435bd04293adab8
Opcode Fuzzy Hash: 84763b409ffefaeafb6b7d4785f14c57d5f11daf0945f8cc1ec6fe977dfebcdb
Instruction Fuzzy Hash: 16514D72A0DA4296EB54CF29D55127833A0FF48B88B608576DA0DD7399DFBCE446C740

Function 00007FF60F181440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open target file!, xrefs: 00007FF60F18148A
Failed to extract %s: failed to open archive file!, xrefs: 00007FF60F1814CA
fseek, xrefs: 00007FF60F181500
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF60F1815E5
fwrite, xrefs: 00007FF60F1815DC
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF60F1815D5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF60F1814F9
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF60F181559
fopen, xrefs: 00007FF60F181491
fread, xrefs: 00007FF60F1815EC
malloc, xrefs: 00007FF60F181560

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 0-666925554
Opcode ID: 1263ffe4802157f0869bfd811baca3ed4696afe89ae68e0db96ca42f9cae616b
Instruction ID: e8c53f8531a64fcc7aaddd73785cd38b7b2b881a8f562bd7cd1eceaea1725a01
Opcode Fuzzy Hash: 1263ffe4802157f0869bfd811baca3ed4696afe89ae68e0db96ca42f9cae616b
Instruction Fuzzy Hash: C951AC72B0CA42A1EA109B51E6006B963A0EF45BE4F7445B1DE1DD76A2EFBCE14BC700

Function 00007FF60F186A70 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00007FF60F1859BA,?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F186AB0
OpenProcessToken.ADVAPI32(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F186AC1
GetTokenInformation.KERNELBASE(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F186AE3
GetLastError.KERNEL32(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F186AED
GetTokenInformation.KERNELBASE(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F186B2A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF60F186B3C
CloseHandle.KERNEL32(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F186B54
LocalFree.KERNEL32(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F186B86
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF60F186BAD
CreateDirectoryW.KERNELBASE(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F186BBE

Strings

S-1-3-4, xrefs: 00007FF60F186B5F
D:(A;;FA;;;%s), xrefs: 00007FF60F186B69

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: 91f206f193b68330ebd28d0cb2e5982b23392e5c7638bf7621f932f987ca90f9
Instruction ID: e1b53a99506eeb90e7e010dbdb0e5760a018c5812519856529bef1fb56d2967c
Opcode Fuzzy Hash: 91f206f193b68330ebd28d0cb2e5982b23392e5c7638bf7621f932f987ca90f9
Instruction Fuzzy Hash: BC419031A0CA8382EB509F20E5447BA73A1FF84794F600271EA5E87AD5DF7DE449CB40

Function 00007FF60F186140 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF60F186DC0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF60F186DFA

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF60F182B60,?,?,?,?,?,?), ref: 00007FF60F18618F
GetStartupInfoW.KERNEL32 ref: 00007FF60F1861AE

Part of subcall function 00007FF60F1992F4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F199308

Part of subcall function 00007FF60F19706C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1970D3

GetCommandLineW.KERNEL32 ref: 00007FF60F18624E
CreateProcessW.KERNELBASE ref: 00007FF60F186290
WaitForSingleObject.KERNEL32 ref: 00007FF60F1862A4
GetExitCodeProcess.KERNELBASE ref: 00007FF60F1862B4

Strings

Error creating child process!, xrefs: 00007FF60F1862C0
CreateProcessW, xrefs: 00007FF60F1862C7

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: f9329e10ecf7cd9add790cd54d80bd1613acac9f8f0a608475d9c7ff608cd0f3
Instruction ID: 9948c28bd22c2bb9993f022334a39d6d29824fd06712a99c8bba43fe0a775271
Opcode Fuzzy Hash: f9329e10ecf7cd9add790cd54d80bd1613acac9f8f0a608475d9c7ff608cd0f3
Instruction Fuzzy Hash: 60414731A0CB8281DA20DB64F5552AAB3A1FF95360F600379E6AD87BD5DF7CD059CB40

Function 00007FF60F181000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF60F182CD0: GetModuleFileNameW.KERNEL32(?,00007FF60F1827C9,?,?,?,?,?,?), ref: 00007FF60F182D01

SetDllDirectoryW.KERNEL32 ref: 00007FF60F1829D5

Part of subcall function 00007FF60F185AF0: GetEnvironmentVariableW.KERNEL32(00007FF60F182817,?,?,?,?,?,?), ref: 00007FF60F185B2A
Part of subcall function 00007FF60F185AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF60F185B47

Strings

_MEIPASS2, xrefs: 00007FF60F182803, 00007FF60F18286C, 00007FF60F182B1B, 00007FF60F182B2B
Failed to convert DLL search path!, xrefs: 00007FF60F1829BD
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF60F1828BE
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF60F18295C
MEI, xrefs: 00007FF60F182917
_PYI_ONEDIR_MODE, xrefs: 00007FF60F18282C, 00007FF60F182857

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 6a28c33e22898031b80fb512893e07fd0cd100b3512c2502032b978ee29aa1aa
Instruction ID: d514e8a73e6732a384ea52bb459570d788e1907a290763abd1bfb07f5b3b84b9
Opcode Fuzzy Hash: 6a28c33e22898031b80fb512893e07fd0cd100b3512c2502032b978ee29aa1aa
Instruction Fuzzy Hash: 9BC18031A1C6C351EA65AB22DA602FD6391FF44784F6040B2EA4DC769AEFBCE507C740

Function 00007FF60F181050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF60F1810F1
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF60F181249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF60F18111F
1.2.13, xrefs: 00007FF60F18107E
malloc, xrefs: 00007FF60F1810F8, 00007FF60F181126
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF60F1810B4

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: 1a8844bf67229d1899e895c5de39fde8d842d05050e1b2cb9d7974bf2e428afa
Instruction ID: 46cb2c0f7f1e4877a94a88e9b6ae2abcc918e7b4cbe2e38dc3143f0962339492
Opcode Fuzzy Hash: 1a8844bf67229d1899e895c5de39fde8d842d05050e1b2cb9d7974bf2e428afa
Instruction Fuzzy Hash: 9151CA32A0C68291EA609B51E5403BA6391FB85B94F7441B6EE4ED7785EF7CE407C700

Function 00007FF60F19DF40 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF60F19E2DA,?,?,-00000018,00007FF60F19A393,?,?,?,00007FF60F19A28A,?,?,?,00007FF60F1954F2), ref: 00007FF60F19E0BC
GetProcAddress.KERNEL32(?,00000000,?,00007FF60F19E2DA,?,?,-00000018,00007FF60F19A393,?,?,?,00007FF60F19A28A,?,?,?,00007FF60F1954F2), ref: 00007FF60F19E0C8

Strings

api-ms-, xrefs: 00007FF60F19E006
ext-ms-, xrefs: 00007FF60F19E019

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: aad9aede478575e979b907d5906f12f078c77a7925399981a7c8c7e1570d79b3
Instruction ID: 3dd968a5d1fd01637da1673a32421abc3d1f186b9656e931eed85fb45db9a454
Opcode Fuzzy Hash: aad9aede478575e979b907d5906f12f078c77a7925399981a7c8c7e1570d79b3
Instruction Fuzzy Hash: 7D41CD31B1DA1281FA56DB16E9006792391FF48BA0F6C4579DD1DC7784EF3EE8498390

Function 00007FF60F19B09C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F19B4C9

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f51be05eff67105166a8e0974f5b8922bd2b6cae86938e82961f641d8e49780a
Instruction ID: fef5076ae37b6f82f7bcfceba3c113fc18604a0db98855059d893e79d8f2cdd4
Opcode Fuzzy Hash: f51be05eff67105166a8e0974f5b8922bd2b6cae86938e82961f641d8e49780a
Instruction Fuzzy Hash: 1CC10332A0C68791E760CB55A4402BD3BA1EFD1B80F7901B9DA4E83791CF7DEA498380

Function 00007FF60F19C5A0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF60F19C58B), ref: 00007FF60F19C6BC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF60F19C58B), ref: 00007FF60F19C747

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 47869f412bece76eb023dbb07aa2cba14259a80e0a96d05eb24eea3b46299af7
Instruction ID: e6cf51d1f73916b1d2bd5f9a27f395b6c02d36593e39364bcea37bd998ad2c3b
Opcode Fuzzy Hash: 47869f412bece76eb023dbb07aa2cba14259a80e0a96d05eb24eea3b46299af7
Instruction Fuzzy Hash: C5919032E1C69385F7548F6594802BD3BA1FB44B88F6441B9DE8EA7A94DF38E446C7C0

Function 00007FF60F19E96C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF60F19EA5C
_get_daylight.LIBCMT ref: 00007FF60F19EA6D
_get_daylight.LIBCMT ref: 00007FF60F19EA7E
_isindst.LIBCMT ref: 00007FF60F19EB49

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 7c116d52e869d70fe36170fafcd4453455d7a89aa2c255f713b58b82420c40e6
Instruction ID: d0d0c75ca962e43ef561abd9aadbb6c4e3103ee5c2a1a727d67b03ad8f060a9a
Opcode Fuzzy Hash: 7c116d52e869d70fe36170fafcd4453455d7a89aa2c255f713b58b82420c40e6
Instruction Fuzzy Hash: 6651E272F0C2128AFB28DF64D9556BC27A1FB50368F640179EE1F93AE5DF38A4068740

Function 00007FF60F1946F8 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F194725
CreateFileW.KERNELBASE ref: 00007FF60F194764
CloseHandle.KERNEL32 ref: 00007FF60F194799

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 2e14a9a22f8bbc959da1ddaf4bea7386fc9969426b98b87380e1d1a6b88a1f24
Instruction ID: 315dcb31d9b0e207c685762dca199ca53a690e22a81eab77dc2f0040f365addf
Opcode Fuzzy Hash: 2e14a9a22f8bbc959da1ddaf4bea7386fc9969426b98b87380e1d1a6b88a1f24
Instruction Fuzzy Hash: 4A41BE32E2C78283E754CB61955037973A0FF957A4F209374EA9C83AD6DF7CA5A18780

Function 00007FF60F18A52C Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF60F18A540

Part of subcall function 00007FF60F18A70C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF60F18A72E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF60F18A555
__scrt_release_startup_lock.LIBCMT ref: 00007FF60F18A5C3

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 1be6874be7b06f60d2a206459abee2dcc30803262f01e71d3cdcfcaefe82dc60
Instruction ID: 46300659b5f5946a15bf2d62f387cebea70d76213ce8a798b1f538a9d432566f
Opcode Fuzzy Hash: 1be6874be7b06f60d2a206459abee2dcc30803262f01e71d3cdcfcaefe82dc60
Instruction Fuzzy Hash: B2315C31E0D64393FA54AB2496113B92391EF86B80FB444B6EA0DC72D7DFADE846C740

Function 00007FF60F1989F8 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF60F1989F4), ref: 00007FF60F198A09
TerminateProcess.KERNEL32(?,?,?,00007FF60F1989F4), ref: 00007FF60F198A14
ExitProcess.KERNEL32 ref: 00007FF60F198A23

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cdaea237e1b592d6c154aaf0f90f60ef9ca2b577adbaa54e82ff2db6f3b91dce
Instruction ID: e53f0898531aebb5c1cf29d2bc0bc7b919155556059eff832c733de132859ace
Opcode Fuzzy Hash: cdaea237e1b592d6c154aaf0f90f60ef9ca2b577adbaa54e82ff2db6f3b91dce
Instruction Fuzzy Hash: 62D09230B1D603C6EA182B7058951792391EF8A761F6028B8C84FC6397CF7DA89D8280

Function 00007FF60F18E70C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18E750
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18E847

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction ID: 2c9de7b3d986d9c0b87a5270586f15a673ab2e5f4a268f5954d2b71e8dea2f59
Opcode Fuzzy Hash: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction Fuzzy Hash: 6C51E731F0D68246FB689AA6960067A6791FF85BA4F284674ED7C837C5CFBCE4028740

Function 00007FF60F19BA58 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF60F19BAD1
GetFileType.KERNELBASE ref: 00007FF60F19BAE7

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: ea0bf9139acf7e29816fcd0aba872ae9fa759e19ef548db38860721d431a1d9c
Instruction ID: 4693968223535430b2a283139e4ba2af16fb3d9f81fc360c706a9ca5afbf5bf3
Opcode Fuzzy Hash: ea0bf9139acf7e29816fcd0aba872ae9fa759e19ef548db38860721d431a1d9c
Instruction Fuzzy Hash: ED317E32A1DB4682EB64CB15A5801782750FB85BB0B780379DB6F873E4CF38E5A1D380

Function 00007FF60F19B774 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF60F19B760,00000000,?,?,?,00007FF60F181023,00007FF60F19B869), ref: 00007FF60F19B7C0
GetLastError.KERNEL32(?,?,?,?,?,00007FF60F19B760,00000000,?,?,?,00007FF60F181023,00007FF60F19B869), ref: 00007FF60F19B7CA

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3ffa62e109f94fb18d3b2cbff054a6c81447e1b6aec8cf58aa39285ecb5c62cf
Instruction ID: 09801d6c33929af24e1aa1a426e59469eb24ec4e748aedba8f3f1a52d4671cf0
Opcode Fuzzy Hash: 3ffa62e109f94fb18d3b2cbff054a6c81447e1b6aec8cf58aa39285ecb5c62cf
Instruction Fuzzy Hash: 9211C172A1CA8281DA50CB26B8040A96761EB84BF4F684371EE7D8B7E9CF7CD1558780

Function 00007FF60F196AF8 Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF60F196975), ref: 00007FF60F196B1B
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF60F196975), ref: 00007FF60F196B31

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 695a997772c6d588bd3c19a829da3cd4efb67dac24a46cf8f274d2962167cdc2
Instruction ID: 162d97ec01a81180414104c205a233445b82217b539af29d69805e37dd18edd2
Opcode Fuzzy Hash: 695a997772c6d588bd3c19a829da3cd4efb67dac24a46cf8f274d2962167cdc2
Instruction Fuzzy Hash: AC01C032A0C651C2E7648F14E40223AB7B1FB81B61F740276F6AE819D8EF3DD014DB60

Function 00007FF60F199F88 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199F9E
GetLastError.KERNEL32(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199FA8

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 635cad2e0ff3992951b7a77c4f2b8b42bf407885737c95784d501ba83ef464ff
Instruction ID: ab1c5f32bb03510e9b88d194f7d4b77667116bde9bbfa34941363ad4ea2977d5
Opcode Fuzzy Hash: 635cad2e0ff3992951b7a77c4f2b8b42bf407885737c95784d501ba83ef464ff
Instruction Fuzzy Hash: 24E08C70F0D20382FF18ABB2A8850786391DF84740B6948B8C80DD6291EF2CA89D82A0

Function 00007FF60F196860 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00007FF60F196864
GetLastError.KERNEL32(?,?,?,?,?), ref: 00007FF60F19686E

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 6ee4c4c1d826b64487a110c2ae4246bf529d87c63a5704ba62e6a74145362de3
Instruction ID: 254fa130e6180d945dcfa2825c1c9c7b183863bec4b9c8e265bf25316b38eeee
Opcode Fuzzy Hash: 6ee4c4c1d826b64487a110c2ae4246bf529d87c63a5704ba62e6a74145362de3
Instruction Fuzzy Hash: 46D0C930F1C603C1E65827B228450791390EF44724F7006B4C029C12D0EF2DA49D9162

Function 00007FF60F1970E4 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF60F1970E8
GetLastError.KERNEL32 ref: 00007FF60F1970F2

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: e62d151a604f4e0a1f97514f12a36258322d99d4e44f7b0e6aef129f7c091d96
Instruction ID: 4fb7aaebbc0b9fcccd1857049e4c606e2aeed09c07cfcff7083ab3772433ab9b
Opcode Fuzzy Hash: e62d151a604f4e0a1f97514f12a36258322d99d4e44f7b0e6aef129f7c091d96
Instruction Fuzzy Hash: 72D01234F2C503C2EA1627B21D8907A13E0EF45720F7006F4C42EC02E0EF2EA0AD9261

Function 00007FF60F19A198 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF60F19A015,?,?,00000000,00007FF60F19A0CA), ref: 00007FF60F19A206
GetLastError.KERNEL32(?,?,?,00007FF60F19A015,?,?,00000000,00007FF60F19A0CA), ref: 00007FF60F19A210

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 176045b7523cf5febd9284a5f88f2e5d392980a8c79d008abc553eacec4aafb7
Instruction ID: 25d594e04c43e51d6c9110a1b9e8066ea8bdad2a92605038be5bc247b8567d6b
Opcode Fuzzy Hash: 176045b7523cf5febd9284a5f88f2e5d392980a8c79d008abc553eacec4aafb7
Instruction Fuzzy Hash: EA219331F1C68241EA94976195A427D2392EF85BA4F3843B9DA2EC73C5DF6DE4898380

Function 00007FF60F185E00 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF60F186DC0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF60F186DFA

_findclose.LIBCMT ref: 00007FF60F186059

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: f49b861ea7d3f103746b3a21f9c25844a1af0d2aa27eefd751e744e4ab09ae28
Instruction ID: 42093c23902dc87589de3a937679a5efc7e482808e0b0b06caa7b0b2688ce334
Opcode Fuzzy Hash: f49b861ea7d3f103746b3a21f9c25844a1af0d2aa27eefd751e744e4ab09ae28
Instruction Fuzzy Hash: AC718D62E1CAC581E611CB2CD6452FD7360F7A9B4CF64E321DB8C52592EF28E2DAC700

Function 00007FF60F19B4EC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F19B514

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 57107eaa3566968eb61c891c6bf60f53c3ecf75195df01cb8ace664919c894e2
Instruction ID: 875d6026db56458103a3a3e13f6c9f62de1137ed1f086114aacec70ad56b76d1
Opcode Fuzzy Hash: 57107eaa3566968eb61c891c6bf60f53c3ecf75195df01cb8ace664919c894e2
Instruction Fuzzy Hash: 0941BE3290C24187FA24CB2AB58427973A0EB96B84F640175DA9EC36D1CF6CE603CB91

Function 00007FF60F186370 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF60F18641A

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 3c4f26b11e4462b6a968b3c82cc7ee6ac725b1771f3ecff43d43be629d0efc0e
Instruction ID: 24a8f237d244b0ce86e396d75f4f376e80cf4fc57e205123619831d652fd4065
Opcode Fuzzy Hash: 3c4f26b11e4462b6a968b3c82cc7ee6ac725b1771f3ecff43d43be629d0efc0e
Instruction Fuzzy Hash: 7A219F31B0C29646FA159B52AA043BAA751FF55BD4FA84071EE4D87786CFBCE842C300

Function 00007FF60F19AF7C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F19B002

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5c21e00b33c8f2b45ceb84e2d38ad87eb1f0bac44c293c41f89c92cf48f3706b
Instruction ID: 26762846c0da8f8f61ebf613db41e8509c0858d3aef8516bf71b2f64c99fed9e
Opcode Fuzzy Hash: 5c21e00b33c8f2b45ceb84e2d38ad87eb1f0bac44c293c41f89c92cf48f3706b
Instruction Fuzzy Hash: 8C31B272A1C60281F7159B25988137C3760EF80F90F7905B5EA2D833D2DFBDE84587A0

Function 00007FF60F198929 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF60F198957

Part of subcall function 00007FF60F198A50: GetModuleHandleExW.KERNEL32 ref: 00007FF60F198A75
Part of subcall function 00007FF60F198A50: GetProcAddress.KERNEL32 ref: 00007FF60F198A8B
Part of subcall function 00007FF60F198A50: FreeLibrary.KERNEL32 ref: 00007FF60F198AB2

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 4364183f743529bba0b1b8a1ab3c287b648935f4c13821245ef64b361732f161
Instruction ID: f4c111a600c1e68c6cf9d4f62a37b2d7e13d5fb59a8c67d6cf6863d4026b50bf
Opcode Fuzzy Hash: 4364183f743529bba0b1b8a1ab3c287b648935f4c13821245ef64b361732f161
Instruction Fuzzy Hash: 8D21B032E0CB0289EB249F64C4502FC33B0EB86729FA41A39D76C86AC5DF38D584C781

Function 00007FF60F195548 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1954AD

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction ID: 5095234b5dcf3cd085f843457fb71b1f119317e429a0a901b4a26e17ae72bbaa
Opcode Fuzzy Hash: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction Fuzzy Hash: 5F11A232A0D64181FAA19F51E40127DA3A1FF95B80F6C44B5EA8CE7B86DF3DE4409B80

Function 00007FF60F1A57EC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A580F

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ae9bd99ce62d3538fe7d29b8c80f6b7eb83d48e2b866bc47fbdf5b394f043f57
Instruction ID: aeb20b0c40d69fa6c1413b5648f7642db8ff016eb3c3343248c7612ec0b0eb36
Opcode Fuzzy Hash: ae9bd99ce62d3538fe7d29b8c80f6b7eb83d48e2b866bc47fbdf5b394f043f57
Instruction Fuzzy Hash: 94214232A1CA8187D7618F1AE44037977A1FB84B94F784274E65DC76D9DF3DD4058B40

Function 00007FF60F18E98C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18E9E0

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction ID: b0da4bfab6f448c846df4b51fe8c0b8a429707375e37a57e278b251b1fbc0516
Opcode Fuzzy Hash: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction Fuzzy Hash: 4201C831A0C78241EA44DBA29A01079A791FF86FE0F6846B5EE5C93BD6CFBCD1024300

Function 00007FF60F1964EC Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F19652A

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 89f1a6046394815f14ac2edb09e2e5d8c749716ba98b122b0912a1bcf1d4c737
Instruction ID: 0b405f2aeb36cb0343c6b480e03f7b434bdb1234c4d8eb8b5c942828c05e84b7
Opcode Fuzzy Hash: 89f1a6046394815f14ac2edb09e2e5d8c749716ba98b122b0912a1bcf1d4c737
Instruction Fuzzy Hash: ED01B171E0D68281FE64AB21E5411796390EF047E4F7845B9EA1CC2BCADF3CEC418AE1

Function 00007FF60F196828 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F196841

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d8ddd072cb9aeb27808c6bd09a31392064f42f391621abce153dcee42f6a1f6e
Instruction ID: 7a70e80acce349ae7d8903089d05bf14505ea2c374793b556cf444d1ea26f049
Opcode Fuzzy Hash: d8ddd072cb9aeb27808c6bd09a31392064f42f391621abce153dcee42f6a1f6e
Instruction Fuzzy Hash: 46E0ECB1E0C30642FA543AB545C227C1351DF54340F6444F9D90886387DF1E784956B1

Function 00007FF60F1864A0 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: efc5bac48e0eb0ffe74c9f21acabb1ae742049e90b115f0f612458e6ed3a3079
Instruction ID: c8f58cda27b1e330b2e98a9f3301654f658182713ea1ca964debc75024a28bed
Opcode Fuzzy Hash: efc5bac48e0eb0ffe74c9f21acabb1ae742049e90b115f0f612458e6ed3a3079
Instruction Fuzzy Hash: 3141A426D1C7C681EA119B24D6012FC7360FFA5784F64A272EB8D92187EF6CE5D9C700

Function 00007FF60F19DEC8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF60F19AA26,?,?,?,00007FF60F199BE3,?,?,00000000,00007FF60F199E7E), ref: 00007FF60F19DF1D

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5680686827257c125c79c0b434b54bb6693b4c02053300f6c32a97532040a367
Instruction ID: 1a55410bf38949abb7873eff166a2fc1a8a8fd5ecbd5bf2b325a4b1535cdf27f
Opcode Fuzzy Hash: 5680686827257c125c79c0b434b54bb6693b4c02053300f6c32a97532040a367
Instruction Fuzzy Hash: 00F09074B0D20380FE585761B8523B57390DF55B80F6C54B4C94EC67D2EF2CE48682A0

Function 00007FF60F19CC3C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF60F18F1F4,?,?,?,00007FF60F190706,?,?,?,?,?,00007FF60F19276D), ref: 00007FF60F19CC7A

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b11fc6a16e25d187a1b91613ce7ef6c78f7eee5e93957fcc5bb755ad2e5a5504
Instruction ID: 8cb9aa4621921c2db3ca6b5f7e82f4e1195e421a59003670a8e8c1afb51a7b95
Opcode Fuzzy Hash: b11fc6a16e25d187a1b91613ce7ef6c78f7eee5e93957fcc5bb755ad2e5a5504
Instruction Fuzzy Hash: FCF05870B0D24384FE2496B159512BA2780CF54BB0F280AB4E86EC52C2EF2CA44482E1

Non-executed Functions

Function 00007FF60F1850B0 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F1850C7
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F185106
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F18512B
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F185150
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F185178
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F1851A0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F1851C8
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F1851F0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F185218

Strings

Tcl_DeleteInterp, xrefs: 00007FF60F1851BE
Tcl_GetObjResult, xrefs: 00007FF60F185466
Tcl_GetCurrentThread, xrefs: 00007FF60F18520E
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF60F1851DA
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF60F185482
Failed to get address for Tcl_GetVar2, xrefs: 00007FF60F18536A
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF60F18527A
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF60F18522A
Failed to get address for Tcl_SetVar2, xrefs: 00007FF60F185392
Tcl_MutexLock, xrefs: 00007FF60F185236
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF60F1852CA
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF60F1851B2
GetProcAddress, xrefs: 00007FF60F1850E0
Tk_GetNumMainWindows, xrefs: 00007FF60F18557E
Tcl_ConditionWait, xrefs: 00007FF60F1852D6
Tcl_GetString, xrefs: 00007FF60F1853C6
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF60F1852A2
Tcl_Alloc, xrefs: 00007FF60F185506
Failed to get address for Tcl_Free, xrefs: 00007FF60F18554A
Tcl_GetVar2, xrefs: 00007FF60F18534E
Tcl_ConditionNotify, xrefs: 00007FF60F1852AE
Failed to get address for Tcl_EvalEx, xrefs: 00007FF60F1854D2
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF60F18531A
Tcl_SetVar2, xrefs: 00007FF60F185376
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF60F1852F2
Failed to get address for Tcl_GetString, xrefs: 00007FF60F1853E2
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF60F185118
Tcl_SetVar2Ex, xrefs: 00007FF60F18543E
Tcl_ThreadAlert, xrefs: 00007FF60F185326
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF60F18540A
Tcl_NewStringObj, xrefs: 00007FF60F1853EE
Tcl_MutexUnlock, xrefs: 00007FF60F18525E
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF60F185432
Tcl_NewByteArrayObj, xrefs: 00007FF60F185416
Tk_Init, xrefs: 00007FF60F185556
Tcl_Init, xrefs: 00007FF60F1850C0
Failed to get address for Tk_Init, xrefs: 00007FF60F185572
Tcl_CreateObjCommand, xrefs: 00007FF60F18539E
Tcl_DoOneEvent, xrefs: 00007FF60F185146
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF60F18513D
Tcl_EvalObjv, xrefs: 00007FF60F1854DE
Tcl_ConditionFinalize, xrefs: 00007FF60F185286
Failed to get address for Tcl_EvalFile, xrefs: 00007FF60F1854AA
Tcl_CreateThread, xrefs: 00007FF60F1851E6
Tcl_CreateInterp, xrefs: 00007FF60F1850FC
Tcl_Free, xrefs: 00007FF60F18552E
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF60F185162
Tcl_Finalize, xrefs: 00007FF60F18516E
Failed to get address for Tcl_CreateThread, xrefs: 00007FF60F185202
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF60F1853BA
Tcl_FinalizeThread, xrefs: 00007FF60F185196
Failed to get address for Tcl_Finalize, xrefs: 00007FF60F18518A
Failed to get address for Tcl_Init, xrefs: 00007FF60F1850D9
Failed to get address for Tcl_MutexLock, xrefs: 00007FF60F185252
Tcl_EvalFile, xrefs: 00007FF60F18548E
Tcl_EvalEx, xrefs: 00007FF60F1854B6
Failed to get address for Tcl_Alloc, xrefs: 00007FF60F185522
Tcl_FindExecutable, xrefs: 00007FF60F185121
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF60F18559A
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF60F1854FA
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF60F185342
Tcl_ThreadQueueEvent, xrefs: 00007FF60F1852FE
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF60F18545A

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 77b5a64d38601d97cc6f46ef17bc262d941289dca8cc320d3ff37db910af6723
Instruction ID: 56edb9b569ef60ff2d2885b7c327a08e2a12ad883c1598bf95737ca3d3269369
Opcode Fuzzy Hash: 77b5a64d38601d97cc6f46ef17bc262d941289dca8cc320d3ff37db910af6723
Instruction Fuzzy Hash: 1FE17574A0DB0790FA59DB14AA6017833E6EF047A0BB865B5C80E86364EFBDF55DD380

Function 00007FF60F1A325C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF60F1A32AA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A3916
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A3A8C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A3D4A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A3F6A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A41A7
memcpy_s.LIBCPMT ref: 00007FF60F1A4282
memcpy_s.LIBCPMT ref: 00007FF60F1A432D
memcpy_s.LIBCPMT ref: 00007FF60F1A43FC

Strings

1#IND, xrefs: 00007FF60F1A3397
1#INF, xrefs: 00007FF60F1A33D3
1#QNAN, xrefs: 00007FF60F1A33C3
1#SNAN, xrefs: 00007FF60F1A33BA

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 8e3f32220dbedb6b83d3a56d93bef729e8f640f2dff9788303e755a102ce7513
Instruction ID: 64168c343398d3e3e350a01d38bb939f81a390de25c79cadce0e6403f80d6c50
Opcode Fuzzy Hash: 8e3f32220dbedb6b83d3a56d93bef729e8f640f2dff9788303e755a102ce7513
Instruction Fuzzy Hash: 80B20072A1C2828BE765CE68D4407FD37E1FB54388F605175DA1ED7A88DF79AA08CB40

Function 00007FF60F186680 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(WideCharToMultiByte,00007FF60F181CE4,?,?,00000000,00007FF60F186914), ref: 00007FF60F1866A7
FormatMessageW.KERNEL32 ref: 00007FF60F1866D6
WideCharToMultiByte.KERNEL32 ref: 00007FF60F18672C

Part of subcall function 00007FF60F181CB0: GetLastError.KERNEL32(?,?,00000000,00007FF60F186914,?,?,?,?,?,?,?,?,?,?,?,00007FF60F181023), ref: 00007FF60F181CD7

Strings

PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF60F186749
FormatMessageW, xrefs: 00007FF60F1866E7
No error messages generated., xrefs: 00007FF60F1866E0
Failed to encode wchar_t as UTF-8., xrefs: 00007FF60F186736
WideCharToMultiByte, xrefs: 00007FF60F186680, 00007FF60F18673D
PyInstaller: FormatMessageW failed., xrefs: 00007FF60F1866F3

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ErrorLast$ByteCharFormatMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2383786077-2573406579
Opcode ID: 8af1543621e2225bbe5bffd5a6056578706e604aa2a65e437b117fd27dbfded5
Instruction ID: fc5bfe26bcd48835aa1f649b7eb3ef7b744652fd0e457ea17a425cc3bce0c49a
Opcode Fuzzy Hash: 8af1543621e2225bbe5bffd5a6056578706e604aa2a65e437b117fd27dbfded5
Instruction Fuzzy Hash: C0219231A0CA4392F7609F15E85427A33A5FF88384FA40175E54DC26A8EF7CE54EC740

Function 00007FF60F18AA3C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF60F18AA58
RtlCaptureContext.KERNEL32 ref: 00007FF60F18AA85
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF60F18AA9F
RtlVirtualUnwind.KERNEL32 ref: 00007FF60F18AAE0
IsDebuggerPresent.KERNEL32 ref: 00007FF60F18AB34
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF60F18AB55
UnhandledExceptionFilter.KERNEL32 ref: 00007FF60F18AB60

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1bf0d945bdc6b6fdad2122b0a21604f4ba0b1612e3b53cdd76e1331efcd592fd
Instruction ID: 4fbfc91db0aec121f2aaccf7329165033150b3cffc106c1c4819675ac8afdcc9
Opcode Fuzzy Hash: 1bf0d945bdc6b6fdad2122b0a21604f4ba0b1612e3b53cdd76e1331efcd592fd
Instruction Fuzzy Hash: C2315A7260DB819AEB608F60E8403EE73A5FB84744F54443ADA4E87B98EF7CD649C710

Function 00007FF60F199C54 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF60F199CCD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF60F199CE5
RtlVirtualUnwind.KERNEL32 ref: 00007FF60F199D20
IsDebuggerPresent.KERNEL32 ref: 00007FF60F199D59
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF60F199D63
UnhandledExceptionFilter.KERNEL32 ref: 00007FF60F199D6E

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 397cea56bba315d20c834348c2ab8ed400ffbe874e1da4898cc87947d67c4ad4
Instruction ID: 767de5c79f89cd19189d9ee655ad11a0493a53bf2db1fe53b91ddbdc7f077156
Opcode Fuzzy Hash: 397cea56bba315d20c834348c2ab8ed400ffbe874e1da4898cc87947d67c4ad4
Instruction Fuzzy Hash: 5F316F3661CB8196EB60CF25E8402AE73A0FB88754F64017AEA9D83B55DF3CD546CB00

Function 00007FF60F1A0A44 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A0A90
FindFirstFileExW.KERNEL32 ref: 00007FF60F1A0B9A

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 539584bc973764fdeb57c39dee6d85e67abf5b785ab6bac293b25a2b00955d70
Instruction ID: 8c98a9e2b552da37c2defeea9a9253f4a03cad98cb25a22aaa84203bc894819b
Opcode Fuzzy Hash: 539584bc973764fdeb57c39dee6d85e67abf5b785ab6bac293b25a2b00955d70
Instruction Fuzzy Hash: 9EB1D536B1C69281EA60DB22D5102B967D1EF48BE4F6451B5EE5E8BBC9DF3CE449C300

Function 00007FF60F18A920 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF60F18A94C
GetCurrentThreadId.KERNEL32 ref: 00007FF60F18A95A
GetCurrentProcessId.KERNEL32 ref: 00007FF60F18A966
QueryPerformanceCounter.KERNEL32 ref: 00007FF60F18A976

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: be9da76585353bf4ff120931e3f5bbaf95a19439f17c7ee9af2afa7da57e9186
Instruction ID: 20bef7217564d57e6d6b8efc10b3d3bbabe09ce231f67aa7425c7cde3d1d0e13
Opcode Fuzzy Hash: be9da76585353bf4ff120931e3f5bbaf95a19439f17c7ee9af2afa7da57e9186
Instruction Fuzzy Hash: 0A111836B18B029AEB008F61E8552B833A4FB19758F540E31EA6D867A4DF7CD1998380

Function 00007FF60F1A2DC0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF60F1A2E26
memcpy_s.LIBCPMT ref: 00007FF60F1A2E51

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: c6ab9cbcc9c03ebe4d21f99773db32e6b41e2ffaf9188457e8828ba1b1201a6a
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 73C1E372B1C28687E724CF59A14476AB7E1F798B84F548139DB5A83744DF3EE809CB40

Function 00007FF60F1A8BF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF60F1A8E47
RaiseException.KERNEL32 ref: 00007FF60F1A8E58

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 7f7800ade579f0d6f16bfab74bfde48d1f128962063d5dbe27371a705b590b7f
Instruction ID: f4c5ed4d40c5b5830dfbec2e69f0672b4d3f5f20fa4f2d8e57fad858a4478893
Opcode Fuzzy Hash: 7f7800ade579f0d6f16bfab74bfde48d1f128962063d5dbe27371a705b590b7f
Instruction Fuzzy Hash: 65B15B73618B85CAEB55CF29C8463687BE0F784B58F288961DB6D837A4CF39D459C700

Function 00007FF60F1869F0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF60F186A21
FindClose.KERNEL32 ref: 00007FF60F186A30

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: dc40c5d753e30fe3fc1e8c3801fb870584b7f8e0a0b7135dd7118dd934c1c4bb
Instruction ID: 3394e8545f31de1483df4b41df10eefca2be9acd7299518aeea86b27b02efddd
Opcode Fuzzy Hash: dc40c5d753e30fe3fc1e8c3801fb870584b7f8e0a0b7135dd7118dd934c1c4bb
Instruction Fuzzy Hash: 05F0AF32A1C68286E7A08F60F59976A7390FB84724F105735E66D826D4DF7CE41DCA00

Function 00007FF60F192A28 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF60F192DD8
, xrefs: 00007FF60F192B96

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 7bbf33436acad36ae8a1b43dc77540a41ad4992d9fd982d144688fd018ad6b29
Instruction ID: 86b13d2eea9732ce0867a95d3597c0cf18c5e4102866ea16a1984165b21de683
Opcode Fuzzy Hash: 7bbf33436acad36ae8a1b43dc77540a41ad4992d9fd982d144688fd018ad6b29
Instruction Fuzzy Hash: FAE1AF32A0C68692EB788F29819017D33A0FF45B98F3452B5DA5E87795DF3DE852C780

Function 00007FF60F19D208 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF60F19D315
gfff, xrefs: 00007FF60F19D392

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 533175c5a31c969ed4ab8aeb227c1284adb18f6ecb4834c3077741e0ab5839c5
Instruction ID: 71d51726bf92742dbc1b6b83ab48ab3c1d31b556d6a40188c083a22e3a4eb6aa
Opcode Fuzzy Hash: 533175c5a31c969ed4ab8aeb227c1284adb18f6ecb4834c3077741e0ab5839c5
Instruction Fuzzy Hash: 90517572B1C6C586E7248E39E900769BB91F744B90F6882B9CBA88BAC5CF7DD4048740

Function 00007FF60F19CD74 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF60F19D0B6

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 7cb6c3f32e91a926ccbf64ab8ba01f2a38c928c6639247976dccb01524fe6e1b
Instruction ID: ade83c3bbad1318eb20cb8cedf7c55ec9c52015c18eefa9c1432ac661733027d
Opcode Fuzzy Hash: 7cb6c3f32e91a926ccbf64ab8ba01f2a38c928c6639247976dccb01524fe6e1b
Instruction Fuzzy Hash: C0A15573B0C7C686EB25CB29A0007AA7B90EB50B84F248171DE8D87781DF3EE506C781

Function 00007FF60F19710C Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF60F19712B

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 1f7d039c64384c012ba99c8160e4e4596aee6f87cbf59d2775302b4d0e04aaa9
Instruction ID: 1272eb557cc17a804b4430bfdb2c52c30cdabe0c15f93a8d75443836f3d1be63
Opcode Fuzzy Hash: 1f7d039c64384c012ba99c8160e4e4596aee6f87cbf59d2775302b4d0e04aaa9
Instruction Fuzzy Hash: 4551A131F2C64242FA68AB66591157A53D1EF95BC4F7844B8EE0EC77D6EF3CE4064280

Function 00007FF60F1A2630 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF60F1A2634

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: fe4f89a29164ef60706ac008de4aa1412735d6976d80202131d31ba446223f83
Instruction ID: dfdbad6ba6b101c1c575bc96ed8fe77d88fdbe81d28d667251024996d47c0421
Opcode Fuzzy Hash: fe4f89a29164ef60706ac008de4aa1412735d6976d80202131d31ba446223f83
Instruction Fuzzy Hash: 9AB09230E0BB02C2EA082B21AC8262423A4BF58B10FAA00B8C00C80320DF3C20AE9700

Function 00007FF60F1921EC Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6bd4aeaf1a32ba0a400cf215f270628cf800823f5191017f2ae2dcea54fc97
Instruction ID: aa706ad5ae9c774b7d6c59b6cfbfaa0408df24161e124f0a00e153e7b6fcd503
Opcode Fuzzy Hash: be6bd4aeaf1a32ba0a400cf215f270628cf800823f5191017f2ae2dcea54fc97
Instruction Fuzzy Hash: 0CE1C432A0C68296F7688E29C1543BC27A1EB59B54F3482B9CE0DC72D5CF3DE942C780

Function 00007FF60F192624 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7030e3183cde293472bd1af0c19cf6b5d71ff879be136be2a1b5beee93e2b61
Instruction ID: a2b12f8150fce883ecd2723c47dbf2601b51c08bd471b3e85bda9f25dbe8bb89
Opcode Fuzzy Hash: c7030e3183cde293472bd1af0c19cf6b5d71ff879be136be2a1b5beee93e2b61
Instruction Fuzzy Hash: 0AD1E036A0C692A6EB6CCE2A855027D27A0FB16B48F3442B5CE1D976D5CF3DE845C7C0

Function 00007FF60F187430 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87de8634ded3f4e8458923233739ad96d21dd7a231352b5b7c5ed9b2526c006a
Instruction ID: 9280a80f503659c3336f4451a44ecbd407d531b1e85fd80a4f7e7e16521d92d5
Opcode Fuzzy Hash: 87de8634ded3f4e8458923233739ad96d21dd7a231352b5b7c5ed9b2526c006a
Instruction Fuzzy Hash: A0C1D4722281E08BE689EB29F45987A37D2F788309FD9403AEB87477C5CA3DE415D750

Function 00007FF60F19133C Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbdd63b75b42ad7439867ca4b24ab3856e6f83d1386856208b462784abde87f
Instruction ID: 8d7a9d9e5ef6f79624f9bc4931c46e9358e475ed14107afa06cfa763c66acb51
Opcode Fuzzy Hash: afbdd63b75b42ad7439867ca4b24ab3856e6f83d1386856208b462784abde87f
Instruction Fuzzy Hash: 7CB1A272A0C74295E7648F39C05027D3BA0EB4AF48F3941B5CA8E97399CF79E881C791

Function 00007FF60F1916D4 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc8fd975d7067d56c776f48e591c75802337bcef6e3071df9449d276b1abfcc
Instruction ID: 10e43dc4d246e0d2d7dfb2739451e1590b04af9d18069916c5e730047fe26876
Opcode Fuzzy Hash: 9fc8fd975d7067d56c776f48e591c75802337bcef6e3071df9449d276b1abfcc
Instruction Fuzzy Hash: 9AB16D76A0C78696EB658F2AC05027C3BA0F749F48F3441B6CA4EA7395CF39D881D785

Function 00007FF60F19D888 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd5d989e7635e1d0b21fa60e30f3936793c7b8db49fcf77cee77a31b8038a54
Instruction ID: 0f91a4e19523a687e44452052041ba71c9df5e5186d3125e79fcd542adae8685
Opcode Fuzzy Hash: fcd5d989e7635e1d0b21fa60e30f3936793c7b8db49fcf77cee77a31b8038a54
Instruction Fuzzy Hash: 5881C572A0C78146EB74CF29A490379B7A1FB86794F644275DADE83B99CF3CD4008B40

Function 00007FF60F1A58B0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d003bb86ff7f146e11c69d63177ddcecb431cf0828b5e126d5f920f3d1e621d2
Instruction ID: 09d7ab653ad2dfc465c831171f0ef26ecac55f4f381141374319defc8341b5f3
Opcode Fuzzy Hash: d003bb86ff7f146e11c69d63177ddcecb431cf0828b5e126d5f920f3d1e621d2
Instruction Fuzzy Hash: FE619E32F1C29246F7648A29946027D67C3EF40770F7C02B9EA5ECA6D5EF6DE8488740

Function 00007FF60F190774 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e009b45869f76b4bc0fd62373217406c0429eee7efa8b33e1f678da67ddd1256
Instruction ID: 4289565672663f69c65021dc6c410cc574d2188af7fa2ac43c3e05e876623a18
Opcode Fuzzy Hash: e009b45869f76b4bc0fd62373217406c0429eee7efa8b33e1f678da67ddd1256
Instruction Fuzzy Hash: E4516D76E1CA5186E7288B39C05423937A1EB48F68F344175CA8D97795DF3AE843CBC0

Function 00007FF60F18FF54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7d583fdacf7a8c68166448a21aae8e03012e85621840fd7aae1b2904462282
Instruction ID: a373dbb811f0b7dcdb6fbf367d968ca1e3a8b64ad6063b06c2cc64d8c98027ac
Opcode Fuzzy Hash: 9a7d583fdacf7a8c68166448a21aae8e03012e85621840fd7aae1b2904462282
Instruction Fuzzy Hash: 12516037A1C65582E7288B29C14423833A0EB49F68F384171CA9D977E8DF7AE853C780

Function 00007FF60F190364 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0632a4a7e014686f42235b66fbebb9a54d6c0d44d943c89546efb0de6bc1d6
Instruction ID: 4d087fb50ce6512d6359118e9f749621182a4475501a6c9aae59ad2b4840ee80
Opcode Fuzzy Hash: 4e0632a4a7e014686f42235b66fbebb9a54d6c0d44d943c89546efb0de6bc1d6
Instruction Fuzzy Hash: 2A517D36A1CA5186E7248B39C04023C37A0EB58B68F345275CE8D97795CF3AED53CB80

Function 00007FF60F190570 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc3e59ea296ef31dc5cb467e3ef236485a99d13d7a42ba6bd49c72ea64a61b5
Instruction ID: 8b8d0c985473d0a72d4b2b39d2c93a7081ba45aa737c34f1d0e6aa9b6c278f13
Opcode Fuzzy Hash: bbc3e59ea296ef31dc5cb467e3ef236485a99d13d7a42ba6bd49c72ea64a61b5
Instruction Fuzzy Hash: B7514F76A2C65186E7648B39C05023D27A1EB89F68F358171CE8D97795CF3AEC53CB80

Function 00007FF60F18FD50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1122cbedd3da6cae4974dcedcaf2c480ad91f4dcca857e3bd784bf5366bd6c74
Instruction ID: c359d10eecd1e7198ecf9a845b7ea04b249a2fe6e186ab614cedabbd190b0019
Opcode Fuzzy Hash: 1122cbedd3da6cae4974dcedcaf2c480ad91f4dcca857e3bd784bf5366bd6c74
Instruction Fuzzy Hash: 4E518D77A2CA5186E7248B29C24033837A0EB89B58F355171DE4D97799CFBAE843C780

Function 00007FF60F190160 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fed526c0ef6e22bd960d06d2221fad266d41c34a47db8c9ca14c01ed2528e2
Instruction ID: f4739d93a51faf233ddb4a6ba930da5feb833d76b3f21f1d16b2da721dc9527b
Opcode Fuzzy Hash: e8fed526c0ef6e22bd960d06d2221fad266d41c34a47db8c9ca14c01ed2528e2
Instruction Fuzzy Hash: 4F516A36A1CA5586E7648B39C04022C37A1EB9DF58F344175CE4D977A9CF3AE883C780

Function 00007FF60F194FD0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e13b74b0b529d91a8ac9ee6727b9f2d590474870fceb05c3e17ea5803dfc50d
Instruction ID: 98575afaecbd35597c7a60c64a7438e777592a385babd07d43598aa6d366beea
Opcode Fuzzy Hash: 7e13b74b0b529d91a8ac9ee6727b9f2d590474870fceb05c3e17ea5803dfc50d
Instruction Fuzzy Hash: 7141C072D0E64A09E997891805147B92BC2EF22BA4D3C53F4DD99B33CBCF0E258782D0

Function 00007FF60F198D10 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 4e626db8f672c8f9a68360c7389e8f7894e58d94442387c78e1b4a483649a916
Instruction ID: bdf2677460d0b24d6a692a6f4ef238c11af693962d7b5e697f5810f55713fb69
Opcode Fuzzy Hash: 4e626db8f672c8f9a68360c7389e8f7894e58d94442387c78e1b4a483649a916
Instruction Fuzzy Hash: 8241E272B1CA5582EF48CF2AE9241A9B3A1FB48FD0B589436EE0D87B54DF3CC4468340

Function 00007FF60F1966D4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff02aa40d47e1f81f312e06ee07fce20c9eb6e0e746124aa9fd8eb4087d69ca8
Instruction ID: dba286650fb31452d97906c1094cc6a7482e80de51a4c1e9891ebf0d30846cfa
Opcode Fuzzy Hash: ff02aa40d47e1f81f312e06ee07fce20c9eb6e0e746124aa9fd8eb4087d69ca8
Instruction Fuzzy Hash: F731B132B0CB4282E6689F26A89012E77D5EB84BE0F244279EA5D93BD5DF3CD0124754

Function 00007FF60F1A8A40 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f11e33a503e903f6fd17a98672f77b01e7338ee743f4d3b2c43cccbf09155b6
Instruction ID: 14e766172655b92eeb6aac74764d4134f1d74066411c7918ffc6a25076b55658
Opcode Fuzzy Hash: 1f11e33a503e903f6fd17a98672f77b01e7338ee743f4d3b2c43cccbf09155b6
Instruction Fuzzy Hash: F8F068B171C2558ADB988F6DB802629B7D0F7883C0F509579D59DC3B04DB3C90508F44

Function 00007FF60F18ABE4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da48dd3124fb9caf3cd120bb8db444467ff7ae744a775920e6920fcf6cc11ced
Instruction ID: 2ada0a82b3138447755e30cf954d4ce65aca9b98aa99010c9b02e2478427a06f
Opcode Fuzzy Hash: da48dd3124fb9caf3cd120bb8db444467ff7ae744a775920e6920fcf6cc11ced
Instruction Fuzzy Hash: 76A0027194CC02F2E6858B00E9500303370FF55300B6101B2D04DC10A0EF7CF849C300

Function 00007FF60F182F20 Relevance: 291.0, APIs: 55, Strings: 111, Instructions: 457libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF60F1822DE,?,?,?,?), ref: 00007FF60F182F36
GetProcAddress.KERNEL32(?,?,00000000,00007FF60F1822DE,?,?,?,?), ref: 00007FF60F182F75
GetProcAddress.KERNEL32(?,?,00000000,00007FF60F1822DE,?,?,?,?), ref: 00007FF60F182F9A
GetProcAddress.KERNEL32(?,?,00000000,00007FF60F1822DE,?,?,?,?), ref: 00007FF60F182FBF
GetProcAddress.KERNEL32(?,?,00000000,00007FF60F1822DE,?,?,?,?), ref: 00007FF60F182FE7
GetProcAddress.KERNEL32(?,?,00000000,00007FF60F1822DE,?,?,?,?), ref: 00007FF60F18300F
GetProcAddress.KERNEL32(?,?,00000000,00007FF60F1822DE,?,?,?,?), ref: 00007FF60F183037
GetProcAddress.KERNEL32(?,?,00000000,00007FF60F1822DE,?,?,?,?), ref: 00007FF60F18305F
GetProcAddress.KERNEL32(?,?,00000000,00007FF60F1822DE,?,?,?,?), ref: 00007FF60F183087

Strings

Failed to get address for PyList_Append, xrefs: 00007FF60F1833E9
Failed to get address for Py_Initialize, xrefs: 00007FF60F183191
Py_UnbufferedStdioFlag, xrefs: 00007FF60F18307D
Failed to get address for PyList_New, xrefs: 00007FF60F183411
PyDict_GetItemString, xrefs: 00007FF60F18323D
PyObject_CallFunction, xrefs: 00007FF60F18346D
Failed to get address for PyLong_AsLong, xrefs: 00007FF60F183439
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF60F183049
Py_NoUserSiteDirectory, xrefs: 00007FF60F183005
PyObject_CallFunctionObjArgs, xrefs: 00007FF60F183495
Py_DecodeLocale, xrefs: 00007FF60F18369D
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF60F183709
Failed to get address for PyObject_Str, xrefs: 00007FF60F183529
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF60F1834B1
Failed to get address for PyModule_GetDict, xrefs: 00007FF60F183461
PyRun_SimpleStringFlags, xrefs: 00007FF60F183535
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF60F183399
GetProcAddress, xrefs: 00007FF60F182F4F
Failed to get address for PyErr_Occurred, xrefs: 00007FF60F1832A9
PyObject_GetAttrString, xrefs: 00007FF60F1834E5
PyErr_Occurred, xrefs: 00007FF60F18328D
Py_SetPath, xrefs: 00007FF60F18319D
Failed to get address for PySys_SetObject, xrefs: 00007FF60F1835F1
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF60F1834D9
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF60F183551
Failed to get address for Py_GetPath, xrefs: 00007FF60F1831E1
Py_DontWriteBytecodeFlag, xrefs: 00007FF60F182F2F
PyUnicode_Replace, xrefs: 00007FF60F1837B5
PyList_New, xrefs: 00007FF60F1833F5
PyImport_ExecCodeModule, xrefs: 00007FF60F18337D
PyErr_Clear, xrefs: 00007FF60F183265
Failed to get address for Py_BuildValue, xrefs: 00007FF60F1830F1
Failed to get address for Py_FrozenFlag, xrefs: 00007FF60F182FAC
PyObject_SetAttrString, xrefs: 00007FF60F1834BD
Py_VerboseFlag, xrefs: 00007FF60F183055
Failed to get address for Py_UTF8Mode, xrefs: 00007FF60F1830C9
Failed to get address for PyUnicode_FromString, xrefs: 00007FF60F183691
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF60F183501
PyLong_AsLong, xrefs: 00007FF60F18341D
PyErr_Restore, xrefs: 00007FF60F183305
Failed to get address for PyErr_Clear, xrefs: 00007FF60F183281
PyUnicode_FromFormat, xrefs: 00007FF60F1836ED
PyObject_Str, xrefs: 00007FF60F18350D
PySys_AddWarnOption, xrefs: 00007FF60F18355D
Failed to get address for PyErr_Fetch, xrefs: 00007FF60F1832F9
Failed to get address for PyMem_RawFree, xrefs: 00007FF60F1836E1
Failed to get address for PyUnicode_Join, xrefs: 00007FF60F1837A9
Failed to get address for PyImport_ImportModule, xrefs: 00007FF60F1833C1
PyErr_Print, xrefs: 00007FF60F1832B5
PyUnicode_FromString, xrefs: 00007FF60F183675
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF60F183669
PySys_GetObject, xrefs: 00007FF60F1835AD
Failed to get address for PyErr_Restore, xrefs: 00007FF60F183321
Py_IgnoreEnvironmentFlag, xrefs: 00007FF60F182FB5
PyErr_NormalizeException, xrefs: 00007FF60F18332D
PyModule_GetDict, xrefs: 00007FF60F183445
Failed to get address for Py_Finalize, xrefs: 00007FF60F183141
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF60F183349
PyList_Append, xrefs: 00007FF60F1833CD
Py_FileSystemDefaultEncoding, xrefs: 00007FF60F182F6B
Failed to get address for PyEval_EvalCode, xrefs: 00007FF60F183641
Py_Finalize, xrefs: 00007FF60F183125
Py_FrozenFlag, xrefs: 00007FF60F182F90
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF60F183759
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF60F182FF9
PyMem_RawFree, xrefs: 00007FF60F1836C5
Failed to get address for Py_SetPythonHome, xrefs: 00007FF60F183231
Py_SetPythonHome, xrefs: 00007FF60F183215
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF60F183781
Py_NoSiteFlag, xrefs: 00007FF60F182FDD
Py_IncRef, xrefs: 00007FF60F18314D
PySys_SetObject, xrefs: 00007FF60F1835D5
Failed to get address for PyDict_GetItemString, xrefs: 00007FF60F183259
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF60F183021
Failed to get address for PySys_SetPath, xrefs: 00007FF60F183619
Py_Initialize, xrefs: 00007FF60F183175
Py_DecRef, xrefs: 00007FF60F1830FD
PyUnicode_Decode, xrefs: 00007FF60F183715
PyUnicode_DecodeFSDefault, xrefs: 00007FF60F18373D
Failed to get address for Py_DecodeLocale, xrefs: 00007FF60F1836B9
Failed to get address for PyImport_AddModule, xrefs: 00007FF60F183371
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF60F182F48
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF60F183579
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF60F182F87
Failed to get address for PyObject_CallFunction, xrefs: 00007FF60F183489
PySys_SetPath, xrefs: 00007FF60F1835FD
PyImport_AddModule, xrefs: 00007FF60F183355
PySys_SetArgvEx, xrefs: 00007FF60F183585
Failed to get address for Py_SetPath, xrefs: 00007FF60F1831B9
Py_GetPath, xrefs: 00007FF60F1831C5
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF60F183099
Py_OptimizeFlag, xrefs: 00007FF60F18302D
Failed to get address for Py_DecRef, xrefs: 00007FF60F183119
PyErr_Fetch, xrefs: 00007FF60F1832DD
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF60F182FD1
Failed to get address for Py_IncRef, xrefs: 00007FF60F183169
Failed to get address for Py_SetProgramName, xrefs: 00007FF60F183209
Failed to get address for PyUnicode_Decode, xrefs: 00007FF60F183731
PyUnicode_Join, xrefs: 00007FF60F18378D
Py_UTF8Mode, xrefs: 00007FF60F1830AD
Failed to get address for Py_VerboseFlag, xrefs: 00007FF60F183071
PyUnicode_AsUTF8, xrefs: 00007FF60F183765
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF60F1835A1
Failed to get address for PyUnicode_Replace, xrefs: 00007FF60F1837D1
Failed to get address for PySys_GetObject, xrefs: 00007FF60F1835C9
Py_BuildValue, xrefs: 00007FF60F1830D5
Py_SetProgramName, xrefs: 00007FF60F1831ED
PyEval_EvalCode, xrefs: 00007FF60F183625
Failed to get address for PyErr_Print, xrefs: 00007FF60F1832D1
PyImport_ImportModule, xrefs: 00007FF60F1833A5
PyMarshal_ReadObjectFromString, xrefs: 00007FF60F18364D

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 3bea514fa4f08e80501ab3dc7f797134890914dfa2bea7b2bd18d9992429628c
Instruction ID: 9982d910e40495ca36de67a4fa312897301c3b6713d473bcdfcf9d326fa36cae
Opcode Fuzzy Hash: 3bea514fa4f08e80501ab3dc7f797134890914dfa2bea7b2bd18d9992429628c
Instruction Fuzzy Hash: 15428F74A0DB83D1EA5ADB08BA9017823E1EF44790FB455B5C84E863A8FFBDA55DD300

Function 00007FF60F186C00 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 113COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF60F186C3C

Part of subcall function 00007FF60F181CB0: GetLastError.KERNEL32(?,?,00000000,00007FF60F186914,?,?,?,?,?,?,?,?,?,?,?,00007FF60F181023), ref: 00007FF60F181CD7

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF60F186C49
win32_wcs_to_mbs, xrefs: 00007FF60F186D1B
Out of memory., xrefs: 00007FF60F186C80, 00007FF60F186D22
win32_utils_from_utf8, xrefs: 00007FF60F186C79
MultiByteToWideChar, xrefs: 00007FF60F186C50, 00007FF60F186CBD
Failed to get ANSI buffer size., xrefs: 00007FF60F186CFD
Failed to decode wchar_t from UTF-8, xrefs: 00007FF60F186CB6
Failed to encode filename as ANSI., xrefs: 00007FF60F186D55
WideCharToMultiByte, xrefs: 00007FF60F186D5C

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$WideCharToMultiByte$win32_utils_from_utf8$win32_wcs_to_mbs
API String ID: 203985260-1562484376
Opcode ID: c6af48c2a72f93560c75fce8b7fe5bee055e0ffe2315a87dca28ecb6449ed662
Instruction ID: 72d0fe624cd10abe36288dce0c02c548b7dce81a0abdc8b0bd7158c2a32827f8
Opcode Fuzzy Hash: c6af48c2a72f93560c75fce8b7fe5bee055e0ffe2315a87dca28ecb6449ed662
Instruction Fuzzy Hash: 0241A031A0CB4391E620DB21ED4007A77E2EF84BD0F644675D98ED7AA5DF7CE5068340

Function 00007FF60F18F5D8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18F618
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18F9E0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18FC7F

Strings

f, xrefs: 00007FF60F18F71A
f, xrefs: 00007FF60F18F6B0
f, xrefs: 00007FF60F18F865
p, xrefs: 00007FF60F18F6BD
p, xrefs: 00007FF60F18F722

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction ID: f7cf79eb501a5e4db1a67f68daa2b81e43513232ae722cd14b5b92e5196eda61
Opcode Fuzzy Hash: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction Fuzzy Hash: BF12C536E0C28386FB20AE14E2547B97791FB80754FA44175E68AC76C8DFBCE5838B51

Function 00007FF60F1812B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF60F1812E2
fseek, xrefs: 00007FF60F181319
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF60F1813E2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF60F181312
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF60F18134C
fread, xrefs: 00007FF60F1813E9
malloc, xrefs: 00007FF60F181353

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: 0ece3a955acdc2189749ff5ff00da7320da20d9062027264bcafa9bd28b34b79
Instruction ID: 8deb96ac6ee62c849a446c0bca842eb6476daea894413d8d5ef3604aeb3d8c17
Opcode Fuzzy Hash: 0ece3a955acdc2189749ff5ff00da7320da20d9062027264bcafa9bd28b34b79
Instruction Fuzzy Hash: FC418E32B0CA4292EA24DB11E9006BA63A0FF54BD0F644472DE4D97B55EFBCE547C700

Function 00007FF60F18CFA0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF60F18CFFD

Part of subcall function 00007FF60F18DF10: __GetUnwindTryBlock.LIBCMT ref: 00007FF60F18DF53
Part of subcall function 00007FF60F18DF10: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF60F18DF78

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF60F18D0D5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF60F18D32A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF60F18D436

Strings

csm, xrefs: 00007FF60F18D07E
csm, xrefs: 00007FF60F18D0F8
csm, xrefs: 00007FF60F18D017

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: f65cca0dd748533ec0e0c8100e92ec79f40903f330e835159906267943919e52
Instruction ID: 3db6a2a12532db25356c97449c61b75496b4010a93b714c0c365fbaf16852d4e
Opcode Fuzzy Hash: f65cca0dd748533ec0e0c8100e92ec79f40903f330e835159906267943919e52
Instruction Fuzzy Hash: 36E19272A0C7418AEB20DF65E6803AD77A0FB55B98F200175EE8D97B95CF78E582C740

Function 00007FF60F1867D0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF60F181023), ref: 00007FF60F18686F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF60F181023), ref: 00007FF60F1868BF

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF60F186901
Out of memory., xrefs: 00007FF60F1868F1
win32_utils_to_utf8, xrefs: 00007FF60F1868F8
Failed to encode wchar_t as UTF-8., xrefs: 00007FF60F1868E8
WideCharToMultiByte, xrefs: 00007FF60F186908

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 842819fd0de434b72f89aea08788796a3a6fbb43ae32da6e9284d85ccd3845d2
Instruction ID: 056d153447e79b455a22ca9a1beda261d8e57c51115bb578fc54f89bc33ceb53
Opcode Fuzzy Hash: 842819fd0de434b72f89aea08788796a3a6fbb43ae32da6e9284d85ccd3845d2
Instruction Fuzzy Hash: 6D419E32A0CB8286E620CF16F95017AB7A4FB84B90F644175DE8D87BA4DF7CE456C740

Function 00007FF60F186ED0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00007FF60F182D35,?,?,?,?,?,?), ref: 00007FF60F186F11

Part of subcall function 00007FF60F181CB0: GetLastError.KERNEL32(?,?,00000000,00007FF60F186914,?,?,?,?,?,?,?,?,?,?,?,00007FF60F181023), ref: 00007FF60F181CD7

WideCharToMultiByte.KERNEL32(00000000,00007FF60F182D35,?,?,?,?,?,?), ref: 00007FF60F186F85

Strings

Failed to get UTF-8 buffer size., xrefs: 00007FF60F186F1E
Out of memory., xrefs: 00007FF60F186F4B
win32_utils_to_utf8, xrefs: 00007FF60F186F52
Failed to encode wchar_t as UTF-8., xrefs: 00007FF60F186F8F
WideCharToMultiByte, xrefs: 00007FF60F186F25, 00007FF60F186F96

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-27947307
Opcode ID: df947e153a4d297c551ea8f0f320faf028395d0bacfd384824c4aacdb755590f
Instruction ID: f5d04554ccd4c6ca5e50a62559cf2f543f8df4592cbb757147e4a95b16a717f5
Opcode Fuzzy Hash: df947e153a4d297c551ea8f0f320faf028395d0bacfd384824c4aacdb755590f
Instruction Fuzzy Hash: 2B217731B1CB4685EB149F26EE50079BBA1FF84B80B644175DA4DC37A4EF7CE91A8380

Function 00007FF60F1993D4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F199417
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F199804
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F199AA0

Strings

p, xrefs: 00007FF60F199541
f, xrefs: 00007FF60F199539
p, xrefs: 00007FF60F1994C9

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction ID: e6d6f4af49c87444b59393ca8431c54c7c8bf57db981966ffc994cb3baf931f9
Opcode Fuzzy Hash: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction Fuzzy Hash: 1A12A372E0D14786FB249F15D1546BAB792FB90750FE8417DE68A876C8DF3DE8808B80

Function 00007FF60F186FC0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF60F187055
MultiByteToWideChar.KERNEL32 ref: 00007FF60F187097

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF60F1870D6
Out of memory., xrefs: 00007FF60F1870C6
win32_utils_from_utf8, xrefs: 00007FF60F1870CD
MultiByteToWideChar, xrefs: 00007FF60F1870DD
Failed to decode wchar_t from UTF-8, xrefs: 00007FF60F1870BD

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-876015163
Opcode ID: c63a8705ae77710e22cb38bb79ea38e96bc84988aed726f017d1a1a1dd5352b3
Instruction ID: b55c2c1d0789c54b915d78e89c33e79a61f5ac3aa309572949986eb1be0b1d88
Opcode Fuzzy Hash: c63a8705ae77710e22cb38bb79ea38e96bc84988aed726f017d1a1a1dd5352b3
Instruction Fuzzy Hash: CA418D32A0CB4282E620DF16A94017A7BA5FB85B90F344175EA8DC7BE4EF7DE456C740

Function 00007FF60F1855E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF60F186DC0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF60F186DFA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF60F185931,?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F18563F

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF60F185616
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF60F185653
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF60F18569A

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: 685ac72506e3a068510bc5613cf0a33b36cee39f446b40950092050ae43c98ea
Instruction ID: ae98019972eabad49f558761b38b4b43f909f81e9b79b01545ffb93563a73b91
Opcode Fuzzy Hash: 685ac72506e3a068510bc5613cf0a33b36cee39f446b40950092050ae43c98ea
Instruction Fuzzy Hash: 68319671B1C78391FA24D721E6552FA6391EF987D0FB84472DA4EC27D6EF6CE10A8600

Function 00007FF60F18C258 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF60F18C50A,?,?,?,00007FF60F18C1FC,?,?,00000001,00007FF60F18BE19), ref: 00007FF60F18C2DD
GetLastError.KERNEL32(?,?,?,00007FF60F18C50A,?,?,?,00007FF60F18C1FC,?,?,00000001,00007FF60F18BE19), ref: 00007FF60F18C2EB
LoadLibraryExW.KERNEL32(?,?,?,00007FF60F18C50A,?,?,?,00007FF60F18C1FC,?,?,00000001,00007FF60F18BE19), ref: 00007FF60F18C315
FreeLibrary.KERNEL32(?,?,?,00007FF60F18C50A,?,?,?,00007FF60F18C1FC,?,?,00000001,00007FF60F18BE19), ref: 00007FF60F18C35B
GetProcAddress.KERNEL32(?,?,?,00007FF60F18C50A,?,?,?,00007FF60F18C1FC,?,?,00000001,00007FF60F18BE19), ref: 00007FF60F18C367

Strings

api-ms-, xrefs: 00007FF60F18C2FD

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9fa3fe7d6df773d1c5bf24e67e430f6ff715784c160aee4fa5e303400e9c878a
Instruction ID: 1dab59cd3850761fabaf282e6818e0353c02412d5ab5b3c84a0f5c9e6cc29461
Opcode Fuzzy Hash: 9fa3fe7d6df773d1c5bf24e67e430f6ff715784c160aee4fa5e303400e9c878a
Instruction Fuzzy Hash: 1F31A031A1EA4292EE529B16AA0097933D4FF48BA0F790575DD1DCA390EF7CE44A8760

Function 00007FF60F186DC0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF60F186DFA

Part of subcall function 00007FF60F181CB0: GetLastError.KERNEL32(?,?,00000000,00007FF60F186914,?,?,?,?,?,?,?,?,?,?,?,00007FF60F181023), ref: 00007FF60F181CD7

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF60F186E80

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF60F186E07
Out of memory., xrefs: 00007FF60F186E42
win32_utils_from_utf8, xrefs: 00007FF60F186E49
MultiByteToWideChar, xrefs: 00007FF60F186E0E, 00007FF60F186E91
Failed to decode wchar_t from UTF-8, xrefs: 00007FF60F186E8A

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-876015163
Opcode ID: 13a0b7f3fd21cee1c2cd62ee385234548c1439332c91f829e0dfe80559821203
Instruction ID: afb8313ac547d321dde3dad9cf0bb63d46e1a276f752fcae517dcc1194220c06
Opcode Fuzzy Hash: 13a0b7f3fd21cee1c2cd62ee385234548c1439332c91f829e0dfe80559821203
Instruction Fuzzy Hash: 59218032B0CA4281EB50CB29F94016AA7A1FF88BC4F684171DB5CD3BA9EF6DD5568700

Function 00007FF60F19A790 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F,?,?,?,00007FF60F199483), ref: 00007FF60F19A79F
FlsGetValue.KERNEL32(?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F,?,?,?,00007FF60F199483), ref: 00007FF60F19A7B4
FlsSetValue.KERNEL32(?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F,?,?,?,00007FF60F199483), ref: 00007FF60F19A7D5
FlsSetValue.KERNEL32(?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F,?,?,?,00007FF60F199483), ref: 00007FF60F19A802
FlsSetValue.KERNEL32(?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F,?,?,?,00007FF60F199483), ref: 00007FF60F19A813
FlsSetValue.KERNEL32(?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F,?,?,?,00007FF60F199483), ref: 00007FF60F19A824
SetLastError.KERNEL32(?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F,?,?,?,00007FF60F199483), ref: 00007FF60F19A83F

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 2edf535838d47d07e159287e64e919bbb9833f77d9c5416c102145f594fa91aa
Instruction ID: a47da2e1d7a16cb90f0486ee15ad4254a3d90af82481120ea07558073646dd5d
Opcode Fuzzy Hash: 2edf535838d47d07e159287e64e919bbb9833f77d9c5416c102145f594fa91aa
Instruction Fuzzy Hash: 44214934E0C20381FA58A762A6421796752DF857B0F745AB8E83E87BD6DF2CB4468380

Function 00007FF60F1A70FC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF60F1A712D
GetLastError.KERNEL32 ref: 00007FF60F1A7139
CloseHandle.KERNEL32 ref: 00007FF60F1A7151
CreateFileW.KERNEL32 ref: 00007FF60F1A717C
WriteConsoleW.KERNEL32 ref: 00007FF60F1A719B

Strings

CONOUT$, xrefs: 00007FF60F1A715D

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 2b1705eb60c5a9ea67d3abf5815f39d96026ea1e9a70ddd12955119ba33cdf2b
Instruction ID: 70de6ad0b09347a84b926f752badb5f0623c1975da3e785d8671f8dd350fed92
Opcode Fuzzy Hash: 2b1705eb60c5a9ea67d3abf5815f39d96026ea1e9a70ddd12955119ba33cdf2b
Instruction Fuzzy Hash: 15114932A1CA42C6E7508B52B95432973E4FB88BE4F244274EA5EC7794DF7CD9188740

Function 00007FF60F19A908 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF60F1960A1,?,?,?,?,00007FF60F19DF2F,?,?,00000000,00007FF60F19AA26,?,?,?), ref: 00007FF60F19A917
FlsSetValue.KERNEL32(?,?,?,00007FF60F1960A1,?,?,?,?,00007FF60F19DF2F,?,?,00000000,00007FF60F19AA26,?,?,?), ref: 00007FF60F19A94D
FlsSetValue.KERNEL32(?,?,?,00007FF60F1960A1,?,?,?,?,00007FF60F19DF2F,?,?,00000000,00007FF60F19AA26,?,?,?), ref: 00007FF60F19A97A
FlsSetValue.KERNEL32(?,?,?,00007FF60F1960A1,?,?,?,?,00007FF60F19DF2F,?,?,00000000,00007FF60F19AA26,?,?,?), ref: 00007FF60F19A98B
FlsSetValue.KERNEL32(?,?,?,00007FF60F1960A1,?,?,?,?,00007FF60F19DF2F,?,?,00000000,00007FF60F19AA26,?,?,?), ref: 00007FF60F19A99C
SetLastError.KERNEL32(?,?,?,00007FF60F1960A1,?,?,?,?,00007FF60F19DF2F,?,?,00000000,00007FF60F19AA26,?,?,?), ref: 00007FF60F19A9B7

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 0908324b7ac9a3d747a6848fb68d48d79e4d89c371889db26e425d0a64325479
Instruction ID: a1df3e2b513a57359b5bdc778247ce4d0eba152f72dcfa7a1d1e192ddbade898
Opcode Fuzzy Hash: 0908324b7ac9a3d747a6848fb68d48d79e4d89c371889db26e425d0a64325479
Instruction Fuzzy Hash: 0D114A30A0C24382FA58A722A6621796782EF857B0F7557B8E87EC77C6DF2CA4454781

Function 00007FF60F18BC18 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF60F18BC43
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF60F18BCD8
RtlUnwindEx.KERNEL32 ref: 00007FF60F18BD27

Strings

f, xrefs: 00007FF60F18BC56
csm, xrefs: 00007FF60F18BCBE

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: c81fa8b68ebdc3525af754f24f91b9dd724933d7398a71cb8b59e34543720a2d
Instruction ID: 334580deebd4fea7727ecf8b2a3d7d8828804920f22e9c79b0b3db33bf93d97d
Opcode Fuzzy Hash: c81fa8b68ebdc3525af754f24f91b9dd724933d7398a71cb8b59e34543720a2d
Instruction Fuzzy Hash: 0351A132A1D60296EB18CF15E544A6937A5FB84B8CF618670DE5F87748DFB9E842C700

Function 00007FF60F198A50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF60F198A75
GetProcAddress.KERNEL32 ref: 00007FF60F198A8B
FreeLibrary.KERNEL32 ref: 00007FF60F198AB2

Strings

CorExitProcess, xrefs: 00007FF60F198A84
mscoree.dll, xrefs: 00007FF60F198A6C

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7b1d64ab01259317c918a4692f10d75b0eff9ac50a6035860a5edd4d678e03f2
Instruction ID: bb7357f9e92db7bce9ed1662652518c78692c6eec773665902a4bba6ea6b0d01
Opcode Fuzzy Hash: 7b1d64ab01259317c918a4692f10d75b0eff9ac50a6035860a5edd4d678e03f2
Instruction Fuzzy Hash: 06F06D31A1DB02C1EB108B25E85437A63A0FF8A7A1FA40679CA6E856E4DF2DD48DC340

Function 00007FF60F1A8834 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF60F1A885C
_set_statfp.LIBCMT ref: 00007FF60F1A8877
_set_statfp.LIBCMT ref: 00007FF60F1A8893
_set_statfp.LIBCMT ref: 00007FF60F1A88CF

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction ID: 9eb9101c699e65de1ee379adb40c4086c2aa9c044128433da1ea37ee95c5da38
Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction Fuzzy Hash: 5311A972E1CA1311F6581166E45537917C1EF95374F3806F4EA7ECA7DACF2CA94D4201

Function 00007FF60F19A9D0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF60F199BE3,?,?,00000000,00007FF60F199E7E,?,?,?,?,?,00007FF60F191A50), ref: 00007FF60F19A9EF
FlsSetValue.KERNEL32(?,?,?,00007FF60F199BE3,?,?,00000000,00007FF60F199E7E,?,?,?,?,?,00007FF60F191A50), ref: 00007FF60F19AA0E
FlsSetValue.KERNEL32(?,?,?,00007FF60F199BE3,?,?,00000000,00007FF60F199E7E,?,?,?,?,?,00007FF60F191A50), ref: 00007FF60F19AA36
FlsSetValue.KERNEL32(?,?,?,00007FF60F199BE3,?,?,00000000,00007FF60F199E7E,?,?,?,?,?,00007FF60F191A50), ref: 00007FF60F19AA47
FlsSetValue.KERNEL32(?,?,?,00007FF60F199BE3,?,?,00000000,00007FF60F199E7E,?,?,?,?,?,00007FF60F191A50), ref: 00007FF60F19AA58

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 09351de027a9279ca2a4c1b6434e165991dd483229a246c23f0232d6cbc44178
Instruction ID: 38270b1e304ab4b6927993794aa56ec2d81d1f2bba3b5807f7bc8ede010eae2d
Opcode Fuzzy Hash: 09351de027a9279ca2a4c1b6434e165991dd483229a246c23f0232d6cbc44178
Instruction Fuzzy Hash: 4A111C30F0C64242FA589325A65117A6742DF857F0F6497B8E83E867D6DF2CE8468780

Function 00007FF60F19A864 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F), ref: 00007FF60F19A875
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F), ref: 00007FF60F19A894
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F), ref: 00007FF60F19A8BC
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F), ref: 00007FF60F19A8CD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F), ref: 00007FF60F19A8DE

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3503e44f68c09ab1fcc5f97d2f28d09950786fdc08e97e82da204339743e9a53
Instruction ID: 0549284f06115540e54ee3fd8268cdb9c02f8090884a346f19b327c080e87c8e
Opcode Fuzzy Hash: 3503e44f68c09ab1fcc5f97d2f28d09950786fdc08e97e82da204339743e9a53
Instruction Fuzzy Hash: 11110C34E0D20741FA6CA37664521796742CF863B0F785BB8E93ECA2C2DF2CB4464791

Function 00007FF60F19F228 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F19F507

Part of subcall function 00007FF60F1A5504: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A5521

Strings

UTF-16LEUNICODE, xrefs: 00007FF60F19F4A5
ccs, xrefs: 00007FF60F19F442
UTF-8, xrefs: 00007FF60F19F486

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: c382c1c977a669aecc7822defb6d065999e88b5839408fc9f42df24ac2fd9b51
Instruction ID: 997da1e16eab6fe4920688f1267f6f206366283185fbfb4cc0f505aeb61f64ba
Opcode Fuzzy Hash: c382c1c977a669aecc7822defb6d065999e88b5839408fc9f42df24ac2fd9b51
Instruction Fuzzy Hash: 42818C36E0C242A5F7644E29815027C27A0EF21B88F7580B9DA4EDB695CF2DFA03D781

Function 00007FF60F18D478 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF60F18D4C4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF60F18D513

Strings

MOC, xrefs: 00007FF60F18D4D8
RCC, xrefs: 00007FF60F18D4E1

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 9b170d5fd3c93297408b7667d730af6b03d447aa0970c9ad65c03f5590751db3
Instruction ID: 049dca43285347fd4b928fbdab967ff13f088476065c4bf36ed58a238b5d9042
Opcode Fuzzy Hash: 9b170d5fd3c93297408b7667d730af6b03d447aa0970c9ad65c03f5590751db3
Instruction Fuzzy Hash: B3616C77A08B458AEB10CF65E1803AD77A0FB45B8CF244266EE4D57B94DF78E056C700

Function 00007FF60F18D7D4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF60F18D7FC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF60F18D8E4

Strings

csm, xrefs: 00007FF60F18D81E
csm, xrefs: 00007FF60F18D936

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 637ab8e9c70e0df228760242cb149b7cb456e558a6c876299bf740c7ea814677
Instruction ID: dcf1f883e1331dcb8f3e82494031e393d32bdbc8e23b4473efeb7a3186c62d71
Opcode Fuzzy Hash: 637ab8e9c70e0df228760242cb149b7cb456e558a6c876299bf740c7ea814677
Instruction Fuzzy Hash: FA51AF3290C3828AEB648F26A65437877A0FB45B88F244176DA9DC7BD5CFBCE452C701

Function 00007FF60F182CD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF60F1827C9,?,?,?,?,?,?), ref: 00007FF60F182D01

Part of subcall function 00007FF60F181CB0: GetLastError.KERNEL32(?,?,00000000,00007FF60F186914,?,?,?,?,?,?,?,?,?,?,?,00007FF60F181023), ref: 00007FF60F181CD7

Strings

Failed to get executable path., xrefs: 00007FF60F182D0B
Failed to convert executable path to UTF-8., xrefs: 00007FF60F182D3A
GetModuleFileNameW, xrefs: 00007FF60F182D12

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-1977442011
Opcode ID: f4519b566fb866c0e24e0c0f6095b74e6cdfdbd0a944601a087909324ed073f8
Instruction ID: c6d4846d4f3738b5477f3cecc1d79a646c239fe24f0e496410d525d0f5a8a9d9
Opcode Fuzzy Hash: f4519b566fb866c0e24e0c0f6095b74e6cdfdbd0a944601a087909324ed073f8
Instruction Fuzzy Hash: 8601A731B1C642D1FA619724E9453F51391FF587C0F600072E94EC6296EF6CF206C710

Function 00007FF60F19BBE0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF60F19BC5F
WriteFile.KERNEL32 ref: 00007FF60F19BF27
WriteFile.KERNEL32 ref: 00007FF60F19BF6D
GetLastError.KERNEL32 ref: 00007FF60F19C023

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 89395c3cea06f18251b83f2629999b57cc62c4450565b522e677bf7b2279916c
Instruction ID: 1731750f2af3ad2a765cf30141bcdecd8f80929f7202fd582fd3dc3537fc5cb4
Opcode Fuzzy Hash: 89395c3cea06f18251b83f2629999b57cc62c4450565b522e677bf7b2279916c
Instruction Fuzzy Hash: 06D11172B1CA8589E710CF75D4402AC37B5FB84B98B244276CE5E97B99DF38D116C780

Function 00007FF60F19484C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF60F19487F
GetFileInformationByHandle.KERNEL32 ref: 00007FF60F1948E1
GetLastError.KERNEL32 ref: 00007FF60F194972
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF60F194784), ref: 00007FF60F1949BE

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 1de9790e05870a994c8cd512dc0bf73c5d0095e8d25e0a1662523fa2deb398d1
Instruction ID: 444c1294c5f1160b661bcbbe8b482cbe7e64b0952d9f5b360a28ba2d96b9fca3
Opcode Fuzzy Hash: 1de9790e05870a994c8cd512dc0bf73c5d0095e8d25e0a1662523fa2deb398d1
Instruction Fuzzy Hash: AD515932E0C6428AFB10DFB1D4613BD23A1EB48B98F248575DE4D97689DF38E486C790

Function 00007FF60F1A4DCC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF60F1A0930: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A0963

_get_daylight.LIBCMT ref: 00007FF60F1A4EE4
_get_daylight.LIBCMT ref: 00007FF60F1A4EF5

Strings

?, xrefs: 00007FF60F1A4E75

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: ea61919ac6f8524f279918af95d4a367ebe415bf813acb2bc51f70dff045491e
Instruction ID: 978ae74ebf90e094937b8bb1f20ce6b37c38800375173d8d08a2132d0207508e
Opcode Fuzzy Hash: ea61919ac6f8524f279918af95d4a367ebe415bf813acb2bc51f70dff045491e
Instruction Fuzzy Hash: 1A41E432A1C38246FB64DB26E40137AA790EB80BA4F344279EE5C87AE9DF7CD445C700

Function 00007FF60F197FE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F198012

Part of subcall function 00007FF60F199F88: RtlFreeHeap.NTDLL(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199F9E
Part of subcall function 00007FF60F199F88: GetLastError.KERNEL32(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199FA8

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF60F18A495), ref: 00007FF60F198030

Strings

C:\Users\user\Desktop\run0796.exe, xrefs: 00007FF60F19801E

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\run0796.exe
API String ID: 3580290477-3544362879
Opcode ID: 8d8b2631746941ed8e9d93c586c1e08c09f8ebf82f2c91caf3ed4a0a8a2970d8
Instruction ID: cbafe1c4a113985bc4ba705ccff5ed6d0fef9eba0b7b6cb292734d9eb082303f
Opcode Fuzzy Hash: 8d8b2631746941ed8e9d93c586c1e08c09f8ebf82f2c91caf3ed4a0a8a2970d8
Instruction Fuzzy Hash: 25417132A0CB528AE754DF26D8410BD77A4FF45B94BA44475E90E87B85DF3DE881C380

Function 00007FF60F19C278 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF60F19C38F
GetLastError.KERNEL32 ref: 00007FF60F19C3B1

Strings

U, xrefs: 00007FF60F19C33B

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4ebfda0eb3dddeb426bdf92ebf3ecfca638941ee1d5aabdffb869394d8dbdab1
Instruction ID: a2a0c6ab8c2acca39ed5a853e6f4e0cbfe2ca8db1914ced32b3cd5f134f35aa7
Opcode Fuzzy Hash: 4ebfda0eb3dddeb426bdf92ebf3ecfca638941ee1d5aabdffb869394d8dbdab1
Instruction Fuzzy Hash: 5D418032A1CA4296DB208F25E8447AA77A1FB88B94F904036EA8DC7798DF7CD545C780

Function 00007FF60F19E598 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF60F19E5D8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF60F19E62A

Strings

:, xrefs: 00007FF60F19E5EE

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 6ea6d4d4bc35d25bba8af1de083b0a6473d04d25c8de49d1e69948f0a07f610c
Instruction ID: 0e27e7a44d936993938e5461c83913d7a8e5415e7c8f44ee9390162cfdabf6ac
Opcode Fuzzy Hash: 6ea6d4d4bc35d25bba8af1de083b0a6473d04d25c8de49d1e69948f0a07f610c
Instruction Fuzzy Hash: 8B21F172B0C68182FB24CB25D04426D73B2FB84B44FA58079DA9D83285CFBDE949CB91

Function 00007FF60F18E320 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF60F18E364
RaiseException.KERNEL32 ref: 00007FF60F18E3AA

Strings

csm, xrefs: 00007FF60F18E397

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: ca300da370bc200b47a9e29752d724a25d804681f54f6f31a4c62ce82835f912
Instruction ID: eee3c0535b133b55f052cf96bdf8a2a608836e5a3b83e95c76df4618a17f41bc
Opcode Fuzzy Hash: ca300da370bc200b47a9e29752d724a25d804681f54f6f31a4c62ce82835f912
Instruction Fuzzy Hash: EB114C3260CB4182EB618F15F54026977E1FB88B84F284270EE8D47758DF7CD956CB40

Function 00007FF60F19F09C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F19F0CC
GetDriveTypeW.KERNEL32 ref: 00007FF60F19F10C

Strings

:, xrefs: 00007FF60F19F0F5

Memory Dump Source

Source File: 00000000.00000002.1695360038.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000000.00000002.1695334812.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695389254.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1695915868.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1696384772.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff60f180000_run0796.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 5bb9208f1dd75f8da1bf4b84d43d2649c4580fde4fdc4700cc46879c1844a841
Instruction ID: 97a8c2114975a70ad4bed66a35c0286bc09d0236b21a536dcbfbd50ef7ff54a8
Opcode Fuzzy Hash: 5bb9208f1dd75f8da1bf4b84d43d2649c4580fde4fdc4700cc46879c1844a841
Instruction Fuzzy Hash: 0701D67291C20396F770AF60A46227E73A0EF44708FA8147AD54DC2695DF3DE546CB54

Analysis Process: run0796.exePID: 6632, Parent PID: 6472COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.9%
Total number of Nodes:	907
Total number of Limit Nodes:	29

Executed Functions

Function 00007FFE13271000 Relevance: 307.1, APIs: 10, Strings: 165, Instructions: 859
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00007FFE1327103C
00007FFDFB5BC3F0.PYTHON38 ref: 00007FFE13271051
VerSetConditionMask.NTDLL ref: 00007FFE132710A3
VerSetConditionMask.NTDLL ref: 00007FFE132710B2
VerSetConditionMask.NTDLL ref: 00007FFE132710C1
VerifyVersionInfoW.KERNEL32 ref: 00007FFE132710E4
VerSetConditionMask.NTDLL ref: 00007FFE13272015
VerSetConditionMask.NTDLL ref: 00007FFE13272024
VerSetConditionMask.NTDLL ref: 00007FFE13272035
VerifyVersionInfoA.KERNEL32 ref: 00007FFE1327205B

Strings

SHUT_WR, xrefs: 00007FFE13271EBC
IPPROTO_IPV4, xrefs: 00007FFE132716EC
SO_DONTROUTE, xrefs: 00007FFE1327143B
IPPROTO_IGP, xrefs: 00007FFE132718D0
SO_BROADCAST, xrefs: 00007FFE13271451
TCP_MAXSEG, xrefs: 00007FFE13271C4A
EAI_MEMORY, xrefs: 00007FFE13271D10
AF_IRDA, xrefs: 00007FFE1327134F
SOCK_SEQPACKET, xrefs: 00007FFE132713A4
SOL_IP, xrefs: 00007FFE13271645
SIO_LOOPBACK_FAST_PATH, xrefs: 00007FFE13271F20
SOCK_DGRAM, xrefs: 00007FFE13271378
IPV6_TCLASS, xrefs: 00007FFE13271C21
EAI_SOCKTYPE, xrefs: 00007FFE13271D68
AI_ALL, xrefs: 00007FFE13271DD3
IPV6_UNICAST_HOPS, xrefs: 00007FFE13271B48
SO_SNDLOWAT, xrefs: 00007FFE132714D5
SO_SNDTIMEO, xrefs: 00007FFE13271501
AF_DECnet, xrefs: 00007FFE13271323
MSG_MCAST, xrefs: 00007FFE1327161C
SOL_SOCKET, xrefs: 00007FFE13271632
SIO_KEEPALIVE_VALS, xrefs: 00007FFE13271F01
IPV6_DONTFRAG, xrefs: 00007FFE13271B8A
MSG_WAITALL, xrefs: 00007FFE132715DA
SO_EXCLUSIVEADDRUSE, xrefs: 00007FFE1327140F
SO_RCVTIMEO, xrefs: 00007FFE13271517
SHUT_RDWR, xrefs: 00007FFE13271ED2
IP_MULTICAST_LOOP, xrefs: 00007FFE13271A98
IPV6_LEAVE_GROUP, xrefs: 00007FFE13271AF0
RCVALL_SOCKETLEVELONLY, xrefs: 00007FFE13271F98
SOCK_RDM, xrefs: 00007FFE132713BA
TCP_KEEPCNT, xrefs: 00007FFE13271C8C
IPV6_HOPLIMIT, xrefs: 00007FFE13271BA0
SO_LINGER, xrefs: 00007FFE1327147D
IPV6_HOPOPTS, xrefs: 00007FFE13271BB3
AF_APPLETALK, xrefs: 00007FFE132712F7
RCVALL_MAX, xrefs: 00007FFE13271FAE
gaierror, xrefs: 00007FFE132711C0
AF_UNSPEC, xrefs: 00007FFE132712B5
SO_USELOOPBACK, xrefs: 00007FFE13271467
NI_NAMEREQD, xrefs: 00007FFE13271E6A
SOL_UDP, xrefs: 00007FFE13271671
EAI_AGAIN, xrefs: 00007FFE13271CB8
IPPROTO_FRAGMENT, xrefs: 00007FFE132717B2
IP_TOS, xrefs: 00007FFE13271A2A
SOMAXCONN, xrefs: 00007FFE13271559
IPPROTO_NONE, xrefs: 00007FFE1327180A
IPPROTO_ICMPV6, xrefs: 00007FFE132717F4
RCVALL_OFF, xrefs: 00007FFE13271F6F
IPPROTO_ICMP, xrefs: 00007FFE132716AA
EAI_NODATA, xrefs: 00007FFE13271D26
MSG_BCAST, xrefs: 00007FFE13271606
WSAStartup failed: error code %d, xrefs: 00007FFE1327415F
WSAStartup failed: requested version not supported, xrefs: 00007FFE13274181
INADDR_BROADCAST, xrefs: 00007FFE1327197D
EAI_BADFLAGS, xrefs: 00007FFE13271CCE
EAI_FAMILY, xrefs: 00007FFE13271CFA
IP_TTL, xrefs: 00007FFE13271A40
IPV6_JOIN_GROUP, xrefs: 00007FFE13271ADA
NI_MAXHOST, xrefs: 00007FFE13271E15
IPPROTO_GGP, xrefs: 00007FFE132716D6
IPPROTO_HOPOPTS, xrefs: 00007FFE13271697
AI_NUMERICSERV, xrefs: 00007FFE13271DBD
IPPROTO_DSTOPTS, xrefs: 00007FFE13271820
IPV6_CHECKSUM, xrefs: 00007FFE13271B74
IPPROTO_EGP, xrefs: 00007FFE1327172E
IP_RECVDSTADDR, xrefs: 00007FFE13271A56
IPPROTO_ST, xrefs: 00007FFE132718A4
IPPROTO_CBT, xrefs: 00007FFE132718BA
IP_HDRINCL, xrefs: 00007FFE13271A14
IPPORT_USERRESERVED, xrefs: 00007FFE13271954
SO_TYPE, xrefs: 00007FFE13271543
EAI_NONAME, xrefs: 00007FFE13271D3C
IPPROTO_IPV6, xrefs: 00007FFE13271702
error, xrefs: 00007FFE1327112A
IPPROTO_RAW, xrefs: 00007FFE13271862
socket, xrefs: 00007FFE1327124E
IPPROTO_AH, xrefs: 00007FFE132717DE
AI_ADDRCONFIG, xrefs: 00007FFE13271DE9
EAI_SERVICE, xrefs: 00007FFE13271D52
TCP_KEEPIDLE, xrefs: 00007FFE13271C60
socket.timeout, xrefs: 00007FFE132711DA
INADDR_MAX_LOCAL_GROUP, xrefs: 00007FFE132719D5
IPPROTO_IDP, xrefs: 00007FFE13271770
IPPROTO_ROUTING, xrefs: 00007FFE1327179C
_socket.CAPI, xrefs: 00007FFE13271283
IPPROTO_ICLFXBM, xrefs: 00007FFE1327188E
SO_ERROR, xrefs: 00007FFE1327152D
SO_RCVBUF, xrefs: 00007FFE132714BF
TCP_FASTOPEN, xrefs: 00007FFE13271CA2
AI_V4MAPPED, xrefs: 00007FFE13271DFF
timeout, xrefs: 00007FFE13271204
herror, xrefs: 00007FFE13271180
MSG_DONTROUTE, xrefs: 00007FFE13271598
TCP_NODELAY, xrefs: 00007FFE13271C34
INADDR_ALLHOSTS_GROUP, xrefs: 00007FFE132719BF
IPPROTO_ND, xrefs: 00007FFE13271786
AF_SNA, xrefs: 00007FFE13271339
socket.gaierror, xrefs: 00007FFE1327119A
NI_NUMERICHOST, xrefs: 00007FFE13271E54
TCP_KEEPINTVL, xrefs: 00007FFE13271C76
INADDR_NONE, xrefs: 00007FFE132719EB
IPV6_PKTINFO, xrefs: 00007FFE13271BC9
IPV6_RECVRTHDR, xrefs: 00007FFE13271BDF
WSAStartup failed: network not ready, xrefs: 00007FFE13274178
IPPROTO_PGM, xrefs: 00007FFE132718FC
MSG_CTRUNC, xrefs: 00007FFE132715C4
IPV6_RTHDR, xrefs: 00007FFE13271C0B
IPV6_MULTICAST_IF, xrefs: 00007FFE13271B1C
SO_KEEPALIVE, xrefs: 00007FFE13271425
AI_CANONNAME, xrefs: 00007FFE13271D91
SO_OOBINLINE, xrefs: 00007FFE13271493
SIO_RCVALL, xrefs: 00007FFE13271EE2
IP_OPTIONS, xrefs: 00007FFE132719FE
SO_DEBUG, xrefs: 00007FFE132713CD
IPPROTO_SCTP, xrefs: 00007FFE1327184C, 00007FFE13271928
IP_MULTICAST_TTL, xrefs: 00007FFE13271A82
AF_IPX, xrefs: 00007FFE132712E1
SO_REUSEADDR, xrefs: 00007FFE132713F9
NI_DGRAM, xrefs: 00007FFE13271E96
IPPROTO_MAX, xrefs: 00007FFE13271878
IPPROTO_IP, xrefs: 00007FFE13271684
IPPROTO_PUP, xrefs: 00007FFE13271744
IPV6_RECVTCLASS, xrefs: 00007FFE13271BF5
SocketType, xrefs: 00007FFE13271228
AI_NUMERICHOST, xrefs: 00007FFE13271DA7
RCVALL_ON, xrefs: 00007FFE13271F82
socket.herror, xrefs: 00007FFE1327115A
CAPI, xrefs: 00007FFE13271297
has_ipv6, xrefs: 00007FFE1327126D
NI_MAXSERV, xrefs: 00007FFE13271E2B
AI_PASSIVE, xrefs: 00007FFE13271D7B
IPPROTO_TCP, xrefs: 00007FFE13271718
SO_RCVLOWAT, xrefs: 00007FFE132714EB
IPV6_MULTICAST_HOPS, xrefs: 00007FFE13271B06
SOL_TCP, xrefs: 00007FFE1327165B
SO_ACCEPTCONN, xrefs: 00007FFE132713E3
SOCK_RAW, xrefs: 00007FFE1327138E
INADDR_ANY, xrefs: 00007FFE13271967
IPPROTO_RDP, xrefs: 00007FFE132718E6
IP_ADD_MEMBERSHIP, xrefs: 00007FFE13271AAE
AF_INET6, xrefs: 00007FFE1327130D
EAI_FAIL, xrefs: 00007FFE13271CE4
SHUT_RD, xrefs: 00007FFE13271EA9
IPPORT_RESERVED, xrefs: 00007FFE1327193E
IP_MULTICAST_IF, xrefs: 00007FFE13271A6C
MSG_PEEK, xrefs: 00007FFE13271582
IPPROTO_IGMP, xrefs: 00007FFE132716C0
MSG_OOB, xrefs: 00007FFE1327156C
MSG_ERRQUEUE, xrefs: 00007FFE132715F0
INADDR_LOOPBACK, xrefs: 00007FFE13271993
NI_NUMERICSERV, xrefs: 00007FFE13271E80
INADDR_UNSPEC_GROUP, xrefs: 00007FFE132719A9
IPV6_V6ONLY, xrefs: 00007FFE13271B5E
IP_DROP_MEMBERSHIP, xrefs: 00007FFE13271AC4
MSG_TRUNC, xrefs: 00007FFE132715AE
IPV6_MULTICAST_LOOP, xrefs: 00007FFE13271B32
SOCK_STREAM, xrefs: 00007FFE13271362
IPPROTO_ESP, xrefs: 00007FFE132717C8
IPPROTO_PIM, xrefs: 00007FFE13271836
SO_SNDBUF, xrefs: 00007FFE132714A9
IPPROTO_L2TP, xrefs: 00007FFE13271912
NI_NOFQDN, xrefs: 00007FFE13271E3E
AF_INET, xrefs: 00007FFE132712CB
IPPROTO_UDP, xrefs: 00007FFE1327175A

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion$00007Startup
String ID: AF_APPLETALK$AF_DECnet$AF_INET$AF_INET6$AF_IPX$AF_IRDA$AF_SNA$AF_UNSPEC$AI_ADDRCONFIG$AI_ALL$AI_CANONNAME$AI_NUMERICHOST$AI_NUMERICSERV$AI_PASSIVE$AI_V4MAPPED$CAPI$EAI_AGAIN$EAI_BADFLAGS$EAI_FAIL$EAI_FAMILY$EAI_MEMORY$EAI_NODATA$EAI_NONAME$EAI_SERVICE$EAI_SOCKTYPE$INADDR_ALLHOSTS_GROUP$INADDR_ANY$INADDR_BROADCAST$INADDR_LOOPBACK$INADDR_MAX_LOCAL_GROUP$INADDR_NONE$INADDR_UNSPEC_GROUP$IPPORT_RESERVED$IPPORT_USERRESERVED$IPPROTO_AH$IPPROTO_CBT$IPPROTO_DSTOPTS$IPPROTO_EGP$IPPROTO_ESP$IPPROTO_FRAGMENT$IPPROTO_GGP$IPPROTO_HOPOPTS$IPPROTO_ICLFXBM$IPPROTO_ICMP$IPPROTO_ICMPV6$IPPROTO_IDP$IPPROTO_IGMP$IPPROTO_IGP$IPPROTO_IP$IPPROTO_IPV4$IPPROTO_IPV6$IPPROTO_L2TP$IPPROTO_MAX$IPPROTO_ND$IPPROTO_NONE$IPPROTO_PGM$IPPROTO_PIM$IPPROTO_PUP$IPPROTO_RAW$IPPROTO_RDP$IPPROTO_ROUTING$IPPROTO_SCTP$IPPROTO_ST$IPPROTO_TCP$IPPROTO_UDP$IPV6_CHECKSUM$IPV6_DONTFRAG$IPV6_HOPLIMIT$IPV6_HOPOPTS$IPV6_JOIN_GROUP$IPV6_LEAVE_GROUP$IPV6_MULTICAST_HOPS$IPV6_MULTICAST_IF$IPV6_MULTICAST_LOOP$IPV6_PKTINFO$IPV6_RECVRTHDR$IPV6_RECVTCLASS$IPV6_RTHDR$IPV6_TCLASS$IPV6_UNICAST_HOPS$IPV6_V6ONLY$IP_ADD_MEMBERSHIP$IP_DROP_MEMBERSHIP$IP_HDRINCL$IP_MULTICAST_IF$IP_MULTICAST_LOOP$IP_MULTICAST_TTL$IP_OPTIONS$IP_RECVDSTADDR$IP_TOS$IP_TTL$MSG_BCAST$MSG_CTRUNC$MSG_DONTROUTE$MSG_ERRQUEUE$MSG_MCAST$MSG_OOB$MSG_PEEK$MSG_TRUNC$MSG_WAITALL$NI_DGRAM$NI_MAXHOST$NI_MAXSERV$NI_NAMEREQD$NI_NOFQDN$NI_NUMERICHOST$NI_NUMERICSERV$RCVALL_MAX$RCVALL_OFF$RCVALL_ON$RCVALL_SOCKETLEVELONLY$SHUT_RD$SHUT_RDWR$SHUT_WR$SIO_KEEPALIVE_VALS$SIO_LOOPBACK_FAST_PATH$SIO_RCVALL$SOCK_DGRAM$SOCK_RAW$SOCK_RDM$SOCK_SEQPACKET$SOCK_STREAM$SOL_IP$SOL_SOCKET$SOL_TCP$SOL_UDP$SOMAXCONN$SO_ACCEPTCONN$SO_BROADCAST$SO_DEBUG$SO_DONTROUTE$SO_ERROR$SO_EXCLUSIVEADDRUSE$SO_KEEPALIVE$SO_LINGER$SO_OOBINLINE$SO_RCVBUF$SO_RCVLOWAT$SO_RCVTIMEO$SO_REUSEADDR$SO_SNDBUF$SO_SNDLOWAT$SO_SNDTIMEO$SO_TYPE$SO_USELOOPBACK$SocketType$TCP_FASTOPEN$TCP_KEEPCNT$TCP_KEEPIDLE$TCP_KEEPINTVL$TCP_MAXSEG$TCP_NODELAY$WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported$_socket.CAPI$error$gaierror$has_ipv6$herror$socket$socket.gaierror$socket.herror$socket.timeout$timeout
API String ID: 1562806975-1455933423
Opcode ID: 3c0f611dac04d412b27ab9a6ceaeaa59a29a38cd1241e2a0695555b645f1dcec
Instruction ID: 7d319e37c8d54b854c457e4c61da63536ac2c521e3736ac4bed8fdd285268682
Opcode Fuzzy Hash: 3c0f611dac04d412b27ab9a6ceaeaa59a29a38cd1241e2a0695555b645f1dcec
Instruction Fuzzy Hash: ECA2CC64B18F1299EA14AF27E8556A42371BBFABE1F4450B5CC0E67774EE7DE108C700

Function 00007FF60F1A4EB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF60F1A4EF5

Part of subcall function 00007FF60F1A4848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A485C

Part of subcall function 00007FF60F199F88: HeapFree.KERNEL32(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199F9E
Part of subcall function 00007FF60F199F88: GetLastError.KERNEL32(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199FA8

Part of subcall function 00007FF60F199F40: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF60F199F1F,?,?,?,?,?,00007FF60F191A50), ref: 00007FF60F199F49
Part of subcall function 00007FF60F199F40: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF60F199F1F,?,?,?,?,?,00007FF60F191A50), ref: 00007FF60F199F6E

_get_daylight.LIBCMT ref: 00007FF60F1A4EE4

Part of subcall function 00007FF60F1A48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A48BC

_get_daylight.LIBCMT ref: 00007FF60F1A515A
_get_daylight.LIBCMT ref: 00007FF60F1A516B
_get_daylight.LIBCMT ref: 00007FF60F1A517C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF60F1A53BC), ref: 00007FF60F1A51A3

Strings

Eastern Summer Time, xrefs: 00007FF60F1A5261
Eastern Standard Time, xrefs: 00007FF60F1A5249

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 694ad2a23735cc7fb3f2ec8971a6aa60c063a628b57b9edeeabbe946f82a905d
Instruction ID: 71f9883345d5a7dadbebb44a9de875d8e6fdd5626254157d273668a8dbe434fd
Opcode Fuzzy Hash: 694ad2a23735cc7fb3f2ec8971a6aa60c063a628b57b9edeeabbe946f82a905d
Instruction Fuzzy Hash: 02D1E136E1C24286EB24DF26E9401B977A1FF84B84F6440BAEA1DC7695DF7CE445C780

Function 00007FF60F1A5DFC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF60F1A5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A5B71
Part of subcall function 00007FF60F1A5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A5BEF
Part of subcall function 00007FF60F1A5B30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A5C40

CreateFileW.KERNELBASE ref: 00007FF60F1A5F02
CreateFileW.KERNEL32 ref: 00007FF60F1A5F52
GetLastError.KERNEL32 ref: 00007FF60F1A5F82
GetFileType.KERNELBASE ref: 00007FF60F1A5F97
GetLastError.KERNEL32 ref: 00007FF60F1A5FA1
CloseHandle.KERNEL32 ref: 00007FF60F1A5FD4
CloseHandle.KERNEL32 ref: 00007FF60F1A6137
CreateFileW.KERNEL32 ref: 00007FF60F1A616C
GetLastError.KERNEL32 ref: 00007FF60F1A617B

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: f4a66a793454549687445e322010bf0c8aa55a7819c853dce57e356f604717af
Instruction ID: 5f932c4cff2a71ab5cbf149a0b3041c08d873aefc0bebfa0fc401b973b4db778
Opcode Fuzzy Hash: f4a66a793454549687445e322010bf0c8aa55a7819c853dce57e356f604717af
Instruction Fuzzy Hash: ACC1DF32B2CA4285EB10CFA4C5906BC37B1FB49BA8B250275DE2E97795DF39E459C340

Function 00007FF60F1A512C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF60F1A515A

Part of subcall function 00007FF60F1A48A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A48BC

_get_daylight.LIBCMT ref: 00007FF60F1A516B

Part of subcall function 00007FF60F1A4848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A485C

_get_daylight.LIBCMT ref: 00007FF60F1A517C

Part of subcall function 00007FF60F1A4878: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A488C

Part of subcall function 00007FF60F199F88: HeapFree.KERNEL32(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199F9E
Part of subcall function 00007FF60F199F88: GetLastError.KERNEL32(?,?,?,00007FF60F1A1ED2,?,?,?,00007FF60F1A1F0F,?,?,00000000,00007FF60F1A23D5,?,?,00000000,00007FF60F1A2307), ref: 00007FF60F199FA8

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF60F1A53BC), ref: 00007FF60F1A51A3

Strings

Eastern Summer Time, xrefs: 00007FF60F1A5261
Eastern Standard Time, xrefs: 00007FF60F1A5249

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: aa908a3e8f59a2679ecf24881337d3af3797adb0d4fc4d825233bf145dabf6f9
Instruction ID: 38acbc584f84989e3b486e51793f3560ec2cf114bad2888dcdcd7cf93dea3b5f
Opcode Fuzzy Hash: aa908a3e8f59a2679ecf24881337d3af3797adb0d4fc4d825233bf145dabf6f9
Instruction Fuzzy Hash: 93518D32A1C64286E710DF22E9801B9B7A1FF88784F6455BAEA5DC37A6DF3CE405C740

Function 00007FFE13287170 Relevance: 6.9, APIs: 4, Instructions: 889librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE13287C85
GetProcAddress.KERNEL32 ref: 00007FFE13287CAF
VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 00007FFE13287D2F
VirtualProtect.KERNEL32 ref: 00007FFE13287D4D

Memory Dump Source

Source File: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: eb1ed757e0c0d0017b7bbfa9539dfb41ce8016755be030351fe7973ce086d168
Instruction ID: 20547a64e02322e82c995dbf308a9dafbfefe9b848a171bfcc468f3a7b5eba52
Opcode Fuzzy Hash: eb1ed757e0c0d0017b7bbfa9539dfb41ce8016755be030351fe7973ce086d168
Instruction Fuzzy Hash: 20628A226289928AE315DF3DD4002BD77E1F7A8395F045171EA9ED3BD4EA3CEA91C700

Function 00007FFE148EAB70 Relevance: 6.9, APIs: 4, Instructions: 889librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FFE148EB685
GetProcAddress.KERNEL32 ref: 00007FFE148EB6AF
VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 00007FFE148EB72F
VirtualProtect.KERNEL32 ref: 00007FFE148EB74D

Memory Dump Source

Source File: 00000002.00000002.1692543814.00007FFE148EA000.00000080.00000001.01000000.00000008.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000002.00000002.1692469000.00007FFE148E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1692491940.00007FFE148E1000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1692491940.00007FFE148E9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1692562185.00007FFE148EC000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe148e0000_run0796.jbxd

Similarity

API ID: ProtectVirtual$AddressLibraryLoadProc
String ID:
API String ID: 3300690313-0
Opcode ID: 5dae28dba6e705b0fe2cf0c7c3d7d264b9ae2b0064efb0e88754277e5b651d6b
Instruction ID: cdeab95fee911c5d2c4882c661b5b48a74c213599f7e84f52f32246644f931a3
Opcode Fuzzy Hash: 5dae28dba6e705b0fe2cf0c7c3d7d264b9ae2b0064efb0e88754277e5b651d6b
Instruction Fuzzy Hash: D062782262899286E715CF3AD48037DB7A0F749795F045132FA9ED37E4EA3CEA49C710

Function 00007FF60F1817B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF60F18185C
_fread_nolock.LIBCMT ref: 00007FF60F18190E

Part of subcall function 00007FF60F18E6E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18E6F4

Strings

Cannot read Table of Contents., xrefs: 00007FF60F181995
Could not read full TOC!, xrefs: 00007FF60F181919
malloc, xrefs: 00007FF60F1818EA
Failed to seek to cookie position!, xrefs: 00007FF60F18182F
fseek, xrefs: 00007FF60F181836
Could not allocate buffer for TOC!, xrefs: 00007FF60F1818E3
fread, xrefs: 00007FF60F18186E
Error on file., xrefs: 00007FF60F18193D
MEI, xrefs: 00007FF60F1817EF
Failed to read cookie!, xrefs: 00007FF60F181867

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _fread_nolock$_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 3405171723-4158440160
Opcode ID: 770c135d7a320c110b34b208cc8bb55b9606d2930a950d8cbf931880d73878f1
Instruction ID: f42261027cbde2e239c9811e22ddacf527898e21de98bad1e435bd04293adab8
Opcode Fuzzy Hash: 770c135d7a320c110b34b208cc8bb55b9606d2930a950d8cbf931880d73878f1
Instruction Fuzzy Hash: 16514D72A0DA4296EB54CF29D55127833A0FF48B88B608576DA0DD7399DFBCE446C740

Function 00007FF60F1812B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF60F1813E2
malloc, xrefs: 00007FF60F181353
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF60F18134C
fseek, xrefs: 00007FF60F181319
fread, xrefs: 00007FF60F1813E9
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF60F181312
Failed to extract %s: failed to open archive file!, xrefs: 00007FF60F1812E2

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: 851645ae4d8e2ba64e8fa848f09866995ef5c47b6c3ea5c2ee8fd1dd56a41fac
Instruction ID: 8deb96ac6ee62c849a446c0bca842eb6476daea894413d8d5ef3604aeb3d8c17
Opcode Fuzzy Hash: 851645ae4d8e2ba64e8fa848f09866995ef5c47b6c3ea5c2ee8fd1dd56a41fac
Instruction Fuzzy Hash: FC418E32B0CA4292EA24DB11E9006BA63A0FF54BD0F644472DE4D97B55EFBCE547C700

Function 00007FF60F181000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF60F182CD0: GetModuleFileNameW.KERNEL32(?,00007FF60F1827C9,?,?,?,?,?,?), ref: 00007FF60F182D01

SetDllDirectoryW.KERNEL32 ref: 00007FF60F1829D5

Part of subcall function 00007FF60F185AF0: GetEnvironmentVariableW.KERNEL32(00007FF60F182817,?,?,?,?,?,?), ref: 00007FF60F185B2A
Part of subcall function 00007FF60F185AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF60F185B47

Strings

Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF60F1828BE
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF60F18295C
_MEIPASS2, xrefs: 00007FF60F182803, 00007FF60F18286C, 00007FF60F182B1B, 00007FF60F182B2B
Failed to convert DLL search path!, xrefs: 00007FF60F1829BD
MEI, xrefs: 00007FF60F182917
_PYI_ONEDIR_MODE, xrefs: 00007FF60F18282C, 00007FF60F182857

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 0192c57c939c35f0e6dbe9ed0ee8818f80c439c90b295c49350d1662e1304eab
Instruction ID: d514e8a73e6732a384ea52bb459570d788e1907a290763abd1bfb07f5b3b84b9
Opcode Fuzzy Hash: 0192c57c939c35f0e6dbe9ed0ee8818f80c439c90b295c49350d1662e1304eab
Instruction Fuzzy Hash: 9BC18031A1C6C351EA65AB22DA602FD6391FF44784F6040B2EA4DC769AEFBCE507C740

Function 00007FF60F181050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF60F18111F
malloc, xrefs: 00007FF60F1810F8, 00007FF60F181126
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF60F1810F1
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF60F1810B4
1.2.13, xrefs: 00007FF60F18107E
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF60F181249

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: 2a578be33031fd32cf3abfa5031e8686f84481d48ef04cad4200493a6f643d0e
Instruction ID: 46cb2c0f7f1e4877a94a88e9b6ae2abcc918e7b4cbe2e38dc3143f0962339492
Opcode Fuzzy Hash: 2a578be33031fd32cf3abfa5031e8686f84481d48ef04cad4200493a6f643d0e
Instruction Fuzzy Hash: 9151CA32A0C68291EA609B51E5403BA6391FB85B94F7441B6EE4ED7785EF7CE407C700

Function 00007FF60F19B09C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F19B4C9

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a4d685ae9cce30cf93841342e5a1d314e29f636783538e3b5adbfb391e49450
Instruction ID: fef5076ae37b6f82f7bcfceba3c113fc18604a0db98855059d893e79d8f2cdd4
Opcode Fuzzy Hash: 5a4d685ae9cce30cf93841342e5a1d314e29f636783538e3b5adbfb391e49450
Instruction Fuzzy Hash: 1CC10332A0C68791E760CB55A4402BD3BA1EFD1B80F7901B9DA4E83791CF7DEA498380

Function 00007FFE01388980 Relevance: 7.6, APIs: 5, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013889E0
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE01388A80

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 56ab15ebf88d2f472214260ccf3aa2794fd81f93f1b441577069300a3873c5fd
Instruction ID: b443df4d8dcdc0dd49a48a4965e0f4e15b561225be5ce8dd394c4a27ce354162
Opcode Fuzzy Hash: 56ab15ebf88d2f472214260ccf3aa2794fd81f93f1b441577069300a3873c5fd
Instruction Fuzzy Hash: FE51D220E0C70382FB54A768A9501BD62A1AF94394F5A46B5E52E5F7FBDF6CFC028301

Function 00007FF60F19E96C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF60F19EA5C
_get_daylight.LIBCMT ref: 00007FF60F19EA6D
_get_daylight.LIBCMT ref: 00007FF60F19EA7E
_isindst.LIBCMT ref: 00007FF60F19EB49

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 7c116d52e869d70fe36170fafcd4453455d7a89aa2c255f713b58b82420c40e6
Instruction ID: d0d0c75ca962e43ef561abd9aadbb6c4e3103ee5c2a1a727d67b03ad8f060a9a
Opcode Fuzzy Hash: 7c116d52e869d70fe36170fafcd4453455d7a89aa2c255f713b58b82420c40e6
Instruction Fuzzy Hash: 6651E272F0C2128AFB28DF64D9556BC27A1FB50368F640179EE1F93AE5DF38A4068740

Function 00007FF60F19484C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF60F19487F
GetFileInformationByHandle.KERNELBASE ref: 00007FF60F1948E1
GetLastError.KERNEL32 ref: 00007FF60F194972
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF60F194784), ref: 00007FF60F1949BE

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: e26be3db5802fbb9384144a92f7734554038aa84eaf5e6a474e4d8e63b6235a5
Instruction ID: 444c1294c5f1160b661bcbbe8b482cbe7e64b0952d9f5b360a28ba2d96b9fca3
Opcode Fuzzy Hash: e26be3db5802fbb9384144a92f7734554038aa84eaf5e6a474e4d8e63b6235a5
Instruction Fuzzy Hash: AD515932E0C6428AFB10DFB1D4613BD23A1EB48B98F248575DE4D97689DF38E486C790

Function 00007FF60F1946F8 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F194725
CreateFileW.KERNELBASE ref: 00007FF60F194764
CloseHandle.KERNEL32 ref: 00007FF60F194799

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 71793c3252844d471d372c4f7c095e38d9e2ed7ddd768de197b20e7bc70de9cb
Instruction ID: 315dcb31d9b0e207c685762dca199ca53a690e22a81eab77dc2f0040f365addf
Opcode Fuzzy Hash: 71793c3252844d471d372c4f7c095e38d9e2ed7ddd768de197b20e7bc70de9cb
Instruction Fuzzy Hash: 4A41BE32E2C78283E754CB61955037973A0FF957A4F209374EA9C83AD6DF7CA5A18780

Function 00007FFE013862A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FFE013862FC
GetFileType.KERNELBASE ref: 00007FFE01386312

Strings

@, xrefs: 00007FFE01386362

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: FileHandleType
String ID: @
API String ID: 3000768030-2766056989
Opcode ID: 10c4fa39cb729f91123b6bf367b60b64fb3467f7e4e6d2d3a76a5de364945ac9
Instruction ID: 3225d8ccd30e919c002a3bc46fe17f78cc177e6db27e674c984e36bd84945cc9
Opcode Fuzzy Hash: 10c4fa39cb729f91123b6bf367b60b64fb3467f7e4e6d2d3a76a5de364945ac9
Instruction Fuzzy Hash: DD21B462A08B4281EB608B35949113D2A64FB59B74F6A1339DAAF0F7F4CE7DD881D341

Function 00007FF60F18A52C Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF60F18A540

Part of subcall function 00007FF60F18A70C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF60F18A72E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF60F18A555
__scrt_release_startup_lock.LIBCMT ref: 00007FF60F18A5C3

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 1be6874be7b06f60d2a206459abee2dcc30803262f01e71d3cdcfcaefe82dc60
Instruction ID: 46300659b5f5946a15bf2d62f387cebea70d76213ce8a798b1f538a9d432566f
Opcode Fuzzy Hash: 1be6874be7b06f60d2a206459abee2dcc30803262f01e71d3cdcfcaefe82dc60
Instruction Fuzzy Hash: B2315C31E0D64393FA54AB2496113B92391EF86B80FB444B6EA0DC72D7DFADE846C740

Function 00007FF60F18E70C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18E750
_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18E847

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction ID: 2c9de7b3d986d9c0b87a5270586f15a673ab2e5f4a268f5954d2b71e8dea2f59
Opcode Fuzzy Hash: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction Fuzzy Hash: 6C51E731F0D68246FB689AA6960067A6791FF85BA4F284674ED7C837C5CFBCE4028740

Function 00007FF60F19BA58 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF60F19BAD1
GetFileType.KERNELBASE ref: 00007FF60F19BAE7

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: ea0bf9139acf7e29816fcd0aba872ae9fa759e19ef548db38860721d431a1d9c
Instruction ID: 4693968223535430b2a283139e4ba2af16fb3d9f81fc360c706a9ca5afbf5bf3
Opcode Fuzzy Hash: ea0bf9139acf7e29816fcd0aba872ae9fa759e19ef548db38860721d431a1d9c
Instruction Fuzzy Hash: ED317E32A1DB4682EB64CB15A5801782750FB85BB0B780379DB6F873E4CF38E5A1D380

Function 00007FF60F19B774 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF60F19B760,00000000,?,?,?,00007FF60F181023,00007FF60F19B869), ref: 00007FF60F19B7C0
GetLastError.KERNEL32(?,?,?,?,?,00007FF60F19B760,00000000,?,?,?,00007FF60F181023,00007FF60F19B869), ref: 00007FF60F19B7CA

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3ffa62e109f94fb18d3b2cbff054a6c81447e1b6aec8cf58aa39285ecb5c62cf
Instruction ID: 09801d6c33929af24e1aa1a426e59469eb24ec4e748aedba8f3f1a52d4671cf0
Opcode Fuzzy Hash: 3ffa62e109f94fb18d3b2cbff054a6c81447e1b6aec8cf58aa39285ecb5c62cf
Instruction Fuzzy Hash: 9211C172A1CA8281DA50CB26B8040A96761EB84BF4F684371EE7D8B7E9CF7CD1558780

Function 00007FF60F1949F4 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF60F194909), ref: 00007FF60F194A27
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF60F194909), ref: 00007FF60F194A3D

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: d262a3a4eaf9c2b0a2efd7598c1d93a89b64667fc18afc5cc579e88e2597d1a8
Instruction ID: 49ae7d2a00eef2e0c9ebf9e632b68d7616fa4f198033b5122aefb1a7adbbc7cc
Opcode Fuzzy Hash: d262a3a4eaf9c2b0a2efd7598c1d93a89b64667fc18afc5cc579e88e2597d1a8
Instruction Fuzzy Hash: DB11A331A1C64282EB64CB11A41103AB7A0FB847B1F700276F6AEC1AD8EF7CE055DB40

Function 00007FF60F19A198 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF60F19A015,?,?,00000000,00007FF60F19A0CA), ref: 00007FF60F19A206
GetLastError.KERNEL32(?,?,?,00007FF60F19A015,?,?,00000000,00007FF60F19A0CA), ref: 00007FF60F19A210

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 176045b7523cf5febd9284a5f88f2e5d392980a8c79d008abc553eacec4aafb7
Instruction ID: 25d594e04c43e51d6c9110a1b9e8066ea8bdad2a92605038be5bc247b8567d6b
Opcode Fuzzy Hash: 176045b7523cf5febd9284a5f88f2e5d392980a8c79d008abc553eacec4aafb7
Instruction Fuzzy Hash: EA219331F1C68241EA94976195A427D2392EF85BA4F3843B9DA2EC73C5DF6DE4898380

Function 00007FFE013874C0 Relevance: 2.5, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFE013874CD

Part of subcall function 00007FFE013861AC: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01386113), ref: 00007FFE013861D8
Part of subcall function 00007FFE013861AC: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01386113), ref: 00007FFE0138622D

LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00007FFE013874F3

Part of subcall function 00007FFE0138624C: GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE0138626C

Part of subcall function 00007FFE013862A0: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00007FFE013862FC
Part of subcall function 00007FFE013862A0: GetFileType.KERNELBASE ref: 00007FFE01386312

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: CriticalSection$EnterLeave$FileHandleInfoStartupType
String ID:
API String ID: 2762830733-0
Opcode ID: c868589744674d6913eb51937418dee57fcc5d1debfb9aa775668d33186eab68
Instruction ID: 0df6f66de50d6f0ae9082177438a260a05f16cd18309b61dac28b55b82fcea87
Opcode Fuzzy Hash: c868589744674d6913eb51937418dee57fcc5d1debfb9aa775668d33186eab68
Instruction Fuzzy Hash: 99E01290F196039BFB14BBB19C531BD63249F65356F910030D41DCE1B3DE1DB5898321

Function 00007FF60F19B4EC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F19B514

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 57107eaa3566968eb61c891c6bf60f53c3ecf75195df01cb8ace664919c894e2
Instruction ID: 875d6026db56458103a3a3e13f6c9f62de1137ed1f086114aacec70ad56b76d1
Opcode Fuzzy Hash: 57107eaa3566968eb61c891c6bf60f53c3ecf75195df01cb8ace664919c894e2
Instruction Fuzzy Hash: 0941BE3290C24187FA24CB2AB58427973A0EB96B84F640175DA9EC36D1CF6CE603CB91

Function 00007FF60F186370 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF60F18641A

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 18c58012e19eadf389ff0c619f7667762a4b91089c9f99893196c02b383d4090
Instruction ID: 24a8f237d244b0ce86e396d75f4f376e80cf4fc57e205123619831d652fd4065
Opcode Fuzzy Hash: 18c58012e19eadf389ff0c619f7667762a4b91089c9f99893196c02b383d4090
Instruction Fuzzy Hash: 7A219F31B0C29646FA159B52AA043BAA751FF55BD4FA84071EE4D87786CFBCE842C300

Function 00007FF60F19AF7C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F19B002

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5c21e00b33c8f2b45ceb84e2d38ad87eb1f0bac44c293c41f89c92cf48f3706b
Instruction ID: 26762846c0da8f8f61ebf613db41e8509c0858d3aef8516bf71b2f64c99fed9e
Opcode Fuzzy Hash: 5c21e00b33c8f2b45ceb84e2d38ad87eb1f0bac44c293c41f89c92cf48f3706b
Instruction Fuzzy Hash: 8C31B272A1C60281F7159B25988137C3760EF80F90F7905B5EA2D833D2DFBDE84587A0

Function 00007FF60F195548 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1954AD

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction ID: 5095234b5dcf3cd085f843457fb71b1f119317e429a0a901b4a26e17ae72bbaa
Opcode Fuzzy Hash: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction Fuzzy Hash: 5F11A232A0D64181FAA19F51E40127DA3A1FF95B80F6C44B5EA8CE7B86DF3DE4409B80

Function 00007FF60F1A57EC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F1A580F

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ae9bd99ce62d3538fe7d29b8c80f6b7eb83d48e2b866bc47fbdf5b394f043f57
Instruction ID: aeb20b0c40d69fa6c1413b5648f7642db8ff016eb3c3343248c7612ec0b0eb36
Opcode Fuzzy Hash: ae9bd99ce62d3538fe7d29b8c80f6b7eb83d48e2b866bc47fbdf5b394f043f57
Instruction Fuzzy Hash: 94214232A1CA8187D7618F1AE44037977A1FB84B94F784274E65DC76D9DF3DD4058B40

Function 00007FF60F18E98C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F18E9E0

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction ID: b0da4bfab6f448c846df4b51fe8c0b8a429707375e37a57e278b251b1fbc0516
Opcode Fuzzy Hash: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction Fuzzy Hash: 4201C831A0C78241EA44DBA29A01079A791FF86FE0F6846B5EE5C93BD6CFBCD1024300

Function 00007FF60F186320 Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF60F186DC0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF60F186DFA

LoadLibraryExW.KERNELBASE(?,?,00000000,00007FF60F1822DE,?,?,?,?), ref: 00007FF60F186343

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 4bdf6301c84a861bdb536e2334b00053543545dc7c114505350ac69f55b0c6e6
Instruction ID: 7589d92e6f8f238119c2cf82726ba40f7a06ca198de5619a4cc466809aa6f974
Opcode Fuzzy Hash: 4bdf6301c84a861bdb536e2334b00053543545dc7c114505350ac69f55b0c6e6
Instruction Fuzzy Hash: 11E0CD31B1C14642DE589767FA0547AA351EF4CFC0B58D035DE0D87755DE3DD4958B00

Function 00007FF60F19DEC8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF60F19AA26,?,?,?,00007FF60F199BE3,?,?,00000000,00007FF60F199E7E), ref: 00007FF60F19DF1D

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 5680686827257c125c79c0b434b54bb6693b4c02053300f6c32a97532040a367
Instruction ID: 1a55410bf38949abb7873eff166a2fc1a8a8fd5ecbd5bf2b325a4b1535cdf27f
Opcode Fuzzy Hash: 5680686827257c125c79c0b434b54bb6693b4c02053300f6c32a97532040a367
Instruction Fuzzy Hash: 00F09074B0D20380FE585761B8523B57390DF55B80F6C54B4C94EC67D2EF2CE48682A0

Function 00007FF60F19CC3C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF60F18F1F4,?,?,?,00007FF60F190706,?,?,?,?,?,00007FF60F19276D), ref: 00007FF60F19CC7A

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b11fc6a16e25d187a1b91613ce7ef6c78f7eee5e93957fcc5bb755ad2e5a5504
Instruction ID: 8cb9aa4621921c2db3ca6b5f7e82f4e1195e421a59003670a8e8c1afb51a7b95
Opcode Fuzzy Hash: b11fc6a16e25d187a1b91613ce7ef6c78f7eee5e93957fcc5bb755ad2e5a5504
Instruction Fuzzy Hash: FCF05870B0D24384FE2496B159512BA2780CF54BB0F280AB4E86EC52C2EF2CA44482E1

Non-executed Functions

Function 00007FFE01385A20 Relevance: 39.0, APIs: 11, Strings: 11, Instructions: 485libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385C00
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385C5F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385CBE
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385D1D
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385D7C
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385DDB
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385E3A
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385E99
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385EF8
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385F57
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385FB3

Strings

GetTimeFormatEx, xrefs: 00007FFE01385D72
IsValidLocaleName, xrefs: 00007FFE01385E30
GetDateFormatEx, xrefs: 00007FFE01385CB4
GetLocaleInfoEx, xrefs: 00007FFE01385C9D, 00007FFE01385D13, 00007FFE01385D5B
LocaleNameToLCID, xrefs: 00007FFE01385F4D
LCMapStringEx, xrefs: 00007FFE01385E8F, 00007FFE01385ED7
CompareStringEx, xrefs: 00007FFE01385BF6
GetUserDefaultLocaleName, xrefs: 00007FFE01385DD1
AreFileApisANSI, xrefs: 00007FFE01385BDF, 00007FFE01385FA9
LCIDToLocaleName, xrefs: 00007FFE01385C3E, 00007FFE01385CFC, 00007FFE01385DBA, 00007FFE01385E19, 00007FFE01385E78, 00007FFE01385EEE, 00007FFE01385F36
EnumSystemLocalesEx, xrefs: 00007FFE01385C55

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressProc
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 190572456-3252031757
Opcode ID: e5c01b59c31b06f9d9ddc6d492333062f46c49233acc12ab9cfcc3da049b7148
Instruction ID: 400e9fc471440a86ba36c67140591e99ce245152c6a400e243f375df5b26520f
Opcode Fuzzy Hash: e5c01b59c31b06f9d9ddc6d492333062f46c49233acc12ab9cfcc3da049b7148
Instruction Fuzzy Hash: 4D126365B1EB0346FF198B29E85017963A2AF587C8F495536DC0E8F3B4EE6CE545C301

Function 00007FFE0138B0B0 Relevance: 39.0, APIs: 11, Strings: 11, Instructions: 485COMMONLIBRARYCODE

Download Yara Rule

Strings

GetTimeFormatEx, xrefs: 00007FFE013C963B
IsValidLocaleName, xrefs: 00007FFE013C9745
GetDateFormatEx, xrefs: 00007FFE013C9531
GetLocaleInfoEx, xrefs: 00007FFE013C94F0, 00007FFE013C95B6, 00007FFE013C95FA
LocaleNameToLCID, xrefs: 00007FFE013C98D3
LCMapStringEx, xrefs: 00007FFE013C97CA, 00007FFE013C980E
CompareStringEx, xrefs: 00007FFE013C9427
GetUserDefaultLocaleName, xrefs: 00007FFE013C96C0
AreFileApisANSI, xrefs: 00007FFE013C93A2, 00007FFE013C93E6
LCIDToLocaleName, xrefs: 00007FFE013C946B, 00007FFE013C9575, 00007FFE013C967F, 00007FFE013C9704, 00007FFE013C9789, 00007FFE013C984F, 00007FFE013C9893
EnumSystemLocalesEx, xrefs: 00007FFE013C94AC

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID:
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 0-3252031757
Opcode ID: fb8e52c1c90d93fe6c59f15d7ce78a7d005c6badaa9b5647590f3bf837ebe44a
Instruction ID: f2cfa346998b8ef22c1b52152a76779acf14f2c9bdd3ecf570eaaf7652943fa5
Opcode Fuzzy Hash: fb8e52c1c90d93fe6c59f15d7ce78a7d005c6badaa9b5647590f3bf837ebe44a
Instruction Fuzzy Hash: C61264A5B1EB0386FF198729E85017963A2AF487CCF495536DC0E9F7B4EE6CE5458300

Function 00007FFE0138BBB0 Relevance: 30.2, APIs: 16, Strings: 1, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00007FFE0138B903,?,?,?,00007FFE0138B5CC), ref: 00007FFE0138BD6B
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00007FFE0138B903,?,?,?,00007FFE0138B5CC), ref: 00007FFE0138BDCE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00007FFE0138B903,?,?,?,00007FFE0138B5CC), ref: 00007FFE0138BEC5
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00007FFE0138B903,?,?,?,00007FFE0138B5CC), ref: 00007FFE0138BF0C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00007FFE0138B903,?,?,?,00007FFE0138B5CC), ref: 00007FFE0138BF12
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00007FFE0138B903,?,?,?,00007FFE0138B5CC), ref: 00007FFE0138BF59
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00007FFE0138B903,?,?,?,00007FFE0138B5CC), ref: 00007FFE0138BF5F
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00007FFE0138B903,?,?,?,00007FFE0138B5CC), ref: 00007FFE0138BFA6

Strings

FlsGetValue, xrefs: 00007FFE013C9AED, 00007FFE013C9B93, 00007FFE013C9C20, 00007FFE013C9CAB

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast
String ID: FlsGetValue
API String ID: 1452528299-662576866
Opcode ID: 674dc485f50652908af3f8892ada9cedd9e06ff995babca5fe26488da277a0a7
Instruction ID: 231c51a4f5c69cf2ddb3520bb7e4a1b3f591eea7cc9b637da8067383a1bbad86
Opcode Fuzzy Hash: 674dc485f50652908af3f8892ada9cedd9e06ff995babca5fe26488da277a0a7
Instruction Fuzzy Hash: 7B126AB5B09B4386EF258B15D8503BC63A1BF89B98F565136CA1E4F7B5DE3CE8458300

Function 00007FFE132720F0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 174networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FFE132721E9
htonl.WS2_32 ref: 00007FFE132721F7
bind.WS2_32 ref: 00007FFE13272239

Part of subcall function 00007FFE13272290: inet_pton.WS2_32 ref: 00007FFE13272338

htons.WS2_32 ref: 00007FFE132742E7

Strings

%s(): port must be 0-65535., xrefs: 00007FFE13274200
%s(): AF_INET6 address must be tuple, not %.500s, xrefs: 00007FFE132741B7
bind, xrefs: 00007FFE132741CE, 00007FFE13274211
%s(): flowinfo must be 0-1048575., xrefs: 00007FFE1327423E
socket.bind, xrefs: 00007FFE13272214
O&i;AF_INET address must be a pair (host, port), xrefs: 00007FFE1327427B
%s(): bad family, xrefs: 00007FFE132741AE
O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]]), xrefs: 00007FFE13272176
%s(): AF_INET address must be tuple, not %.500s, xrefs: 00007FFE132741C0

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: htons$bindhtonlinet_pton
String ID: %s(): AF_INET address must be tuple, not %.500s$%s(): AF_INET6 address must be tuple, not %.500s$%s(): bad family$%s(): flowinfo must be 0-1048575.$%s(): port must be 0-65535.$O&i;AF_INET address must be a pair (host, port)$O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]])$bind$socket.bind
API String ID: 4011969593-4141199466
Opcode ID: 1857343c9154eb684f213fb535026925e11d91f3691683735dd1420ce5b7e241
Instruction ID: 5edbbafe42160efb1e390fcae86da566c2adaedc5e7bd914be7cc168162ec394
Opcode Fuzzy Hash: 1857343c9154eb684f213fb535026925e11d91f3691683735dd1420ce5b7e241
Instruction Fuzzy Hash: 36812876B08F5689F710ABA6E4406B923B1BBB9BA8F104172DA4D67A74DE3CE444C740

Function 00007FFE0139195E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 289COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE01391AA6
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE01391B57

Strings

FlsGetValue, xrefs: 00007FFE013CCA90, 00007FFE013CCBBA

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast
String ID: FlsGetValue
API String ID: 1452528299-662576866
Opcode ID: e2227e03513b00fe38cf432641c1d708b222926280c1054a8c9e815d54820db8
Instruction ID: 95b5301ae638b7aacefec4b82a82cfe61e9ed5ee65261834639ea5b96574e149
Opcode Fuzzy Hash: e2227e03513b00fe38cf432641c1d708b222926280c1054a8c9e815d54820db8
Instruction Fuzzy Hash: 1BD16B72F08B038AFB148B69D4502BC27A1AB447A8F515235DA2D6FBF4EF3CA8418740

Function 00007FF60F1858E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 141COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F185977
GetCurrentProcessId.KERNEL32(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F18597D

Part of subcall function 00007FF60F185AF0: GetEnvironmentVariableW.KERNEL32(00007FF60F182817,?,?,?,?,?,?), ref: 00007FF60F185B2A
Part of subcall function 00007FF60F185AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF60F185B47

Part of subcall function 00007FF60F196828: _invalid_parameter_noinfo.LIBCMT ref: 00007FF60F196841

SetEnvironmentVariableW.KERNEL32(?,?,00000000,?,?,00007FF60F1858AD), ref: 00007FF60F185A31

Strings

TMP, xrefs: 00007FF60F185940
TMP, xrefs: 00007FF60F18591A, 00007FF60F1859D9, 00007FF60F185A67
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF60F18595A
_MEI%d, xrefs: 00007FF60F185985

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1556224225-1116378104
Opcode ID: 83dbfb4363d8f9f3e4c2f7ad03a46d4d084bda9c9f1d5e6e75e36267100ec64a
Instruction ID: b6a80f263035e1aabbf44c7e267f313bd9b1f703b08a67b40e5412dddb1ac5e1
Opcode Fuzzy Hash: 83dbfb4363d8f9f3e4c2f7ad03a46d4d084bda9c9f1d5e6e75e36267100ec64a
Instruction Fuzzy Hash: 5E517D35B0D65341FE14A722AA912BA5382DF85BD0F6844B1ED0ECB797EF6DE4078340

Function 00007FFE013ABE10 Relevance: 9.4, APIs: 6, Instructions: 398COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE013ABF04
_set_statfp.LIBCMT ref: 00007FFE013ABF34

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 39c15dfeba87cd1253e420539e46141228a28baa41f8b34db465095e72895283
Instruction ID: ea6998639db605cdf4a38786979b0223ec12c3a4aa5e15b90338b3264b419771
Opcode Fuzzy Hash: 39c15dfeba87cd1253e420539e46141228a28baa41f8b34db465095e72895283
Instruction Fuzzy Hash: 1102D622E2DFC589E7678B3554113B6A355AFA63D0F459336ED4E3ABB4DF3CA0428600

Function 00007FFE013AC570 Relevance: 9.3, APIs: 6, Instructions: 255COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE013AC649
_set_statfp.LIBCMT ref: 00007FFE013AC679

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 7cc4f378d7ecb9d9b63a5e479f5a8ff09ee885e5740bf5dd47cd3253d2d15eb4
Instruction ID: 4b6675ce37664558e90940ab081e2779d2d25c15a8a27aa9fbbd36d497da99d5
Opcode Fuzzy Hash: 7cc4f378d7ecb9d9b63a5e479f5a8ff09ee885e5740bf5dd47cd3253d2d15eb4
Instruction Fuzzy Hash: 7DA15D21E2DB4649E7678B3644403B69651AF6B7A0F5A9336ED2E3DAF0EF3C74824500

Function 00007FFE013ECC28 Relevance: 9.1, APIs: 6, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE013ECC9A
RtlLookupFunctionEntry.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE013ECCB2
RtlVirtualUnwind.API-MS-WIN-CORE-RTLSUPPORT-L1-1-0 ref: 00007FFE013ECCED
IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0 ref: 00007FFE013ECD2A
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013ECD34
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013ECD3F

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 9e36f71393d4748cefba426a899f0991de3e69447b84127024d5ca21e32ad54c
Instruction ID: fbaac6bce35bd26a0c862e53d50c6c90a79aa4c223c9bd96fddc481147e020ba
Opcode Fuzzy Hash: 9e36f71393d4748cefba426a899f0991de3e69447b84127024d5ca21e32ad54c
Instruction Fuzzy Hash: E1315276618B8186DB60CF25E4503AE73A4FB88748F550136EB4D4BB69DF7CD145CB40

Function 00007FFE01382B90 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 234COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE01389EC0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389EC8
Part of subcall function 00007FFE01389EC0: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389F50

GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(000000B8,000000BC,000001C2,?,?,00007FFE0138A2FE), ref: 00007FFE01382C2D
IsValidCodePage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE01382C4B
wcschr.LIBVCRUNTIME ref: 00007FFE01382CF8
wcschr.LIBVCRUNTIME ref: 00007FFE01382D10

Strings

utf8, xrefs: 00007FFE013C6D41

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLastwcschr$CodePageValid
String ID: utf8
API String ID: 3493387046-905460609
Opcode ID: a593764df181b41604c3cf35b94b490e2ae2f6175a511466e70b4f786073926a
Instruction ID: e173fd9aa0af1deff70fac92e647c7ba15555010a432988223b3503c98d8081f
Opcode Fuzzy Hash: a593764df181b41604c3cf35b94b490e2ae2f6175a511466e70b4f786073926a
Instruction Fuzzy Hash: 11A1AC72A0878286FB649F21C5412BE27A5FF84788F468131DA5E4B7E5EF3CE655C340

Function 00007FFE013EEFEC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 114fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE013EF099
FindClose.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE013EF0C3
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE013EF13A

Strings

., xrefs: 00007FFE013EF10C
., xrefs: 00007FFE013EF0FD

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$.
API String ID: 3541575487-3769392785
Opcode ID: 1e680fa196d6dba005587c8f8297efac9c1003dcc7a566ee1bcc1fcb11d647f4
Instruction ID: 1f7a7d59043835b68384e55681da6d9525debc12c797614854d6354190571e59
Opcode Fuzzy Hash: 1e680fa196d6dba005587c8f8297efac9c1003dcc7a566ee1bcc1fcb11d647f4
Instruction Fuzzy Hash: E1412722B1C79184EB60DB66D4046BAA7D5EFA57E4F064132DD1D0F6ECDEBCE8458300

Function 00007FFE013EB4B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE013EB50D
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE013EB551
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE013EB567

Strings

ACP, xrefs: 00007FFE013EB4D9
OCP, xrefs: 00007FFE013EB4E9

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 5468f287aed247b2ce93be947ce76367776866781d1797c0da89900d9844c3d3
Instruction ID: 7784f5463ed7f18d7158efe1ae0081f142e88303c2a54e57f677098923eb93bc
Opcode Fuzzy Hash: 5468f287aed247b2ce93be947ce76367776866781d1797c0da89900d9844c3d3
Instruction Fuzzy Hash: 64210821A0C782C2FB659B15B4505AAA3E0FB55B84F954531EA8D4BAFDEF2CE9418B00

Function 00007FFE0138423C Relevance: 7.8, APIs: 5, Instructions: 250fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

ReadFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE0138434A

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 9566bb113d5d9a9601f31ea826d55321fdd0beeca9f13ccb7a2b5a4f11f99ee8
Instruction ID: 6e9422c299d5f5bb3b78793530b872eae94257c526c0b709c7eefab9f05dff13
Opcode Fuzzy Hash: 9566bb113d5d9a9601f31ea826d55321fdd0beeca9f13ccb7a2b5a4f11f99ee8
Instruction Fuzzy Hash: B2A10722A0C7878AFB609B24A44137E7AA1BF91B98F160131DD4E0FAF6DF7DE4558700

Function 00007FFE013EB62C Relevance: 7.7, APIs: 5, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE01389EC0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389EC8
Part of subcall function 00007FFE01389EC0: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389F50

Part of subcall function 00007FFE01389EC0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389FA2
Part of subcall function 00007FFE01389EC0: TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE013C5FC3

GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE013EB7FD
IsValidCodePage.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE013EB83B
IsValidLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE013EB852
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE013EB8A0
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE013EB8C0

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$AddressCodeDefaultPageProcUserValue
String ID:
API String ID: 2030195362-0
Opcode ID: f2f1485d9586748bc6347e1db8e5e8d0c9fe7b4c530f4485615fa586f531b1f8
Instruction ID: 43b0fdc0de58af2b6d4d91e135b907ea7ab220d522e3c1548c07719f956a5d4b
Opcode Fuzzy Hash: f2f1485d9586748bc6347e1db8e5e8d0c9fe7b4c530f4485615fa586f531b1f8
Instruction Fuzzy Hash: A7814032A1C7828AEB519F15D4946BAA7E4FF94744F4A4035EA4E4B7E8EF3CE845C700

Function 00007FFE013AD6E0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 264COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFE013AD832

Strings

VUUU, xrefs: 00007FFE013AD903
fmod, xrefs: 00007FFE013AD7FC
!, xrefs: 00007FFE013AD81E

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_error
String ID: !$VUUU$fmod
API String ID: 1757819995-2579133210
Opcode ID: 1830e01b7ee7ba0bd65019ced0d26d39a167c0d49156adfeecbd068e878f52e8
Instruction ID: 987bf43251b3c746f99f9f4b06d77d7eb767bd763fa17f9978fefe6297d5c11d
Opcode Fuzzy Hash: 1830e01b7ee7ba0bd65019ced0d26d39a167c0d49156adfeecbd068e878f52e8
Instruction Fuzzy Hash: FAB1D821E1CFC445D7A78A3454513BAB259AFAA390F55D332E95E3ABB4DF3C94828700

Function 00007FFE01383AE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01383B7E
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE013C6F29

Strings

GetLocaleInfoEx, xrefs: 00007FFE01383B74
LCIDToLocaleName, xrefs: 00007FFE01383B5C

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressInfoLocaleProc
String ID: GetLocaleInfoEx$LCIDToLocaleName
API String ID: 2353564440-967963574
Opcode ID: 68f70359dd9c902e6f9dd55a734c754b13d50ebba99cfc518a1a37e1bdbd5676
Instruction ID: b14205dcba6339bbe5c7ac582280fabd51dd1057a74902bac773213288dfb964
Opcode Fuzzy Hash: 68f70359dd9c902e6f9dd55a734c754b13d50ebba99cfc518a1a37e1bdbd5676
Instruction Fuzzy Hash: D0218DA1B1DB4286EF449B2AE8501796791AF48BE4F454636DD2D4F7F4DE3CE8458300

Function 00007FFE013922F0 Relevance: 6.5, APIs: 2, Strings: 2, Instructions: 495COMMON

Download Yara Rule

Strings

(null), xrefs: 00007FFE01392564
(null), xrefs: 00007FFE01392515

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID:
String ID: (null)$(null)
API String ID: 0-1601437019
Opcode ID: cace3e99ca62958ba7b7b3b7f03d05f8e9308bbe53226c4620ac36686bbdf807
Instruction ID: 84ca9bf9611c101c6e7136698a12edebc0436ba147586d8d08b766bf1642d538
Opcode Fuzzy Hash: cace3e99ca62958ba7b7b3b7f03d05f8e9308bbe53226c4620ac36686bbdf807
Instruction Fuzzy Hash: 9A22B172A08A929AF7648F28C4407BE3BA5FB05B98F225135DE4D5B7A5DF3CD881C740

Function 00007FFE013ECEC0 Relevance: 6.1, APIs: 4, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00007FFE013ED029,?,?,?,?,?,?,00007FFE013C7AEC), ref: 00007FFE013ECECF
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00007FFE013ED029,?,?,?,?,?,?,00007FFE013C7AEC), ref: 00007FFE013ECEFB
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013ECF83
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013ECFD0

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$Concurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_
String ID:
API String ID: 2574209313-0
Opcode ID: 2ae86d2f741d16eca5e60fc062d9739ebf71204a63a6bd1d30e5fea729fae5ff
Instruction ID: 11116c1de53819f2582daa0186526668bfd3368ecd7901bdc13d9017ab03266b
Opcode Fuzzy Hash: 2ae86d2f741d16eca5e60fc062d9739ebf71204a63a6bd1d30e5fea729fae5ff
Instruction Fuzzy Hash: 9C31C261B0C74342FB589774E56137D62A2AF943A8F055639EA2D0FAFADF3CB8058300

Function 00007FFE013C22DC Relevance: 6.0, APIs: 4, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,00000000,00007FFE013C24BF,?,?,?,?,00007FFE013C2422,?,?,?,?,00007FFE013C9E62), ref: 00007FFE013C22E5
SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FFE013C24BF,?,?,?,?,00007FFE013C2422,?,?,?,?,00007FFE013C9E62), ref: 00007FFE013C22FD
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000000,00007FFE013C24BF,?,?,?,?,00007FFE013C2422,?,?,?,?,00007FFE013C9E62), ref: 00007FFE013C2306
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FFE013C24BF,?,?,?,?,00007FFE013C2422,?,?,?,?,00007FFE013C9E62), ref: 00007FFE013C231F

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CurrentDebuggerPresentProcess
String ID:
API String ID: 2506494423-0
Opcode ID: 33a0a22a85f2d33e0fb1ce96dff46e2101dc68a3de606c4b2e631d42720813a3
Instruction ID: 865386738f084d66d42412673521f4a7190124767eed0673cee1928443cb9be4
Opcode Fuzzy Hash: 33a0a22a85f2d33e0fb1ce96dff46e2101dc68a3de606c4b2e631d42720813a3
Instruction Fuzzy Hash: 3EF0E5A0E08B038AFB187B61A82537A6271EF58B45F150439DA1F4E2B2DF7E64898740

Function 00007FFE013E8FB8 Relevance: 4.6, APIs: 3, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000098,00007FFE013EBA01,?,?,00000098,00007FFE013C6C48,000000B8), ref: 00007FFE013E8FE9
EnumSystemLocalesW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,?,00000000,00000098,00007FFE013EBA01,?,?,00000098,00007FFE013C6C48,000000B8), ref: 00007FFE013E9023
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000098,00007FFE013EBA01,?,?,00000098,00007FFE013C6C48,000000B8), ref: 00007FFE013E9056

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: CriticalSection$EnterEnumLeaveLocalesSystem
String ID:
API String ID: 2886288447-0
Opcode ID: 4152cb601107a6e473515fdbbcf3a2b636bec8c5df5af793327df1b344ac1bf5
Instruction ID: 69876d91a9bf265761bba57f9976dbe70a468407cc74e3dd3f1e71eb52e25dbe
Opcode Fuzzy Hash: 4152cb601107a6e473515fdbbcf3a2b636bec8c5df5af793327df1b344ac1bf5
Instruction Fuzzy Hash: 6E118B72724B4682EB04CB26E8941A97771FB99BC9B468136DE0D8B378DF3CD559C340

Function 00007FFE1327622C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

listen.WS2_32 ref: 00007FFE13276283

Strings

|i:listen, xrefs: 00007FFE13276248

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: listen
String ID: |i:listen
API String ID: 3257165821-1087349693
Opcode ID: 7e54749a7b74d6e2c5813bc9d7485d31a403a7c46eab295ab8eac8492f2e1caf
Instruction ID: 13e33857fa4a8e4bc6c683098ee6a039649135ae139adcd0150906034bf036be
Opcode Fuzzy Hash: 7e54749a7b74d6e2c5813bc9d7485d31a403a7c46eab295ab8eac8492f2e1caf
Instruction Fuzzy Hash: F8015E21B18F428AE750AB63E88416A73B0FBF8BA0B504175DA4EA3734DF3DE405C700

Function 00007FFE013EAFC4 Relevance: 3.1, APIs: 2, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE01389EC0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389EC8
Part of subcall function 00007FFE01389EC0: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389F50

GetPrimaryLen.LIBCMT ref: 00007FFE013EB02D
EnumSystemLocalesW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,?,000000B8,00000000,000000BC,000001C2,?,?,00007FFE013C8D7C), ref: 00007FFE013EB042

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$EnumLocalesPrimarySystem
String ID:
API String ID: 1794546269-0
Opcode ID: 177b6059fd2e80799859cf17f3ea94077da4b79de250921c449ceb3879b9ac6f
Instruction ID: 3e331516d7e271ff19f853e06306cb93d4bbb2ca65f227847b96e3173d5e361d
Opcode Fuzzy Hash: 177b6059fd2e80799859cf17f3ea94077da4b79de250921c449ceb3879b9ac6f
Instruction Fuzzy Hash: 4011A0A3A0874186EB518F25E4402BD7BA1EB90BA1F158235D6694B3EDDF3DE981C740

Function 00007FFE013EB074 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE01389EC0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389EC8
Part of subcall function 00007FFE01389EC0: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389F50

GetPrimaryLen.LIBCMT ref: 00007FFE013EB0BA
EnumSystemLocalesW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,000001C2,00007FFE013EB740,?,?,?,000000B8,00000000,000000BC,000001C2,?,?,00007FFE013C8D7C), ref: 00007FFE013EB0D2

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$EnumLocalesPrimarySystem
String ID:
API String ID: 1794546269-0
Opcode ID: 780ca263feb8d13bf17dc03d657bbbd60b35403ac77c22bac1965f057e6a0b30
Instruction ID: 1c2e0b7ddf78471aed8c6538d7d9292953b7b33e0596395eca7217cc130337d3
Opcode Fuzzy Hash: 780ca263feb8d13bf17dc03d657bbbd60b35403ac77c22bac1965f057e6a0b30
Instruction Fuzzy Hash: B5F04462A0C74682EB525F25D840379BAD1EB907A8F158231E6794B2FDDF3DE8818701

Function 00007FFE013EAF64 Relevance: 1.5, APIs: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE01389EC0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389EC8
Part of subcall function 00007FFE01389EC0: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389F50

EnumSystemLocalesW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,000001C2,00007FFE013EB7F3,?,?,?,000000B8,00000000,000000BC,000001C2,?,?,00007FFE013C8D7C), ref: 00007FFE013EAFAB

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c64bcbe02d99453967383afca337fd9476b3630fed294925e5c9ab5ab45e3c02
Instruction ID: db432e7ab3052fe716135103d11dbcddb4a7d53bc28280b699cc762e77dd73df
Opcode Fuzzy Hash: c64bcbe02d99453967383afca337fd9476b3630fed294925e5c9ab5ab45e3c02
Instruction Fuzzy Hash: A9F05EA2A0878541EB115B65E9403ADBBE2EB90BB4F568231DA784B3F9CA7CC4918701

Function 00007FFE132763D8 Relevance: 1.5, APIs: 1, Instructions: 21networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FFE13276408

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: dd653d862c5c62c1c71e7322989cf73bc52b7027a9c5e9c9d1b242698b261d5d
Instruction ID: 4fca4fec68a2a21c82ad95da37f53a13f0faa42c8bb59a434210c3ba0e2dec4d
Opcode Fuzzy Hash: dd653d862c5c62c1c71e7322989cf73bc52b7027a9c5e9c9d1b242698b261d5d
Instruction Fuzzy Hash: 65E012B1B00A4586DB68AB1AD45123573A0F759F74F245735DE3D9B7D0CE28D8E1C740

Function 00007FF60F1850B0 Relevance: 164.8, APIs: 31, Strings: 63, Instructions: 263libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F1850C7
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F185106
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F18512B
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F185150
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F185178
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F1851A0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F1851C8
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F1851F0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?), ref: 00007FF60F185218

Strings

Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF60F1852CA
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF60F1851DA
Tcl_GetVar2, xrefs: 00007FF60F18534E
Failed to get address for Tcl_GetVar2, xrefs: 00007FF60F18536A
Tcl_Alloc, xrefs: 00007FF60F185506
Tcl_NewByteArrayObj, xrefs: 00007FF60F185416
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF60F18522A
Failed to get address for Tcl_Init, xrefs: 00007FF60F1850D9
Tcl_ThreadAlert, xrefs: 00007FF60F185326
Failed to get address for Tk_Init, xrefs: 00007FF60F185572
Tcl_Init, xrefs: 00007FF60F1850C0
Tcl_ConditionFinalize, xrefs: 00007FF60F185286
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF60F185342
Failed to get address for Tcl_Free, xrefs: 00007FF60F18554A
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF60F1852F2
Tcl_CreateInterp, xrefs: 00007FF60F1850FC
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF60F18531A
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF60F185162
Tcl_ThreadQueueEvent, xrefs: 00007FF60F1852FE
Tcl_Finalize, xrefs: 00007FF60F18516E
GetProcAddress, xrefs: 00007FF60F1850E0
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF60F185432
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF60F18527A
Failed to get address for Tcl_SetVar2, xrefs: 00007FF60F185392
Tk_Init, xrefs: 00007FF60F185556
Tcl_NewStringObj, xrefs: 00007FF60F1853EE
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF60F185482
Tcl_MutexLock, xrefs: 00007FF60F185236
Tcl_Free, xrefs: 00007FF60F18552E
Tcl_EvalEx, xrefs: 00007FF60F1854B6
Tcl_FinalizeThread, xrefs: 00007FF60F185196
Failed to get address for Tcl_EvalFile, xrefs: 00007FF60F1854AA
Tcl_GetString, xrefs: 00007FF60F1853C6
Failed to get address for Tcl_Finalize, xrefs: 00007FF60F18518A
Tcl_CreateThread, xrefs: 00007FF60F1851E6
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF60F18540A
Tcl_CreateObjCommand, xrefs: 00007FF60F18539E
Tcl_DeleteInterp, xrefs: 00007FF60F1851BE
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF60F1853BA
Tcl_EvalObjv, xrefs: 00007FF60F1854DE
Tcl_GetObjResult, xrefs: 00007FF60F185466
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF60F185118
Tcl_EvalFile, xrefs: 00007FF60F18548E
Tcl_GetCurrentThread, xrefs: 00007FF60F18520E
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF60F18559A
Failed to get address for Tcl_CreateThread, xrefs: 00007FF60F185202
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF60F18513D
Tcl_SetVar2, xrefs: 00007FF60F185376
Failed to get address for Tcl_Alloc, xrefs: 00007FF60F185522
Failed to get address for Tcl_EvalEx, xrefs: 00007FF60F1854D2
Failed to get address for Tcl_MutexLock, xrefs: 00007FF60F185252
Tcl_SetVar2Ex, xrefs: 00007FF60F18543E
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF60F18545A
Tcl_DoOneEvent, xrefs: 00007FF60F185146
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF60F1851B2
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF60F1854FA
Failed to get address for Tcl_GetString, xrefs: 00007FF60F1853E2
Tcl_ConditionNotify, xrefs: 00007FF60F1852AE
Tcl_FindExecutable, xrefs: 00007FF60F185121
Tk_GetNumMainWindows, xrefs: 00007FF60F18557E
Tcl_ConditionWait, xrefs: 00007FF60F1852D6
Tcl_MutexUnlock, xrefs: 00007FF60F18525E
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF60F1852A2

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 190572456-2208601799
Opcode ID: 77b5a64d38601d97cc6f46ef17bc262d941289dca8cc320d3ff37db910af6723
Instruction ID: 56edb9b569ef60ff2d2885b7c327a08e2a12ad883c1598bf95737ca3d3269369
Opcode Fuzzy Hash: 77b5a64d38601d97cc6f46ef17bc262d941289dca8cc320d3ff37db910af6723
Instruction Fuzzy Hash: 1FE17574A0DB0790FA59DB14AA6017833E6EF047A0BB865B5C80E86364EFBDF55DD380

Function 00007FFE013BDEF8 Relevance: 75.7, APIs: 40, Strings: 3, Instructions: 480COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE013BDFA2

Part of subcall function 00007FFE013BA54C: DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BA57E

DName::operator+.LIBVCRUNTIME ref: 00007FFE013BDFB2

Part of subcall function 00007FFE013BA990: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BA9AB

DName::DName.LIBVCRUNTIME ref: 00007FFE013BE562
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE57E
DName::DName.LIBVCRUNTIME ref: 00007FFE013BE5CB
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE5EC
UnDecorator::getSymbolName.LIBVCRUNTIME ref: 00007FFE013BE609
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE615
DName::operator+=.LIBCMT ref: 00007FFE013BE625
DName::operator=.LIBVCRUNTIME ref: 00007FFE013BDF89

Part of subcall function 00007FFE013BA744: DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BA76C

UnDecorator::getTemplateArgumentList.LIBVCRUNTIME ref: 00007FFE013BDFFE
DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BE01E
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE02E
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE03B
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE060
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE06B
DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BE0E6
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE0F7
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE119
DName::DName.LIBVCRUNTIME ref: 00007FFE013BE1D5
DName::DName.LIBVCRUNTIME ref: 00007FFE013BE211
DName::operator=.LIBVCRUNTIME ref: 00007FFE013BE2DA
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE2F9
DName::operator=.LIBVCRUNTIME ref: 00007FFE013BE327
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE362
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE38F
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE3A7
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE3B3
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE3CB
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE3D7
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE3EF
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE3FB
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE415
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE421
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE430
UnDecorator::getDataType.LIBVCRUNTIME ref: 00007FFE013BE440
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE450
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE460
DName::operator=.LIBVCRUNTIME ref: 00007FFE013BE499
DName::operator=.LIBVCRUNTIME ref: 00007FFE013BE669

Strings

`anonymous namespace', xrefs: 00007FFE013BE28B
operator, xrefs: 00007FFE013BDF97
`string', xrefs: 00007FFE013BE248

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Name::operator+Name::operator+=$Name$Name::Name::operator=$Name::doPchar$Decorator::get$ArgumentDataListSymbolTemplateType
String ID: `anonymous namespace'$`string'$operator
API String ID: 3364110030-815891235
Opcode ID: c61802edf81636580396196de44457ab2d519fa2b74cbead1b50503d1cc9aaf1
Instruction ID: 9c3801dd2c5c07b62ec2736dd4167b0c20123c1be2b890f8a44671b0ca8c8b3e
Opcode Fuzzy Hash: c61802edf81636580396196de44457ab2d519fa2b74cbead1b50503d1cc9aaf1
Instruction Fuzzy Hash: F5226A72E19A5698FB14DB68C8D02FC37B1AF44788F564036DB0E5FAB9EE2CE4558340

Function 00007FFE013BC000 Relevance: 73.8, APIs: 17, Strings: 25, Instructions: 277COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFE013BC084
DName::DName.LIBVCRUNTIME ref: 00007FFE013BC145
UnDecorator::getECSUDataType.LIBVCRUNTIME ref: 00007FFE013BC1F9
DName::operator+=.LIBCMT ref: 00007FFE013BC2F7
DName::DName.LIBVCRUNTIME ref: 00007FFE013BC340
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BC350
DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BC384
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BC394
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BC3A1
DName::operator=.LIBVCRUNTIME ref: 00007FFE013BC3D2
DName::operator+=.LIBCMT ref: 00007FFE013BC3E6
DName::operator=.LIBVCRUNTIME ref: 00007FFE013BC3FC
UnDecorator::getPtrRefType.LIBVCRUNTIME ref: 00007FFE013BC413
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BC433

Strings

__int8, xrefs: 00007FFE013BC11F
float, xrefs: 00007FFE013BC079
long, xrefs: 00007FFE013BC08E
char, xrefs: 00007FFE013BC0A9
<unknown>, xrefs: 00007FFE013BC24F
__int64, xrefs: 00007FFE013BC1A2
int, xrefs: 00007FFE013BC097
short, xrefs: 00007FFE013BC0A0
volatile, xrefs: 00007FFE013BC3F1
__int128, xrefs: 00007FFE013BC196
long , xrefs: 00007FFE013BC2DC
void, xrefs: 00007FFE013BC2C9
__w64 , xrefs: 00007FFE013BC137
bool, xrefs: 00007FFE013BC1BA
double, xrefs: 00007FFE013BC2EC
const, xrefs: 00007FFE013BC3C7
volatile, xrefs: 00007FFE013BC3DB
char32_t, xrefs: 00007FFE013BC237
char16_t, xrefs: 00007FFE013BC243
unsigned , xrefs: 00007FFE013BC32C
__int16, xrefs: 00007FFE013BC177
__int32, xrefs: 00007FFE013BC1AE
UNKNOWN, xrefs: 00007FFE013BC21F
wchar_t, xrefs: 00007FFE013BC22B
signed , xrefs: 00007FFE013BC335

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Name::operator+Name::operator+=Name::operator=$Decorator::getNameName::Type$DataName::doPchar
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$char16_t$char32_t$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 1522823107-3737837666
Opcode ID: ff4dd32bca4f277370fa855c8bd494b103e14d7739e4ec44ac55491472eeadb5
Instruction ID: 9aa4ff5f5318f2ea79c2f53670a01812f1a8356d7078740acf515abcfbdc7ebf
Opcode Fuzzy Hash: ff4dd32bca4f277370fa855c8bd494b103e14d7739e4ec44ac55491472eeadb5
Instruction Fuzzy Hash: BCD13B62E18A5399FB60CB64D8C02BC3361BF45788F966432DB1D9E6B5EF6CE645C300

Function 00007FFE13308F68 Relevance: 58.0, APIs: 8, Strings: 25, Instructions: 288COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFE13308FFD
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330935E
DName::operator+.LIBVCRUNTIME ref: 00007FFE133093A0
DName::operator+=.LIBVCRUNTIME ref: 00007FFE133093AD
DName::operator+.LIBVCRUNTIME ref: 00007FFE133093DA

Strings

__int16, xrefs: 00007FFE13309134
volatile, xrefs: 00007FFE1330930F
char16_t, xrefs: 00007FFE13309200
long, xrefs: 00007FFE13309041
volatile, xrefs: 00007FFE133092F9
wchar_t, xrefs: 00007FFE133091E8
__int128, xrefs: 00007FFE13309153
double, xrefs: 00007FFE1330924C
long , xrefs: 00007FFE13309232
unsigned , xrefs: 00007FFE13309035
<unknown>, xrefs: 00007FFE1330920C
__int8, xrefs: 00007FFE133090D7
short, xrefs: 00007FFE13309053
UNKNOWN, xrefs: 00007FFE133091DC
signed , xrefs: 00007FFE1330933B
bool, xrefs: 00007FFE13309177
int, xrefs: 00007FFE1330904A
void, xrefs: 00007FFE1330921F
char, xrefs: 00007FFE1330905C
const, xrefs: 00007FFE133092DF
__int32, xrefs: 00007FFE1330916B
__int64, xrefs: 00007FFE1330915F
__w64 , xrefs: 00007FFE133090EC
char32_t, xrefs: 00007FFE133091F4
float, xrefs: 00007FFE13308FF2

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+$Name::operator+=Name::operator=
String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$char16_t$char32_t$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
API String ID: 2985695045-3737837666
Opcode ID: bf7e98c3344c0179c6ddaaa74246d4408eef3205f29f3d89c83678baefc845d4
Instruction ID: 7f1d728550214c48315e75315b30c893771613bd24b8837009f2003ec5ed2fe6
Opcode Fuzzy Hash: bf7e98c3344c0179c6ddaaa74246d4408eef3205f29f3d89c83678baefc845d4
Instruction Fuzzy Hash: 8FD14B62E18E429CFB14CB66E8801BC2774BB24364F5045B2DA3DB66B5DF7CE588C308

Function 00007FFE133058A0 Relevance: 53.0, APIs: 27, Strings: 3, Instructions: 493COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFE13305933
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305960

Part of subcall function 00007FFE1330B390: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330B3AB

DName::operator+.LIBVCRUNTIME ref: 00007FFE133059E6
DName::operator+=.LIBVCRUNTIME ref: 00007FFE133059F3
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305AB5
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13305AD5
DName::operator=.LIBVCRUNTIME ref: 00007FFE13305CB3
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13305CDA
DName::operator=.LIBVCRUNTIME ref: 00007FFE13305D0B
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305D43
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305D61
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305D79
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13305D85
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305D9D
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13305DA9
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305DC1
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13305DCD
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305DE7
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13305DF3
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305E02
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305E22
DName::operator+.LIBVCRUNTIME ref: 00007FFE13305E32
DName::operator=.LIBVCRUNTIME ref: 00007FFE13305E57
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13305FB4
UnDecorator::getSymbolName.LIBVCRUNTIME ref: 00007FFE13305FD1
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13305FDD
DName::operator=.LIBVCRUNTIME ref: 00007FFE13306051

Strings

`string', xrefs: 00007FFE13305C1C
operator, xrefs: 00007FFE1330593E
`anonymous namespace', xrefs: 00007FFE13305C69

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+$Name::operator+=$Name::operator=$Decorator::getNameSymbol
String ID: `anonymous namespace'$`string'$operator
API String ID: 1939614110-815891235
Opcode ID: 0a418c01cc5cb1d78d8ecc88b58af45e4c8bff701549ed15115c360b0e5e7569
Instruction ID: 631ba1e576b5a3ed5e173499abca3392a38d021910c76f2075977ad178bdbb08
Opcode Fuzzy Hash: 0a418c01cc5cb1d78d8ecc88b58af45e4c8bff701549ed15115c360b0e5e7569
Instruction Fuzzy Hash: 76326C62B1CE56CDFB04DB66D8801FC2771BB247A8F5441B2DA6D27AA9DF2CE445C308

Function 00007FFE13302000 Relevance: 51.2, APIs: 26, Strings: 3, Instructions: 403COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1330BDE4: RtlLookupFunctionEntry.KERNEL32(?,?,?,?,?,?,?,00007FFE1330204C), ref: 00007FFE1330BEB9

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE13302118
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE13302134
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE13302149
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE13302166
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE1330219C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE133021AD
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE133021C5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE133021DA
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE13302205
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE1330220C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE1330239A
CatchIt.LIBVCRUNTIME ref: 00007FFE133023D9
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE133023F0
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE133023F7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE133023FE
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE13302405
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE13302469
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE1330247D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE13302494
_UnwindNestedFrames.LIBVCRUNTIME ref: 00007FFE133024EE
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE133024FD
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE1330252C
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE1330253A
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE13302541

Part of subcall function 00007FFE133028B0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE133028E6
Part of subcall function 00007FFE133028B0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302919
Part of subcall function 00007FFE133028B0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302958
Part of subcall function 00007FFE133028B0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302979
Part of subcall function 00007FFE133028B0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE1330299C
Part of subcall function 00007FFE133028B0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE133029BA

std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE13302571
_CxxThrowException.LIBVCRUNTIME ref: 00007FFE13302581

Part of subcall function 00007FFE13304620: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFE13302586), ref: 00007FFE1330469D
Part of subcall function 00007FFE13304620: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFE13302586), ref: 00007FFE133046DC

Part of subcall function 00007FFE13304380: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE13301CA0), ref: 00007FFE133043BA
Part of subcall function 00007FFE13304380: strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE13301CA0), ref: 00007FFE133043D2
Part of subcall function 00007FFE13304380: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE13301CA0), ref: 00007FFE133043E8

Strings

csm, xrefs: 00007FFE1330217A
csm, xrefs: 00007FFE13302213
csm, xrefs: 00007FFE133020DC

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$terminate$Exception$CatchEntryFileFramesFunctionHeaderLookupNestedRaiseThrowUnwindfreemallocstd::bad_alloc::bad_allocstrcpy_s
String ID: csm$csm$csm
API String ID: 3386888594-393685449
Opcode ID: 3626c349750869fe565dd3b9c9181262c1049519526de4ccc4dcac70c7db7e4f
Instruction ID: 563e49e3c729f385512ae817d8d8e55d72d4aa1cfb50600cbd1451d8b0293ff1
Opcode Fuzzy Hash: 3626c349750869fe565dd3b9c9181262c1049519526de4ccc4dcac70c7db7e4f
Instruction Fuzzy Hash: DB029C32A08F428EEA589F66D0842BD67A4FF64B68F0404B5DE6D637A5CF3CE455C318

Function 00007FFE013BF7C4 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 235COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE013BF8B2
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BF8C1
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BF8D0

Part of subcall function 00007FFE013BCE04: UnDecorator::getDataType.LIBVCRUNTIME ref: 00007FFE013BCE35

DName::DName.LIBVCRUNTIME ref: 00007FFE013BF8F4
DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BF969
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BF986
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BF991
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BF9BF
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BF9CA
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BF9DF
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BF9EA
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BF9FF
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BFA0E
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE013BFAF1
DName::DName.LIBVCRUNTIME ref: 00007FFE013BFAFE
DName::DName.LIBVCRUNTIME ref: 00007FFE013BFB26
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BFB36
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BFB49

Strings

`generic-class-parameter-, xrefs: 00007FFE013BFB53
`template-type-parameter-, xrefs: 00007FFE013BFB5C
`generic-method-parameter-, xrefs: 00007FFE013BFB1B
NULL, xrefs: 00007FFE013BF8EA

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Name::operator+=$Name::operator+$NameName::$DataDecorator::getName::doPcharTypeswprintf
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-
API String ID: 1509416489-4167119577
Opcode ID: 342a287a45dd78f49881eb4e3cb1e06f0c8bfac052982164067d2caad856c3fb
Instruction ID: 718d40f038c71ee7cc9937387aaa6fdb400755e4bb15cdfe08a3c9c3f0b66b08
Opcode Fuzzy Hash: 342a287a45dd78f49881eb4e3cb1e06f0c8bfac052982164067d2caad856c3fb
Instruction Fuzzy Hash: 6BB17B22E0CA4298FB14DB64C8D43FC7365AF55748F961036CB0D5BAB6EE6CE60AC740

Function 00007FFE013BD768 Relevance: 39.3, APIs: 26, Instructions: 342COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE013BD7B9

Part of subcall function 00007FFE013BA990: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BA9AB

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Name::operator+Name::operator+=
String ID:
API String ID: 382699925-0
Opcode ID: bf514128ed70bf8e329dd96175d2162b2aae0341c907da1aa4dc3e1525c7a98b
Instruction ID: 5f40c56c3d03233b7c0c6e821d8e0d8cd61774127a05e50149c87a0c3c9d4400
Opcode Fuzzy Hash: bf514128ed70bf8e329dd96175d2162b2aae0341c907da1aa4dc3e1525c7a98b
Instruction Fuzzy Hash: B3F16876B08A86AEFB11DFA4D4801EC37B1EB4474CB454036DB4D6BAA9EE7CD619C340

Function 00007FFE13303460 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 242COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE133024AF), ref: 00007FFE13303537
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE133024AF), ref: 00007FFE1330353E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE133024AF), ref: 00007FFE13303549
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133035DF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133035F7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303610
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303625
RtlPcToFileHeader.KERNEL32 ref: 00007FFE13303640
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330365B
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303686

Part of subcall function 00007FFE133048F4: GetLastError.KERNEL32(?,?,?,00007FFE13301831), ref: 00007FFE13304918
Part of subcall function 00007FFE133048F4: SetLastError.KERNEL32(?,?,?,00007FFE13301831), ref: 00007FFE133049C0

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133036AE
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133036D5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303701
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330374E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330378A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133037A6

Part of subcall function 00007FFE133048F4: TlsGetValue.KERNEL32(?,?,?,00007FFE13301831), ref: 00007FFE1330495F
Part of subcall function 00007FFE133048F4: _calloc_base.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE13301831), ref: 00007FFE13304989
Part of subcall function 00007FFE133048F4: _free_base.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE13301831), ref: 00007FFE133049B8

Strings

csm, xrefs: 00007FFE133035B3
MOC, xrefs: 00007FFE13303591
csm, xrefs: 00007FFE1330375E
?AVbad_exception@std@@, xrefs: 00007FFE133034ED
RCC, xrefs: 00007FFE1330359D

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$ErrorLast$FileHeaderValue_calloc_base_free_base
String ID: ?AVbad_exception@std@@$MOC$RCC$csm$csm
API String ID: 2425072861-1914178954
Opcode ID: 5ddc374ad099d947232a7d8a7f0c32787dabcb296a25caccbb93ce29c81494a5
Instruction ID: 7b7fa9e6fde098a6e15647c491125f6767bb8157c2e68af090b8a9bef2f3a8f1
Opcode Fuzzy Hash: 5ddc374ad099d947232a7d8a7f0c32787dabcb296a25caccbb93ce29c81494a5
Instruction Fuzzy Hash: 4DA1CF72E09F428AEA659B52D04427E67A0FF68F74F0408B5DA6D23775DF3CE441CA09

Function 00007FFE13272370 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 281networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32 ref: 00007FFE13272486
getsockname.WS2_32 ref: 00007FFE13274760
getsockopt.WS2_32 ref: 00007FFE132747CB

Strings

socket.__new__, xrefs: 00007FFE1327453A
iii, xrefs: 00007FFE13274612
negative file descriptor, xrefs: 00007FFE1327471F
integer argument expected, got float, xrefs: 00007FFE132747E5
socket(), xrefs: 00007FFE13274652
|iiiO:socket, xrefs: 00007FFE132723DB
Oiii, xrefs: 00007FFE1327452E
socket descriptor string has wrong size, should be %zu bytes., xrefs: 00007FFE13274594

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: Socketgetsocknamegetsockopt
String ID: Oiii$iii$integer argument expected, got float$negative file descriptor$socket descriptor string has wrong size, should be %zu bytes.$socket()$socket.__new__$|iiiO:socket
API String ID: 1917005709-2392107858
Opcode ID: ed40e7bf5bd58044e5a72c47c0ce755f19d53f56eeecac347b5218d737ade378
Instruction ID: 050dc86ddc57994044abf66a96877610c50006ea624588162c9bef208d3de4a6
Opcode Fuzzy Hash: ed40e7bf5bd58044e5a72c47c0ce755f19d53f56eeecac347b5218d737ade378
Instruction Fuzzy Hash: 55E13E32A08B428AE720AF2AE4541797760FBF5BB4F205375DA5D626B4DF3CE585C700

Function 00007FFE13303930 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1330C1D0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C1E7
Part of subcall function 00007FFE1330C1D0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C1FE
Part of subcall function 00007FFE1330C1D0: terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C219
Part of subcall function 00007FFE1330C1D0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C22D

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303961
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303982
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133039A1
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133039BF
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133039DD
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133039FB
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303A1D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303A39
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303A5A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303A75
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303A93
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303AB1
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303AD3
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303AEA
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303B06

Strings

csm, xrefs: 00007FFE1330396C
csm, xrefs: 00007FFE13303A44

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$terminate
String ID: csm$csm
API String ID: 579254285-3733052814
Opcode ID: fe75575324e898bddb0e030716503548cf80929cbfae6fbe91e7efb773c12368
Instruction ID: 1689fd2a920e5cdc6bcb74f50ce4b9dc5890f3db783854e4a3a2b15fbbc4968f
Opcode Fuzzy Hash: fe75575324e898bddb0e030716503548cf80929cbfae6fbe91e7efb773c12368
Instruction Fuzzy Hash: 47514F32E0DF4689EE686B57C04413D26B4AFB8B35F0409B9D97D327B2DF2DE8108119

Function 00007FFE1330616C Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 299COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE133061EA
DName::operator+.LIBVCRUNTIME ref: 00007FFE13306235
DName::operator+.LIBVCRUNTIME ref: 00007FFE133062DF
DName::operator+.LIBVCRUNTIME ref: 00007FFE133062EF
DName::operator+.LIBVCRUNTIME ref: 00007FFE13306422
DName::operator+.LIBVCRUNTIME ref: 00007FFE13306434
DName::operator+.LIBVCRUNTIME ref: 00007FFE13306359

Part of subcall function 00007FFE1330B390: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330B3AB

DName::operator+.LIBVCRUNTIME ref: 00007FFE133063C6
DName::operator+.LIBVCRUNTIME ref: 00007FFE133063D6
DName::operator+.LIBVCRUNTIME ref: 00007FFE133065B5

Part of subcall function 00007FFE1330559C: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE133055FA

DName::operator+.LIBVCRUNTIME ref: 00007FFE13306630

Strings

`anonymous namespace', xrefs: 00007FFE13306529

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+$Name::operator+=Replicator::operator[]
String ID: `anonymous namespace'
API String ID: 2709820770-3062148218
Opcode ID: 82e5f84ef63da0c09f1d45ac61254de523a11a8ca8f628e7ef5fa0c4bf2e3efc
Instruction ID: 90ecc6addd2a9f027503cf08bcbe08fd61f5aca563157a29da0584527520191d
Opcode Fuzzy Hash: 82e5f84ef63da0c09f1d45ac61254de523a11a8ca8f628e7ef5fa0c4bf2e3efc
Instruction Fuzzy Hash: E4E19E72A08F829DEB14CF66D8802ED37A0FB647A4F5040B5EA5D27BAADF38D554C704

Function 00007FFE133025C8 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302608
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE1330262B
EncodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302634
CatchIt.LIBVCRUNTIME ref: 00007FFE13302837

Part of subcall function 00007FFE13302C84: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302CF1
Part of subcall function 00007FFE13302C84: _UnwindNestedFrames.LIBVCRUNTIME ref: 00007FFE13302D34

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302867
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE1330286E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302875
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE1330287C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302883
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE1330288A

Part of subcall function 00007FFE133048F4: GetLastError.KERNEL32(?,?,?,00007FFE13301831), ref: 00007FFE13304918
Part of subcall function 00007FFE133048F4: SetLastError.KERNEL32(?,?,?,00007FFE13301831), ref: 00007FFE133049C0

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302891
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302898
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE1330289F

Strings

RCC, xrefs: 00007FFE13302648
MOC, xrefs: 00007FFE13302640

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$ErrorLast$CatchEncodeFramesNestedPointerUnwindterminate
String ID: MOC$RCC
API String ID: 2140352205-2084237596
Opcode ID: d1b7c608141e651fae73115cad78fec1ac335fdd7b28dfb3f62e3715bf8cc4f2
Instruction ID: 31d7c75f02deef8dc9dc4506c961ba8b55c9ef8c0f721e69a05d35ce33d2823f
Opcode Fuzzy Hash: d1b7c608141e651fae73115cad78fec1ac335fdd7b28dfb3f62e3715bf8cc4f2
Instruction Fuzzy Hash: 50819D32A08E8689EB249B16D48477D6760FFA4F6AF044875CA6D637B5CF3CE105C718

Function 00007FFE13309574 Relevance: 25.9, APIs: 17, Instructions: 393COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE133095C5

Part of subcall function 00007FFE1330B390: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330B3AB

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+Name::operator+=
String ID:
API String ID: 382699925-0
Opcode ID: d14701550f813a1b5f0a6813c5cfc38f9d7d7c563afc0a5d8f31b01ef8bfca20
Instruction ID: 4aa6a9d36efa7ee210d2e60c6c88e63889558caf45cec0b28b70162ead82b4bc
Opcode Fuzzy Hash: d14701550f813a1b5f0a6813c5cfc38f9d7d7c563afc0a5d8f31b01ef8bfca20
Instruction Fuzzy Hash: D3129C76B08E469EEB10CF66D4801FD37B0EB24758B4040B6EA6D67BBADE38D515C348

Function 00007FFE13306DC4 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE13306EDB
DName::operator+.LIBVCRUNTIME ref: 00007FFE13306EEA
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13306FB8
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13306FF7
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13307018
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13307039
DName::operator+.LIBVCRUNTIME ref: 00007FFE13307048
atol.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FFE133070E1
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330719A

Strings

NULL, xrefs: 00007FFE13306F04
`generic-method-parameter-, xrefs: 00007FFE13307175
`generic-class-parameter-, xrefs: 00007FFE133071B8
{, xrefs: 00007FFE13306F84
`template-type-parameter-, xrefs: 00007FFE133071C1

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+Name::operator+=$atol
String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-${
API String ID: 2344370515-4023094362
Opcode ID: 3ccc18cc20a8de763716fe189613d3dfe9f7631dc5b97b57d434d142ef750345
Instruction ID: 84575b76ec730756ecc387934c3650dad85dc990263b890c5f4c20f5fb5cf7f2
Opcode Fuzzy Hash: 3ccc18cc20a8de763716fe189613d3dfe9f7631dc5b97b57d434d142ef750345
Instruction Fuzzy Hash: 26B1C562A0CE429CFB15DB22D4501FD27A1EF64764F5401B5EA6E36ABACF3CE149C348

Function 00007FFE13272290 Relevance: 24.7, APIs: 8, Strings: 6, Instructions: 180COMMON

Download Yara Rule

APIs

inet_pton.WS2_32 ref: 00007FFE13272338
getaddrinfo.WS2_32 ref: 00007FFE13274356
FreeAddrInfoW.WS2_32 ref: 00007FFE1327438D
FreeAddrInfoW.WS2_32 ref: 00007FFE132743E4
FreeAddrInfoW.WS2_32 ref: 00007FFE1327440E
inet_pton.WS2_32 ref: 00007FFE1327442B
getaddrinfo.WS2_32 ref: 00007FFE1327448C
FreeAddrInfoW.WS2_32 ref: 00007FFE132744D4

Strings

255.255.255.255, xrefs: 00007FFE132722BF
address family mismatched, xrefs: 00007FFE13274507
<broadcast>, xrefs: 00007FFE132722D3
wildcard resolved to multiple address, xrefs: 00007FFE132743EA
unsupported address family, xrefs: 00007FFE13274393
unknown address family, xrefs: 00007FFE132743AD

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: AddrFreeInfo$getaddrinfoinet_pton
String ID: 255.255.255.255$<broadcast>$address family mismatched$unknown address family$unsupported address family$wildcard resolved to multiple address
API String ID: 3456548859-1715193308
Opcode ID: dca16e9962d2758a608fc27b3aee0d7f866cd99c237aefc7057d199c280d6f73
Instruction ID: 6df20c76c1f1a2f4ab47186a46511f491264c44ff73c0f9ec1194c0f8494b585
Opcode Fuzzy Hash: dca16e9962d2758a608fc27b3aee0d7f866cd99c237aefc7057d199c280d6f73
Instruction Fuzzy Hash: 2F814C21A08F428AE760AF26A80427963A1BBF5BA4F5442B2DA5D777B4DF3CE545C700

Function 00007FFE13272B14 Relevance: 24.2, APIs: 16, Instructions: 235COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE13272B3C
__scrt_initialize_crt.LIBCMT ref: 00007FFE13272B81
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE13272BA2
_RTC_Initialize.LIBCMT ref: 00007FFE13272BD0
__scrt_initialize_default_local_stdio_options.LIBCMT ref: 00007FFE13272BDA
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE13272BF6
__scrt_release_startup_lock.LIBCMT ref: 00007FFE13272C21
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FFE13272C40
__scrt_fastfail.LIBCMT ref: 00007FFE13272C76
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE13272CB8
_RTC_Initialize.LIBCMT ref: 00007FFE13272CD7
__scrt_release_startup_lock.LIBCMT ref: 00007FFE13272CEA
__scrt_uninitialize_crt.LIBCMT ref: 00007FFE13272CF4
__scrt_fastfail.LIBCMT ref: 00007FFE13272D07

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
String ID:
API String ID: 627783611-0
Opcode ID: abc692eb7a093c0b15c8035d40e5ce3b2c0fb7fba3fadb6c77fd15417b76ea17
Instruction ID: 823c9ae0b3cb6f8502b208a8e752bb33f51917cdb875a40141e4407b8b1db916
Opcode Fuzzy Hash: abc692eb7a093c0b15c8035d40e5ce3b2c0fb7fba3fadb6c77fd15417b76ea17
Instruction Fuzzy Hash: 08918F21E08F434EF664BB6794822B922A0BFFA7A0F1440B5DA4D677B6DE3CE441C740

Function 00007FFE148E1114 Relevance: 24.2, APIs: 16, Instructions: 235COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE148E113C
__scrt_initialize_crt.LIBCMT ref: 00007FFE148E1181
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE148E11A2
_RTC_Initialize.LIBCMT ref: 00007FFE148E11D0
__scrt_initialize_default_local_stdio_options.LIBCMT ref: 00007FFE148E11DA
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE148E11F6
__scrt_release_startup_lock.LIBCMT ref: 00007FFE148E1221
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FFE148E1240
__scrt_fastfail.LIBCMT ref: 00007FFE148E1276
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE148E12B8
_RTC_Initialize.LIBCMT ref: 00007FFE148E12D7
__scrt_release_startup_lock.LIBCMT ref: 00007FFE148E12EA
__scrt_uninitialize_crt.LIBCMT ref: 00007FFE148E12F4
__scrt_fastfail.LIBCMT ref: 00007FFE148E1307

Memory Dump Source

Source File: 00000002.00000002.1692491940.00007FFE148E1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000002.00000002.1692469000.00007FFE148E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1692491940.00007FFE148E9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1692543814.00007FFE148EA000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1692562185.00007FFE148EC000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe148e0000_run0796.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
String ID:
API String ID: 627783611-0
Opcode ID: aed60c4f90e4819b847f02365d3c23cbe61a8e4db50aaa61ce56ee17cee8997e
Instruction ID: 59c4ff93eaa16815ad8ecdd215e8970fe287b173a18df2fe6dd10139b42245ac
Opcode Fuzzy Hash: aed60c4f90e4819b847f02365d3c23cbe61a8e4db50aaa61ce56ee17cee8997e
Instruction Fuzzy Hash: A5918221E0CE4385FA50AB6794C12F9E291AF877A0F4441B5FA4D677B7DE3CE8498700

Function 00007FFE13277944 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 149COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFE13277AD9
htonl.WS2_32 ref: 00007FFE13277B43
getnameinfo.WS2_32 ref: 00007FFE13277B82
FreeAddrInfoW.WS2_32 ref: 00007FFE13277BED

Strings

, xrefs: 00007FFE13277B75
sockaddr resolved to multiple addresses, xrefs: 00007FFE13277B12
si|II;getnameinfo(): illegal sockaddr argument, xrefs: 00007FFE13277A0C
IPv4 sockaddr must be 2 tuple, xrefs: 00007FFE13277BA1
getnameinfo() argument 1 must be a tuple, xrefs: 00007FFE132779BC
getnameinfo(): flowinfo must be 0-1048575., xrefs: 00007FFE13277A2E
Oi:getnameinfo, xrefs: 00007FFE13277979
socket.getnameinfo, xrefs: 00007FFE13277A43
(O), xrefs: 00007FFE13277A3C

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: AddrFreeInfogetaddrinfogetnameinfohtonl
String ID: $(O)$IPv4 sockaddr must be 2 tuple$Oi:getnameinfo$getnameinfo() argument 1 must be a tuple$getnameinfo(): flowinfo must be 0-1048575.$si|II;getnameinfo(): illegal sockaddr argument$sockaddr resolved to multiple addresses$socket.getnameinfo
API String ID: 4001298222-3083988921
Opcode ID: 8172ef050336c576baa91661fce6dafb572fbb64b907fef6e4d363b14985fb42
Instruction ID: 0d62928efe821e379e9fd1edffcd383ab43849d7854d35c2e8cb777f93048ed8
Opcode Fuzzy Hash: 8172ef050336c576baa91661fce6dafb572fbb64b907fef6e4d363b14985fb42
Instruction Fuzzy Hash: BE810D71A08F428AEB10AB26E4442BA73B1FBE4BA4F500176DA4D67A74DF7CE545CB40

Function 00007FFE013C02D8 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 197COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getTemplateName.LIBVCRUNTIME ref: 00007FFE013C0356

Strings

generic-type-, xrefs: 00007FFE013C040D
template-parameter-, xrefs: 00007FFE013C03D1

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Decorator::getNameTemplate
String ID: generic-type-$template-parameter-
API String ID: 1828801485-13229604
Opcode ID: cd794bd184d42fcc430be5404e90855acf66cd71f42aa28de855b1b3bb644124
Instruction ID: 9ce5912ba29b390cc330ea22cb1a3e55d90730c770262da670d17428f51bd1aa
Opcode Fuzzy Hash: cd794bd184d42fcc430be5404e90855acf66cd71f42aa28de855b1b3bb644124
Instruction Fuzzy Hash: 5D917826A08A86DAEB14CB64D8903BD33B1AB54788F864032EA4D5F7B5DF7DE509C740

Function 00007FFE13302A48 Relevance: 21.2, APIs: 14, Instructions: 156COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302A7C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302AB5
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302AED
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302B16
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302B38
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302B4C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302B86
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302BA8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302BBC
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302BF1

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: fead68839a78518182c3d658b19b0aea22ffa5b8ddac6850a95f5d947da0cf14
Instruction ID: 842614537ae0f6b50fbaef34af58c93b14071919c01255ae8d4213392564e694
Opcode Fuzzy Hash: fead68839a78518182c3d658b19b0aea22ffa5b8ddac6850a95f5d947da0cf14
Instruction Fuzzy Hash: B251A232A08F428AEA14AB52D58423C6360FF78B65F0049B6CE3D637B1CF3DE4568319

Function 00007FFE013E4D18 Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 151COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013E4E62
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013E4E8E

Strings

NAN(IND), xrefs: 00007FFE013E4DC0
NAN(SNAN), xrefs: 00007FFE013E4DAA
inf, xrefs: 00007FFE013E4D9B
nan(snan), xrefs: 00007FFE013E4DB5
nan(ind), xrefs: 00007FFE013E4DCB
INF, xrefs: 00007FFE013E4D88
NAN, xrefs: 00007FFE013E4D76
nan, xrefs: 00007FFE013E4D7D

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 1452528299-2617248754
Opcode ID: b7f5d93782a90aa7d0ad063588971812f68eaa9763b833481060027aa673e715
Instruction ID: 7588ca8797861549272bb0d47e9dab11687d19989845852ffb350ff23f1997bc
Opcode Fuzzy Hash: b7f5d93782a90aa7d0ad063588971812f68eaa9763b833481060027aa673e715
Instruction Fuzzy Hash: 07615B31A0DB428AEB549B74E8513B933E5AF98398F010635DA5D4BBF9EF3CA5158340

Function 00007FFE013BE690 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFE013BE6F2
DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BE702

Part of subcall function 00007FFE013BC000: DName::operator=.LIBVCRUNTIME ref: 00007FFE013BC084
Part of subcall function 00007FFE013BC000: DName::DName.LIBVCRUNTIME ref: 00007FFE013BC340
Part of subcall function 00007FFE013BC000: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BC350
Part of subcall function 00007FFE013BC000: DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BC384
Part of subcall function 00007FFE013BC000: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BC394
Part of subcall function 00007FFE013BC000: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BC3A1

UnDecorator::getPtrRefType.LIBVCRUNTIME ref: 00007FFE013BE73B
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BE8CB

Strings

volatile, xrefs: 00007FFE013BE6E7, 00007FFE013BE815
std::nullptr_t , xrefs: 00007FFE013BE7D9
std::nullptr_t, xrefs: 00007FFE013BE7F1

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Name::operator+$Name::operator+=Name::operator=$Decorator::getNameName::Name::doPcharType
String ID: std::nullptr_t$std::nullptr_t $volatile
API String ID: 651045434-294867888
Opcode ID: c78329094525fcf9904cbeeeaf0260f8faebf6f791a68138268abbf138ed1c33
Instruction ID: b4bb036685d7bdd98109be83b89012239b0bc5bfc270c848622c3927773c32dd
Opcode Fuzzy Hash: c78329094525fcf9904cbeeeaf0260f8faebf6f791a68138268abbf138ed1c33
Instruction Fuzzy Hash: D9615E72E08A5294FB149F68D8900F877B5FB04B88B594136DB4E4BAB5EF7CE150C300

Function 00007FFE0138B260 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 291COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE01389EC0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389EC8
Part of subcall function 00007FFE01389EC0: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389F50

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FFE013D1EF1), ref: 00007FFE0138B28B

Part of subcall function 00007FFE01398DD0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013CA666,?,?,00000000,00007FFE013CD82A,?,?,?,00007FFE013C7AE1), ref: 00007FFE01398DE4
Part of subcall function 00007FFE01398DD0: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013CA666,?,?,00000000,00007FFE013CD82A,?,?,?,00007FFE013C7AE1), ref: 00007FFE01398E2B

LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FFE013D1EF1), ref: 00007FFE0138B2FE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE0138B376
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE0138B437
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013C99DA
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013C99E1

Strings

FlsGetValue, xrefs: 00007FFE013C9988, 00007FFE013C9A31

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$CriticalSection$Concurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_EnterLeave
String ID: FlsGetValue
API String ID: 3230684533-662576866
Opcode ID: c3426e38f44684b669efdbbce9432b6eace8fcc3b84cc672725d4ea16a0b2ae9
Instruction ID: 4541b4374ef776389a543d545fa1c797c770d77c8a052abcedbaec896ef4a164
Opcode Fuzzy Hash: c3426e38f44684b669efdbbce9432b6eace8fcc3b84cc672725d4ea16a0b2ae9
Instruction Fuzzy Hash: A6C19A32B19B438AFB148B25E8512BD63A5AF48798F4A4536D91D4F7B9EF3CE805C301

Function 00007FFE1327725C Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 244COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00007FFE13277477
FreeAddrInfoW.WS2_32 ref: 00007FFE1327757B
FreeAddrInfoW.WS2_32 ref: 00007FFE132775D9

Strings

iiisO, xrefs: 00007FFE13277503
socket.getaddrinfo, xrefs: 00007FFE13277406
Int or String expected, xrefs: 00007FFE132775AC
getaddrinfo() argument 1 must be string or None, xrefs: 00007FFE132775E8
OOiii, xrefs: 00007FFE132773F5
idna, xrefs: 00007FFE13277321
OO|iiii:getaddrinfo, xrefs: 00007FFE132772AF
%ld, xrefs: 00007FFE1327738A

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: AddrFreeInfo$getaddrinfo
String ID: %ld$Int or String expected$OOiii$OO|iiii:getaddrinfo$getaddrinfo() argument 1 must be string or None$idna$iiisO$socket.getaddrinfo
API String ID: 2288433384-3943835681
Opcode ID: 8720e96b0350aa0fa432fd23d9cb1f5c97aff05348f0c23218e180449fa3eb16
Instruction ID: b30d499f704e0918f39943ea69512ca48e064c37f1dc134d795d0eaf8323fdfd
Opcode Fuzzy Hash: 8720e96b0350aa0fa432fd23d9cb1f5c97aff05348f0c23218e180449fa3eb16
Instruction Fuzzy Hash: E7B10A72B08F128AEB10EF66E4505BC23B1BBB9BA4B0445B5DE0E67764DE3CE445C740

Function 00007FFE13303C70 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FFE13303C93
_CxxThrowException.LIBVCRUNTIME ref: 00007FFE13303CD0
_CxxThrowException.LIBVCRUNTIME ref: 00007FFE13303CF3
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE13303D04
_CxxThrowException.LIBVCRUNTIME ref: 00007FFE13303D15
RtlPcToFileHeader.KERNEL32 ref: 00007FFE13303DA0
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE13303E52
_CxxThrowException.LIBVCRUNTIME ref: 00007FFE13303E63
_CxxThrowException.LIBVCRUNTIME ref: 00007FFE13303E8C

Strings

Bad read pointer - no RTTI data!, xrefs: 00007FFE13303CB3
Access violation - no RTTI data!, xrefs: 00007FFE13303CD6, 00007FFE13303E6F

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: ExceptionThrow$FileHeaderstd::bad_alloc::bad_alloc
String ID: Access violation - no RTTI data!$Bad read pointer - no RTTI data!
API String ID: 63457273-1829174677
Opcode ID: 48d942c1111f90c57d4d77f2c68cd7c094e12fa67c9e4fed7b0efa5bcd1c6e13
Instruction ID: 62e943450dc8cbb3b4048113965d3e1047151e8f8e58fdf10ec504bf8cc4ea44
Opcode Fuzzy Hash: 48d942c1111f90c57d4d77f2c68cd7c094e12fa67c9e4fed7b0efa5bcd1c6e13
Instruction Fuzzy Hash: 0F61A032718E869AEA10CF12E5802BEA3A0FB64BB4F405175EAAD53775DF3CD545C704

Function 00007FFE13303040 Relevance: 18.2, APIs: 12, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFE133032A3,?,?,?,00007FFE13302CE7), ref: 00007FFE1330307A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFE133032A3,?,?,?,00007FFE13302CE7), ref: 00007FFE133030AD
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFE133032A3,?,?,?,00007FFE13302CE7), ref: 00007FFE1330311A
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFE133032A3,?,?,?,00007FFE13302CE7), ref: 00007FFE13303138
__AdjustPointer.LIBCMT ref: 00007FFE13303179
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFE133032A3,?,?,?,00007FFE13302CE7), ref: 00007FFE13303186
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFE133032A3,?,?,?,00007FFE13302CE7), ref: 00007FFE1330319F
__AdjustPointer.LIBCMT ref: 00007FFE133031D3
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFE133032A3,?,?,?,00007FFE13302CE7), ref: 00007FFE133031E8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFE133032A3,?,?,?,00007FFE13302CE7), ref: 00007FFE1330320A
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFE133032A3,?,?,?,00007FFE13302CE7), ref: 00007FFE13303239
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00007FFE133032A3,?,?,?,00007FFE13302CE7), ref: 00007FFE13303240

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: terminate$abort$AdjustPointer
String ID:
API String ID: 1115439649-0
Opcode ID: f64bbe57d7db26001b8bcd52496f9bf51d695d9bf4131af8b6190256aa5124b1
Instruction ID: e62a70fe3f4032759f7831ae8a5dccac1aa286bd5e15ac135305fab34191be9a
Opcode Fuzzy Hash: f64bbe57d7db26001b8bcd52496f9bf51d695d9bf4131af8b6190256aa5124b1
Instruction Fuzzy Hash: E5619531A0AF4289FE199B07D14423E63A4AF25FB0B0944B9CA7D277A1DF3CE4418319

Function 00007FFE1330559C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FFE133055FA

Strings

generic-type-, xrefs: 00007FFE133056B4
template-parameter-, xrefs: 00007FFE13305678

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Replicator::operator[]
String ID: generic-type-$template-parameter-
API String ID: 3676697650-13229604
Opcode ID: 15e139576b22ffe1c75b7196b9f80b59ed6480602684051e6bae135f77d95c58
Instruction ID: 03a0f42be5d97d526c5160a1818fadfcbab5104e4cabf6bb9ef324160152979d
Opcode Fuzzy Hash: 15e139576b22ffe1c75b7196b9f80b59ed6480602684051e6bae135f77d95c58
Instruction Fuzzy Hash: 43917C62B0CE4ACDFB14CB62D4901BD37B1AB647A4B8011B5DE6D67BA6CE3CD416C708

Function 00007FFE13274D80 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 137networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13272290: inet_pton.WS2_32 ref: 00007FFE13272338

htons.WS2_32 ref: 00007FFE13274FDF

Strings

%s(): port must be 0-65535., xrefs: 00007FFE13274F54
%s(): AF_INET6 address must be tuple, not %.500s, xrefs: 00007FFE13274DEF
%s(): flowinfo must be 0-1048575., xrefs: 00007FFE13274EB3
O&i;AF_INET address must be a pair (host, port), xrefs: 00007FFE13274F2F
%s(): bad family, xrefs: 00007FFE13274DB9
O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]]), xrefs: 00007FFE13274E41
%s(): AF_INET address must be tuple, not %.500s, xrefs: 00007FFE13274F0A

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: htonsinet_pton
String ID: %s(): AF_INET address must be tuple, not %.500s$%s(): AF_INET6 address must be tuple, not %.500s$%s(): bad family$%s(): flowinfo must be 0-1048575.$%s(): port must be 0-65535.$O&i;AF_INET address must be a pair (host, port)$O&i|II;AF_INET6 address must be a tuple (host, port[, flowinfo[, scopeid]])
API String ID: 3877577928-3646714921
Opcode ID: ef9d253bca5788aaec0f56b8a9be97946b5beeb07af36ff499633a12f8160c36
Instruction ID: 4eb2dff73f7049774fac67a3bf0c5a1891e78077641efbca94a66d9844702934
Opcode Fuzzy Hash: ef9d253bca5788aaec0f56b8a9be97946b5beeb07af36ff499633a12f8160c36
Instruction Fuzzy Hash: EC613B32A08F428AE610EF16E44467A73B0FBF5BA4F504172EA4D67AA4DF3CE545CB41

Function 00007FFE133093FC Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE133094BF

Part of subcall function 00007FFE1330B390: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330B3AB

DName::operator=.LIBVCRUNTIME ref: 00007FFE133094F1
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13309522

Part of subcall function 00007FFE133085E0: DName::operator=.LIBVCRUNTIME ref: 00007FFE13308653
Part of subcall function 00007FFE133085E0: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330869D

Strings

unknown ecsu', xrefs: 00007FFE13309544
union , xrefs: 00007FFE133094E6
struct , xrefs: 00007FFE133094DD
cointerface , xrefs: 00007FFE1330947C
enum , xrefs: 00007FFE1330949E
coclass , xrefs: 00007FFE13309485
class , xrefs: 00007FFE133094D4

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+Name::operator+=Name::operator=
String ID: class $coclass $cointerface $enum $struct $union $unknown ecsu'
API String ID: 2521687178-3025788322
Opcode ID: a02d682005c4f8f87c802cf0d30af9cc80522cc67ca91cea7a7b89970b19caa2
Instruction ID: ec765d3ef0d6295705ed10caec78f46647a78e74663a324cebf94b2ca516b01b
Opcode Fuzzy Hash: a02d682005c4f8f87c802cf0d30af9cc80522cc67ca91cea7a7b89970b19caa2
Instruction Fuzzy Hash: 6D410872E18E169DE714CB66D8943BC23B0BB28764F8441B5DA2D67AB9DF3CE544C308

Function 00007FFE1330A838 Relevance: 16.7, APIs: 11, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330A915
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A993
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A9A3
DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330A9AF
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330AA17

Part of subcall function 00007FFE1330B554: DName::operator=.LIBVCRUNTIME ref: 00007FFE1330B581

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330AA07
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A9F7

Part of subcall function 00007FFE1330B390: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330B3AB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330AA7C
DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330AAAB
DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330AAE2
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330AAF2

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+$Name::operator+=$Name::operator=
String ID:
API String ID: 3504876306-0
Opcode ID: 4cf0dd5078d3509ba570865b42868e9da23906801017a10dcb0b1e26b8be7c43
Instruction ID: a6c7905216491adea0190459eaedf4514d1160e5727802e4b825e8909f212743
Opcode Fuzzy Hash: 4cf0dd5078d3509ba570865b42868e9da23906801017a10dcb0b1e26b8be7c43
Instruction Fuzzy Hash: DB919B62B14A969DFB00CFA2D8801ED37B2FB50768F404176DE5D2BAA9DF78E446C344

Function 00007FFE13306A84 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 212COMMONLIBRARYCODE

Download Yara Rule

APIs

Replicator::operator[].LIBVCRUNTIME ref: 00007FFE13306B0B
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13306D59

Strings

`template-parameter, xrefs: 00007FFE13306C6C, 00007FFE13306CAE
void, xrefs: 00007FFE13306BAC
..., xrefs: 00007FFE13306D6A

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+=Replicator::operator[]
String ID: ...$`template-parameter$void
API String ID: 2096148573-2152273162
Opcode ID: 665771c79e234ad4dc464f400d0cf3f39faa05bfa49c5029af23b19dd9380440
Instruction ID: 5bc4f397c1dfd1c10dfd9f3d9ba9de32d99fbf4be442f9f2ae3b14fcb0dd1d9f
Opcode Fuzzy Hash: 665771c79e234ad4dc464f400d0cf3f39faa05bfa49c5029af23b19dd9380440
Instruction Fuzzy Hash: 91A1A066A08F468DEA11CB27E4401BD27A0FB687B8F6041B1DA6D6377ADE3CE545D308

Function 00007FFE0138FDD1 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 168libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE0138FDD1
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE0138FE80
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE013CB143
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE013CB159
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013CB1E0
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013CB1E7
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE013CB270
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE013CB286

Strings

FlsGetValue, xrefs: 00007FFE013CB14F, 00007FFE013CB27C

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressProcValue$Concurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_
String ID: FlsGetValue
API String ID: 2924934987-662576866
Opcode ID: f52ed380836041d23aee315c19e5dac88337c92004505e8cead1a9440b48578b
Instruction ID: 42ad55622caf196bdce660242c3bcf7f3bf644631d3a6c53e35bd38b625bc4d4
Opcode Fuzzy Hash: f52ed380836041d23aee315c19e5dac88337c92004505e8cead1a9440b48578b
Instruction Fuzzy Hash: 0A619D60F0DB0386FB589B25A8212B863A56F497E8F460335D82E5F3F5EE3CB8458300

Function 00007FFE0138D140 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 159libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138D2CC), ref: 00007FFE0138D14A
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138D2CC), ref: 00007FFE0138D19C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138D2CC), ref: 00007FFE0138D1C1
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138D2CC), ref: 00007FFE0138D207
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,00007FFE0138D2CC), ref: 00007FFE0138D263
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013CA36E
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138D2CC), ref: 00007FFE013CA375
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00007FFE0138D2CC), ref: 00007FFE013CA3DB

Part of subcall function 00007FFE0138D4D0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE0138D549
Part of subcall function 00007FFE0138D4D0: TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE013C6003

Strings

FlsGetValue, xrefs: 00007FFE0138D259

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressProcValue$Concurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_
String ID: FlsGetValue
API String ID: 2924934987-662576866
Opcode ID: 4e3376b875426cc0c2da9dad461cceea9f39f7fcaf12e3b06dfc2c35fe93cecf
Instruction ID: 85917878843cbf285a3d349ebdf0448db8934499f11f3d6dddb99ee74cca8616
Opcode Fuzzy Hash: 4e3376b875426cc0c2da9dad461cceea9f39f7fcaf12e3b06dfc2c35fe93cecf
Instruction Fuzzy Hash: CD51CD20F0D70786FB549BA5A9611BC63A5AF897A8F460234E91D4F7F6EE7CF8458300

Function 00007FFE0138CC80 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138CE0C), ref: 00007FFE0138CC8A
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138CE0C), ref: 00007FFE0138CCDC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138CE0C), ref: 00007FFE0138CD01
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138CE0C), ref: 00007FFE0138CD47
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,00007FFE0138CE0C), ref: 00007FFE0138CDA3
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013CA1C2
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138CE0C), ref: 00007FFE013CA1C9
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00007FFE0138CE0C), ref: 00007FFE013CA22F

Part of subcall function 00007FFE0138D4D0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE0138D549
Part of subcall function 00007FFE0138D4D0: TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE013C6003

Strings

FlsGetValue, xrefs: 00007FFE0138CD99

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressProcValue$Concurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_
String ID: FlsGetValue
API String ID: 2924934987-662576866
Opcode ID: d6434e662464deee8233572b9f92d953cb998a06bf3648825ffe5b64189818c6
Instruction ID: 6eefbb828124f9b5461e23df1f54885e63b84afc095be1aa64140c2dabd23070
Opcode Fuzzy Hash: d6434e662464deee8233572b9f92d953cb998a06bf3648825ffe5b64189818c6
Instruction Fuzzy Hash: 84519B20F0D70786FB14AB65A9511BC63A5AF897A8F461634E91E4F7F6EE3CF8458300

Function 00007FFE0138C4B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 156libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138C499), ref: 00007FFE0138C4BA
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138C499), ref: 00007FFE0138C50C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138C499), ref: 00007FFE0138C531
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138C499), ref: 00007FFE0138C577
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,00007FFE0138C499), ref: 00007FFE0138C5D3
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013C9FF6
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138C499), ref: 00007FFE013C9FFD

Part of subcall function 00007FFE0138D4D0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE0138D549
Part of subcall function 00007FFE0138D4D0: TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE013C6003

TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00007FFE0138C499), ref: 00007FFE013CA063

Strings

FlsGetValue, xrefs: 00007FFE0138C5C9

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressProcValue$Concurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_
String ID: FlsGetValue
API String ID: 2924934987-662576866
Opcode ID: a6e727784818a43a95466b9ad5db6175986da5091dc0bed355263e2ac5cf96a3
Instruction ID: 5d261a7f7fb5f64dc512e244e5f565d84e87c92219d3c1c6bdba8c65d1dcbe71
Opcode Fuzzy Hash: a6e727784818a43a95466b9ad5db6175986da5091dc0bed355263e2ac5cf96a3
Instruction Fuzzy Hash: 0451DD20B09B4386EB149B66E9501BC63A4AF49BE8F050235ED1D5F7F6EE3CF8458300

Function 00007FFE01389D30 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 152libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,00007FFE01421E7C,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE01389D3A
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE01421E7C,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE01389D8C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE01421E7C,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE01389DB1
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE01421E7C,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE01389DF7
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,00007FFE01421E7C,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE01389E4F
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013C8B1A
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE01421E7C,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE013C8B21
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00007FFE01421E7C,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE013C8B87

Part of subcall function 00007FFE0138D4D0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE0138D549
Part of subcall function 00007FFE0138D4D0: TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE013C6003

Strings

FlsGetValue, xrefs: 00007FFE01389E45

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressProcValue$Concurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_
String ID: FlsGetValue
API String ID: 2924934987-662576866
Opcode ID: f2329266c236cee3302473edb8e7c83319f9b1b8437158587f5ec80500eb432a
Instruction ID: ab3e93f059cfa932ec062f92fd536ec0d5cbbb35a3a7f520cb74de62845dfe63
Opcode Fuzzy Hash: f2329266c236cee3302473edb8e7c83319f9b1b8437158587f5ec80500eb432a
Instruction Fuzzy Hash: E4519860B0DB038AFB149B65E96127C63A5AF887A8F060635D91E5F7F5EE3CF9058300

Function 00007FFE0138D360 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138D5A8), ref: 00007FFE0138D36A
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138D5A8), ref: 00007FFE0138D3BC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138D5A8), ref: 00007FFE0138D3E1
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138D5A8), ref: 00007FFE0138D427
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,00007FFE0138D5A8), ref: 00007FFE0138D487
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013CA446
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,00007FFE0138D5A8), ref: 00007FFE013CA44D
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,00007FFE0138D5A8), ref: 00007FFE013CA4B3

Part of subcall function 00007FFE0138D4D0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE0138D549
Part of subcall function 00007FFE0138D4D0: TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE013C6003

Strings

FlsGetValue, xrefs: 00007FFE0138D47D

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressProcValue$Concurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_
String ID: FlsGetValue
API String ID: 2924934987-662576866
Opcode ID: 77fce9172f88cbdad6ddcaee4a143c95107f181c30401ff31f0dab345b65509d
Instruction ID: cf1056bf62878b080f708b5dbcb585367f6563acce3bb15e4976d021c681e7e0
Opcode Fuzzy Hash: 77fce9172f88cbdad6ddcaee4a143c95107f181c30401ff31f0dab345b65509d
Instruction Fuzzy Hash: E651BF20B0DB0386FB549B65E9651BC63A5AF497A8F450234D91E6F7F5EE3CF8058301

Function 00007FFE1330C3B0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 140COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 00007FFE1330C42C
_free_base.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1330C450
__vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFE1330C4FE
TlsFree.KERNEL32 ref: 00007FFE1330C56E
__vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFE1330C57A
FreeLibrary.KERNEL32 ref: 00007FFE1330C594

Strings

__based(, xrefs: 00007FFE1330C3F7, 00007FFE1330C539
FlsGetValue, xrefs: 00007FFE1330C405
FlsFree, xrefs: 00007FFE1330C549

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Free__vcrt_uninitialize_locks$LibraryValue_free_base
String ID: FlsFree$FlsGetValue$__based(
API String ID: 2814451518-2927404567
Opcode ID: f6cfbe63c062ea6287187b3eb5a9fe17c3e4f29cae45bc5e4672bc025ee94fd5
Instruction ID: aa0ba404f87c431b6987d5bd563e8ec8f034aab8fbc5094cc15a88e3f0df7788
Opcode Fuzzy Hash: f6cfbe63c062ea6287187b3eb5a9fe17c3e4f29cae45bc5e4672bc025ee94fd5
Instruction Fuzzy Hash: 5C519E61E09F038EEE55AB57A84017C62A2AF64770F4402B5D97E777F6DE2CE846830C

Function 00007FFE13304A20 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FFE13304945,?,?,?,00007FFE13301831), ref: 00007FFE13304B7A

Strings

ext-ms-, xrefs: 00007FFE13304AF9
api-ms-, xrefs: 00007FFE13304AE5

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: AddressProc
String ID: api-ms-$ext-ms-
API String ID: 190572456-537541572
Opcode ID: 305ed8650c29c88a46931ba75e192595f887792d6ebc16c8c7e4d4d625547515
Instruction ID: 43089e1e9a61505f1228caf31cad6c5a1c12556cff6f426caf18bbaa865131c7
Opcode Fuzzy Hash: 305ed8650c29c88a46931ba75e192595f887792d6ebc16c8c7e4d4d625547515
Instruction Fuzzy Hash: 0A412361B09E0289FA15DB13A9443B96391BF24BF0F0845B5CD7DBB3A4EE3CE1058748

Function 00007FFE13302D60 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302D97
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302DB1
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302DFC
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302E11
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302E26
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302E62
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302F58
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302F75

Strings

csm, xrefs: 00007FFE13302F1C

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort
String ID: csm
API String ID: 4206212132-1018135373
Opcode ID: f7736b398cdf48044678fa18456032d209415373489a7dee373e069894c23483
Instruction ID: e24519857790433d554f2cc53c8f588df2976bc65ba12cf7f2b8d6932363c384
Opcode Fuzzy Hash: f7736b398cdf48044678fa18456032d209415373489a7dee373e069894c23483
Instruction Fuzzy Hash: B8518132A08F428AEA649B13E44016D63A4FF68BB4F1006B5DE6D63B75DF3CE461C709

Function 00007FFE1330A690 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A818

Part of subcall function 00007FFE13308F68: DName::operator=.LIBVCRUNTIME ref: 00007FFE13308FFD
Part of subcall function 00007FFE13308F68: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330935E
Part of subcall function 00007FFE13308F68: DName::operator+.LIBVCRUNTIME ref: 00007FFE133093A0
Part of subcall function 00007FFE13308F68: DName::operator+=.LIBVCRUNTIME ref: 00007FFE133093AD

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A7AA

Part of subcall function 00007FFE1330B390: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330B3AB

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330A7E3

Strings

std::nullptr_t , xrefs: 00007FFE1330A754
cli::array<, xrefs: 00007FFE1330A788
cli::pin_ptr<, xrefs: 00007FFE1330A7C1
void , xrefs: 00007FFE1330A6EF
void, xrefs: 00007FFE1330A6D8
std::nullptr_t, xrefs: 00007FFE1330A74B

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+$Name::operator+=$Name::operator=
String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
API String ID: 3504876306-2239912363
Opcode ID: fb905b2f36ee6f8e76145deec34df325946bc174dcf074b8bb2b93575c82a950
Instruction ID: 3de4f35fe024d2d90b41bebadf867d98e5da65ebe2da7e1952a8e2d12216a2d6
Opcode Fuzzy Hash: fb905b2f36ee6f8e76145deec34df325946bc174dcf074b8bb2b93575c82a950
Instruction Fuzzy Hash: 99517572E08F569CFB11CB62E8401BD37B4BB24BA4F4085B5EA2D227A5DF7C9546C704

Function 00007FFE13301D48 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301D83
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301E39
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301E5E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301EBD
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301F11
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301F6E

Strings

csm, xrefs: 00007FFE13301DB3
csm, xrefs: 00007FFE13301F44

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$terminate
String ID: csm$csm
API String ID: 579254285-3733052814
Opcode ID: bf2bd8ebdab93d80cc5c3377118db6f6a4f09d09715ac30f3a7fa679fbe568cb
Instruction ID: 7aac219828dd63f1d345f6c90eff95f96fbd49eb39a322c91557898ad70f8b80
Opcode Fuzzy Hash: bf2bd8ebdab93d80cc5c3377118db6f6a4f09d09715ac30f3a7fa679fbe568cb
Instruction Fuzzy Hash: DA819336E08E428AEA349B57958477DA690BB64BA5F044275CB6D23BB2CF3CE451C708

Function 00007FFE1330AB24 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330AB9A
DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330ACB8

Part of subcall function 00007FFE1330616C: DName::operator+.LIBVCRUNTIME ref: 00007FFE133061EA
Part of subcall function 00007FFE1330616C: DName::operator+.LIBVCRUNTIME ref: 00007FFE13306235
Part of subcall function 00007FFE1330616C: DName::operator+.LIBVCRUNTIME ref: 00007FFE133062DF
Part of subcall function 00007FFE1330616C: DName::operator+.LIBVCRUNTIME ref: 00007FFE133062EF
Part of subcall function 00007FFE1330616C: DName::operator+.LIBVCRUNTIME ref: 00007FFE133065B5

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330AC3F
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330AC4F
DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330AC5A

Part of subcall function 00007FFE1330B638: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330B653

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330ABA9

Part of subcall function 00007FFE1330B390: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330B3AB

Part of subcall function 00007FFE1330B554: DName::operator=.LIBVCRUNTIME ref: 00007FFE1330B581

DName::operator+.LIBVCRUNTIME ref: 00007FFE1330ACF5

Strings

{for , xrefs: 00007FFE1330ABD2

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+$Name::operator+=$Name::operator=
String ID: {for
API String ID: 3504876306-864106941
Opcode ID: 1c92e329c404754517839ad3aba3f804cdfa7fe5de4e7f1074ce51ab54e1b3f4
Instruction ID: 36991d0ae3b1f38d15f4e3c18af1b8f7e7085f75aa2ee04bebba9466514071aa
Opcode Fuzzy Hash: 1c92e329c404754517839ad3aba3f804cdfa7fe5de4e7f1074ce51ab54e1b3f4
Instruction Fuzzy Hash: AB516C72A08E459DFB01CB66D8403ED27A1BB247A4F8440B1DA6D67BA6CF7CE485C348

Function 00007FFE133037D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330381E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330383F
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303858
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303871
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13303892
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133038A6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133038BD

Strings

csm, xrefs: 00007FFE133037F2

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort
String ID: csm
API String ID: 4206212132-1018135373
Opcode ID: cee6b53f9be09bf52de3ade6e9bb4be5d591decda02f78e2ecb72a162e3db562
Instruction ID: 5eb52bb924837eb2f60129d0c84d077bce86f60e5e29451edf3c8a2fda1aaec5
Opcode Fuzzy Hash: cee6b53f9be09bf52de3ade6e9bb4be5d591decda02f78e2ecb72a162e3db562
Instruction Fuzzy Hash: 84312231D09F428AFA585B52D08423E22A4EF78B76F140AF5CA3C227E1DF3CE4548659

Function 00007FFE013BD374 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFE013BD3E6
DName::DName.LIBVCRUNTIME ref: 00007FFE013BD411
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BD421

Strings

int , xrefs: 00007FFE013BD3C9
char , xrefs: 00007FFE013BD3DB
unsigned , xrefs: 00007FFE013BD406
long , xrefs: 00007FFE013BD3C0
short , xrefs: 00007FFE013BD3D2

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: NameName::Name::operator+Name::operator=
String ID: char $int $long $short $unsigned
API String ID: 2383713746-3894466517
Opcode ID: d821475bbf388ec6fe5dfc2d78fea0b03bb5bbd43309547eec5bbefa909cfc05
Instruction ID: 3b706c883c743c522d2d40230567cb2e6d6ba768f6cc609b3ed49d8303f7633f
Opcode Fuzzy Hash: d821475bbf388ec6fe5dfc2d78fea0b03bb5bbd43309547eec5bbefa909cfc05
Instruction Fuzzy Hash: 95313832E19A5699EB008FA8E8C01F837B1AB4475CB994032DB4D5B2BAEF7CE541C714

Function 00007FFE013BBBE4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBVCRUNTIME ref: 00007FFE013BBC0B

Part of subcall function 00007FFE013BBAB8: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BBB41

DName::operator+.LIBVCRUNTIME ref: 00007FFE013BBC71
DName::DName.LIBVCRUNTIME ref: 00007FFE013BBCD7

Strings

,<ellipsis>, xrefs: 00007FFE013BBC41
void, xrefs: 00007FFE013BBCC9
..., xrefs: 00007FFE013BBCB9
,..., xrefs: 00007FFE013BBC66
<ellipsis>, xrefs: 00007FFE013BBC9E

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 2164699225-2211150622
Opcode ID: 4a4bb6859b1cf1c336275f23dabc32d47eb2a2d6a5ffe25e480bef53d4d94cd4
Instruction ID: 516802f4ea9f0b87d7b39e011224e38c1835aa4ae10cc818e951d7925ea9d162
Opcode Fuzzy Hash: 4a4bb6859b1cf1c336275f23dabc32d47eb2a2d6a5ffe25e480bef53d4d94cd4
Instruction Fuzzy Hash: DA315372909B8799FB11CB14E8801B977A4EB48798F998031C68D4F3B9EFBCE941C711

Function 00007FFE013815A0 Relevance: 13.8, APIs: 9, Instructions: 282fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE01381844: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFE0138161E), ref: 00007FFE01381864
Part of subcall function 00007FFE01381844: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFE0138161E), ref: 00007FFE013818BA
Part of subcall function 00007FFE01381844: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFE0138161E), ref: 00007FFE01381948

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE0138167D
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE0138169B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE0138182C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013C6296
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFE013C62C9

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: CriticalSection$EnterErrorFileLast$CloseCreateHandleLeaveType
String ID:
API String ID: 3788438030-0
Opcode ID: 527d567c00684b35144dbc2424836a878e2d970a9eb86903730408bd2a2d3b2c
Instruction ID: 9551d807324a2c670c17f9e18c7c1e31e4cd3bcdb47b96c7508b2fb971846af1
Opcode Fuzzy Hash: 527d567c00684b35144dbc2424836a878e2d970a9eb86903730408bd2a2d3b2c
Instruction Fuzzy Hash: 6FC1D076B28B418AEB10CF69D4811AD37B1EB49B98B061239DE6E5B7E5CF3CD416C300

Function 00007FFE013F0A3C Relevance: 13.6, APIs: 9, Instructions: 80threadCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013F0A4D
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013F0A75
ExitThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE013F0A7D
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013F0AC5
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013F0B0F
ExitThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE013F0B2C

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$ExitThread$Concurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_
String ID:
API String ID: 2407257114-0
Opcode ID: a82bbfc26a4f87a68aab9730668b4fbc3fc0cbb5762d8adda0e6baaf70d74d42
Instruction ID: 744a3d3f422da655e59f8f4e3e365d2573920b247c76d30ee2821d562c9186b9
Opcode Fuzzy Hash: a82bbfc26a4f87a68aab9730668b4fbc3fc0cbb5762d8adda0e6baaf70d74d42
Instruction Fuzzy Hash: 52315E20B0CA4342FF596B74995427D62A6AF40BB8F564338E53E1F6F6DF6CE8058340

Function 00007FFE01389EC0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 142libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389EC8
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389F50
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE01389FA2
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013C5F56
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE013C5F5D
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00007FFE013854DE,?,?,?,00007FFE013853F1,?,?,?,?,?,?,?,00007FFE0138532D), ref: 00007FFE013C5FC3

Strings

FlsGetValue, xrefs: 00007FFE01389F98

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressConcurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_ProcValue
String ID: FlsGetValue
API String ID: 2828593425-662576866
Opcode ID: 7ebf263ede67ec0f7268489d2c9e8204356379416a53b3ccdee963751b19d755
Instruction ID: 861d1037c2310660f54c8f8ce1816106c2caa6599e8b8bacad0ddb4053a9c732
Opcode Fuzzy Hash: 7ebf263ede67ec0f7268489d2c9e8204356379416a53b3ccdee963751b19d755
Instruction Fuzzy Hash: 63518F61B0DB0386FB189B25A95427D63A1AF897E8F554235E91E0F7F5EE3CF8098300

Function 00007FFE132759C0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FFE13275A5D
WSAGetLastError.WS2_32 ref: 00007FFE13275A65
WSAGetLastError.WS2_32 ref: 00007FFE13275AC8
WSAGetLastError.WS2_32 ref: 00007FFE13275AD0
WSAGetLastError.WS2_32 ref: 00007FFE13275AF5
WSAGetLastError.WS2_32 ref: 00007FFE13275B0F

Strings

timed out, xrefs: 00007FFE13275B4E

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: ErrorLast
String ID: timed out
API String ID: 1452528299-3163636755
Opcode ID: 82681b19adf6d6ad467b42a6fe9b12e27ddc8409e2936538c2157e22f345ca03
Instruction ID: 884091f2ed682ff7888fe11fb16bc6cb0d98f264ca671a33b24eac3f7a95be01
Opcode Fuzzy Hash: 82681b19adf6d6ad467b42a6fe9b12e27ddc8409e2936538c2157e22f345ca03
Instruction Fuzzy Hash: A4414521E08E92CEF7657B679448279A250BFF4B70F2451B0CD4E666B4DF3CE885C250

Function 00007FFE13276044 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 113networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32 ref: 00007FFE1327613A
WSAIoctl.WS2_32 ref: 00007FFE132761A9
WSAIoctl.WS2_32 ref: 00007FFE13276216

Strings

kO:ioctl, xrefs: 00007FFE1327607F
k(kkk):ioctl, xrefs: 00007FFE13276167
kI:ioctl, xrefs: 00007FFE132760FC, 00007FFE132761D4
invalid ioctl command %lu, xrefs: 00007FFE132760BE

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: Ioctl
String ID: invalid ioctl command %lu$k(kkk):ioctl$kI:ioctl$kO:ioctl
API String ID: 3041054344-4238462244
Opcode ID: 35bebcf9f928722b537939ffd19b7844e575b288c7ec719cf6e9efdd61baafbd
Instruction ID: b291201323ec067b58ba2c2cf68cac7a3d746993675c17b3abcb428c61c18043
Opcode Fuzzy Hash: 35bebcf9f928722b537939ffd19b7844e575b288c7ec719cf6e9efdd61baafbd
Instruction Fuzzy Hash: AB514C32B18E428DE760DF66E8405ED37B0FBA8768F544172EA4EA3A68DF38D554C700

Function 00007FFE013BD0AC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE013BD194
DName::DName.LIBVCRUNTIME ref: 00007FFE013BD1BC

Part of subcall function 00007FFE013BA634: DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BA6A1

DName::DName.LIBVCRUNTIME ref: 00007FFE013BD1CB
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BD1DA
DName::DName.LIBVCRUNTIME ref: 00007FFE013BD1E9

Strings

`non-type-template-parameter, xrefs: 00007FFE013BD0DF

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: NameName::$Name::doName::operator+Pchar
String ID: `non-type-template-parameter
API String ID: 3026640183-4247534891
Opcode ID: 9437e4a2bc65fd9331940d40897d9c76a7f7037035a9de6aae8135c60e2ad8b3
Instruction ID: 6d9d544bbf69f77e600ae5c4f9dbf24a9b5c037166f7fc281f2deae97fefc274
Opcode Fuzzy Hash: 9437e4a2bc65fd9331940d40897d9c76a7f7037035a9de6aae8135c60e2ad8b3
Instruction Fuzzy Hash: 0A418E32A08A9699E740CB61D9C01BD37A4BB51B88F568031DB4E1BBB5EF3CE9168300

Function 00007FFE133085E0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFE13308653
DName::operator+.LIBVCRUNTIME ref: 00007FFE1330869D

Strings

long , xrefs: 00007FFE1330862D
unsigned , xrefs: 00007FFE1330867E
int , xrefs: 00007FFE13308636
char , xrefs: 00007FFE13308648
short , xrefs: 00007FFE1330863F

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+Name::operator=
String ID: char $int $long $short $unsigned
API String ID: 1492653461-3894466517
Opcode ID: c0b7dbe21b8175da4614ce5a65b82f07a77ab9efeaa9dba654015b5c321106f4
Instruction ID: 1204c8ff38baeb8a8f7c5266f652a13beddd376aa0f2455bbe2c7cc801014bc1
Opcode Fuzzy Hash: c0b7dbe21b8175da4614ce5a65b82f07a77ab9efeaa9dba654015b5c321106f4
Instruction Fuzzy Hash: 2E316372E18E4E8DFB108B29D4443BD37B0A724768F944171CA6C6A6B6CF3CD445C708

Function 00007FFE133048F4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE13301831), ref: 00007FFE13304918
SetLastError.KERNEL32(?,?,?,00007FFE13301831), ref: 00007FFE133049C0

Strings

__based(, xrefs: 00007FFE13304924
FlsGetValue, xrefs: 00007FFE13304937

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: ErrorLast
String ID: FlsGetValue$__based(
API String ID: 1452528299-1499225077
Opcode ID: 667999330e637d529fa0c4ead2f56afba722f0e302c095185809fe3dbf1186dd
Instruction ID: 4b7763501b5c78edeef6cb491c2764a2839394e8cb8d31413cb286acdc52a232
Opcode Fuzzy Hash: 667999330e637d529fa0c4ead2f56afba722f0e302c095185809fe3dbf1186dd
Instruction Fuzzy Hash: 1F212120F0DF0289FA549B63A94417D1291AF68BB0F5446B5D9BD333F5DE3CE5018B58

Function 00007FFE013BCE04 Relevance: 12.2, APIs: 8, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getDataType.LIBVCRUNTIME ref: 00007FFE013BCE35

Part of subcall function 00007FFE013BCD1C: DName::DName.LIBVCRUNTIME ref: 00007FFE013BCD30

UnDecorator::getTemplateName.LIBVCRUNTIME ref: 00007FFE013BCEAA

Part of subcall function 00007FFE013BFB68: UnDecorator::getTemplateArgumentList.LIBVCRUNTIME ref: 00007FFE013BFC6C
Part of subcall function 00007FFE013BFB68: DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BFC95
Part of subcall function 00007FFE013BFB68: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BFCA7
Part of subcall function 00007FFE013BFB68: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BFCB6
Part of subcall function 00007FFE013BFB68: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BFCDD
Part of subcall function 00007FFE013BFB68: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BFCE9

UnDecorator::getScope.LIBVCRUNTIME ref: 00007FFE013BCF21

Part of subcall function 00007FFE013BEBB8: DName::DName.LIBVCRUNTIME ref: 00007FFE013BEC1B
Part of subcall function 00007FFE013BEBB8: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BEC2A
Part of subcall function 00007FFE013BEBB8: DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BEC64
Part of subcall function 00007FFE013BEBB8: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BEC75
Part of subcall function 00007FFE013BEBB8: UnDecorator::getLexicalFrame.LIBVCRUNTIME ref: 00007FFE013BECDE
Part of subcall function 00007FFE013BEBB8: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BEF89

UnDecorator::getScope.LIBVCRUNTIME ref: 00007FFE013BCF6F

Part of subcall function 00007FFE013BEBB8: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BED30
Part of subcall function 00007FFE013BEBB8: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BED41
Part of subcall function 00007FFE013BEBB8: DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BED9F
Part of subcall function 00007FFE013BEBB8: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BEDB2
Part of subcall function 00007FFE013BEBB8: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BEDC2

DName::operator+.LIBVCRUNTIME ref: 00007FFE013BCF90

Part of subcall function 00007FFE013BA9E8: DName::operator+=.LIBCMT ref: 00007FFE013BAA03

DName::operator+.LIBVCRUNTIME ref: 00007FFE013BCF4D

Part of subcall function 00007FFE013BA990: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BA9AB

DName::operator+.LIBVCRUNTIME ref: 00007FFE013BCFA0
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BCFC3

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Name::operator+$Decorator::get$Name::operator+=$NameName::doPchar$Name::ScopeTemplate$ArgumentDataFrameLexicalListType
String ID:
API String ID: 3834373156-0
Opcode ID: 0a18e5a26053d17071ef86c64d2d77fcaa9b6bc53dcfc16718ce00805e0ab38e
Instruction ID: 245390e18cfa49625f610e826da28cddc03cdcf47f38f4fae9e43c80584f6b9a
Opcode Fuzzy Hash: 0a18e5a26053d17071ef86c64d2d77fcaa9b6bc53dcfc16718ce00805e0ab38e
Instruction Fuzzy Hash: 63916A72E0866299FB21CBA0D8807BC37B0BB44798F565035DB4D1BAB9EF7CA845C340

Function 00007FFE13302BFD Relevance: 12.1, APIs: 8, Instructions: 88COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302AED
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302B16
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302B38
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302B4C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302B86
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302BA8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302BBC
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302BF1
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302C24
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302C35
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302C4C
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000000,?,00007FFE13301EE3), ref: 00007FFE13302C60

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$terminate
String ID:
API String ID: 579254285-0
Opcode ID: e3977c0a68af9ce3eb6a72269560602cc14ed44f0c0cc47add408e7440dde568
Instruction ID: eeb4163f60b340fea9183610b902b9b0ee1bad564ca8a68cfb68fce45425ce94
Opcode Fuzzy Hash: e3977c0a68af9ce3eb6a72269560602cc14ed44f0c0cc47add408e7440dde568
Instruction Fuzzy Hash: 7E416E31A09F428AEA24AF52C18423C6750FFA8B65F0148B6CA2D637B1CF3CF4058719

Function 00007FFE13308900 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator=.LIBVCRUNTIME ref: 00007FFE13308962

Part of subcall function 00007FFE13308F68: DName::operator=.LIBVCRUNTIME ref: 00007FFE13308FFD
Part of subcall function 00007FFE13308F68: DName::operator+.LIBVCRUNTIME ref: 00007FFE1330935E
Part of subcall function 00007FFE13308F68: DName::operator+.LIBVCRUNTIME ref: 00007FFE133093A0
Part of subcall function 00007FFE13308F68: DName::operator+=.LIBVCRUNTIME ref: 00007FFE133093AD

DName::operator+.LIBVCRUNTIME ref: 00007FFE13308B4C

Strings

std::nullptr_t , xrefs: 00007FFE13308A4D
volatile, xrefs: 00007FFE13308957, 00007FFE13308A96
std::nullptr_t, xrefs: 00007FFE13308A6C

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+$Name::operator=$Name::operator+=
String ID: std::nullptr_t$std::nullptr_t $volatile
API String ID: 3335366782-294867888
Opcode ID: 010d4b62d375ba577e931595fce58cfe727f9f4233cb7cc30c07a584e04d8d6a
Instruction ID: 6ae90f5c435555eeda6851a1ad5f0f7267c39b1a616baddbbcb53f7518e57693
Opcode Fuzzy Hash: 010d4b62d375ba577e931595fce58cfe727f9f4233cb7cc30c07a584e04d8d6a
Instruction Fuzzy Hash: DE614EB2A09E128CFB14DF6698500BD7B64FB24BA4B4445B6DA6D67B76CF3CE150C308

Function 00007FFE013BD470 Relevance: 10.6, APIs: 7, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BD528
DName::DName.LIBVCRUNTIME ref: 00007FFE013BD533
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BD543
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BD560
DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BD629

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Name::doName::operator+Pchar$NameName::
String ID:
API String ID: 2855847547-0
Opcode ID: 66bec9f24421dfbb8cab4e91a47ebe9cacb65c8cd85f5c7411ffbc5a3a6c849d
Instruction ID: bc3df60cb3d9680598fc22c153bfe8ce3f0e21876a3f65a2eb334879c7bb8e54
Opcode Fuzzy Hash: 66bec9f24421dfbb8cab4e91a47ebe9cacb65c8cd85f5c7411ffbc5a3a6c849d
Instruction Fuzzy Hash: 55616B72A08B6699E710CF64E8802AC3BB5EB44B9CF958036DA4D1B7B9EF7DD441C300

Function 00007FFE133066F4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE133067E8
DName::DName.LIBVCRUNTIME ref: 00007FFE13306810
DName::operator+.LIBVCRUNTIME ref: 00007FFE13306836
DName::DName.LIBVCRUNTIME ref: 00007FFE13306845

Strings

`non-type-template-parameter, xrefs: 00007FFE1330672B

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: NameName::$Name::operator+
String ID: `non-type-template-parameter
API String ID: 826178784-4247534891
Opcode ID: 27f7340d07b8a53ae54682156064714a75510f143d49d5ded7006f5a180fbb92
Instruction ID: 04b52d558cea925d79ee3f3d8018cafaf4b3cbcc24df5dd28363977753fbd7ef
Opcode Fuzzy Hash: 27f7340d07b8a53ae54682156064714a75510f143d49d5ded7006f5a180fbb92
Instruction Fuzzy Hash: 07419172A08F9689FB00CF26D5901BC37A5FB24BB0B6040B5DA6D77BA9CF38E4559304

Function 00007FFE13276DE0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 84COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FFE13276E3A
setsockopt.WS2_32 ref: 00007FFE13276F2B

Strings

iiO!I:setsockopt, xrefs: 00007FFE13276E78
iiy*:setsockopt, xrefs: 00007FFE13276EC5
socket option is larger than %i bytes, xrefs: 00007FFE13276EF5
iii:setsockopt, xrefs: 00007FFE13276E09

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: setsockopt
String ID: iiO!I:setsockopt$iii:setsockopt$iiy*:setsockopt$socket option is larger than %i bytes
API String ID: 3981526788-1608436615
Opcode ID: 93fb85785a50827721e562a3685a17cbd384e858c3abe8704143fb68ac91661e
Instruction ID: e51eed9a3c671664a4d61a99826638f761e4af69b70eb0379d86b042d4173848
Opcode Fuzzy Hash: 93fb85785a50827721e562a3685a17cbd384e858c3abe8704143fb68ac91661e
Instruction Fuzzy Hash: 7F410D32608F868ADB209F22E4447AA7370FBE8BA4F504272DA9D53764DF3DD509C740

Function 00007FFE133044B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82stringCOMMON

Download Yara Rule

APIs

_malloc_base.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE13304542
strcpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE13304577
InterlockedPushEntrySList.KERNEL32 ref: 00007FFE13304594
_free_base.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE133045A0
_free_base.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE133045A9

Strings

, xrefs: 00007FFE13304528

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: _free_base$EntryInterlockedListPush_malloc_basestrcpy_s
String ID:
API String ID: 3559411272-3916222277
Opcode ID: 674afff8a306edbd1bdf95ce54468db4187de9c58b16d10f99e37dc01cd62d32
Instruction ID: 6d85df2f38b01bc213f21182dca4c1e6d467ddf6c3ccfd35d3dd49a05ff6950e
Opcode Fuzzy Hash: 674afff8a306edbd1bdf95ce54468db4187de9c58b16d10f99e37dc01cd62d32
Instruction Fuzzy Hash: C731D022719F4589EB05CF66A80856D63A0FB18FF4B484674DE7D633A0EE3CE946C704

Function 00007FFE01386448 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01388B96,?,?,?,00007FFE013CD813,?,?,?,00007FFE013C7AE1), ref: 00007FFE013864B2

Strings

api-ms-, xrefs: 00007FFE013C7FA0
ext-ms-, xrefs: 00007FFE013C7FB3

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: LibraryLoad
String ID: api-ms-$ext-ms-
API String ID: 1029625771-537541572
Opcode ID: e56abf4f5901805250e51f2b17b391fbea24d086396af2ae22ca12f96b6131e8
Instruction ID: dd3b5d706f4807a5f2211b34caa2f23064a29e58bbb5305b71ca831ea7dcfc0f
Opcode Fuzzy Hash: e56abf4f5901805250e51f2b17b391fbea24d086396af2ae22ca12f96b6131e8
Instruction Fuzzy Hash: 6C218B21B1AB8285EF259B1A985017C32A5BF49BA4F5A0635DE2E5F7F1DF3CE0098740

Function 00007FFE13308B6C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBVCRUNTIME ref: 00007FFE13308B93

Part of subcall function 00007FFE13308C80: Replicator::operator[].LIBVCRUNTIME ref: 00007FFE13308CFE
Part of subcall function 00007FFE13308C80: DName::operator+=.LIBVCRUNTIME ref: 00007FFE13308D09

Strings

,<ellipsis>, xrefs: 00007FFE13308BC9
<ellipsis>, xrefs: 00007FFE13308C26
,..., xrefs: 00007FFE13308BEE
void, xrefs: 00007FFE13308C59
..., xrefs: 00007FFE13308C49

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: ArgumentDecorator::getListName::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 98997111-2211150622
Opcode ID: 7b61e257d67e4074b012ee781fd519160f23a95b3b10d6e0f956f18611d2db91
Instruction ID: 7d53d090e4a01d4eb9e53bfbdd6fb5a76e8b190f21ecc3bd0e994c76092fe5ff
Opcode Fuzzy Hash: 7b61e257d67e4074b012ee781fd519160f23a95b3b10d6e0f956f18611d2db91
Instruction Fuzzy Hash: A1316BA2909F8A8EFB118B16E84036D77F0EB24765F9481B5D55D6A372CF3CE445C708

Function 00007FFE013BBF3C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE013BBF61

Part of subcall function 00007FFE013BF030: UnDecorator::getScope.LIBVCRUNTIME ref: 00007FFE013BF075
Part of subcall function 00007FFE013BF030: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BF089
Part of subcall function 00007FFE013BF030: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BF099

DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BBFAD

Part of subcall function 00007FFE013BAA40: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BAA5B

DName::operator+=.LIBCMT ref: 00007FFE013BBFE2

Part of subcall function 00007FFE013BAB04: DName::operator=.LIBVCRUNTIME ref: 00007FFE013BAB2F

Strings

void, xrefs: 00007FFE013BBFB4

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Name::operator+=$Name::operator+$Decorator::getNameName::Name::operator=Scope
String ID: void
API String ID: 3122822510-3531332078
Opcode ID: e60bfcba61d4e27f84fc130301ff8f00a6e4c99a935fd141718b71362ba95a11
Instruction ID: 147d8da2bb62965ee1fc254d7e68e4fca7e653a9e887a97261e372ddc5f1bb4e
Opcode Fuzzy Hash: e60bfcba61d4e27f84fc130301ff8f00a6e4c99a935fd141718b71362ba95a11
Instruction Fuzzy Hash: BE21847291C98395EB20CB24D8D0179B3A1FF94788F558032E68D8F2B9FE6DE549CB01

Function 00007FFE13277D48 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FFE13277DC2
getservbyport.WS2_32 ref: 00007FFE13277DD0

Strings

i|s:getservbyport, xrefs: 00007FFE13277D58
getservbyport: port must be 0-65535., xrefs: 00007FFE13277E21
port/proto not found, xrefs: 00007FFE13277DF3
socket.getservbyport, xrefs: 00007FFE13277D95

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: getservbyporthtons
String ID: getservbyport: port must be 0-65535.$i|s:getservbyport$port/proto not found$socket.getservbyport
API String ID: 3477891686-2618607128
Opcode ID: dc0349f3359b55ac83e25c3837a107be034ff85053e3974c30154b6231f7094c
Instruction ID: e78559598eda4f6098dd4eb6bfe405c1e68f0f284dff22a7172b4b1f0f8c09e5
Opcode Fuzzy Hash: dc0349f3359b55ac83e25c3837a107be034ff85053e3974c30154b6231f7094c
Instruction Fuzzy Hash: 6C211631B18E428AEA00AB1BE8542792370FFF9BA4F5000B5DA4E67674DF3DE408C740

Function 00007FF60F1A70FC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF60F1A712D
GetLastError.KERNEL32 ref: 00007FF60F1A7139
CloseHandle.KERNEL32 ref: 00007FF60F1A7151
CreateFileW.KERNEL32 ref: 00007FF60F1A717C
WriteConsoleW.KERNEL32 ref: 00007FF60F1A719B

Strings

CONOUT$, xrefs: 00007FF60F1A715D

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 2b1705eb60c5a9ea67d3abf5815f39d96026ea1e9a70ddd12955119ba33cdf2b
Instruction ID: 70de6ad0b09347a84b926f752badb5f0623c1975da3e785d8671f8dd350fed92
Opcode Fuzzy Hash: 2b1705eb60c5a9ea67d3abf5815f39d96026ea1e9a70ddd12955119ba33cdf2b
Instruction Fuzzy Hash: 15114932A1CA42C6E7508B52B95432973E4FB88BE4F244274EA5EC7794DF7CD9188740

Function 00007FFE13301A40 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301A68
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301A79
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301A90

Part of subcall function 00007FFE133049E0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE13301A64), ref: 00007FFE133049EE

Strings

RCC, xrefs: 00007FFE13301A47
csm, xrefs: 00007FFE13301A57
MOC, xrefs: 00007FFE13301A4F

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$terminate
String ID: MOC$RCC$csm
API String ID: 579254285-2671469338
Opcode ID: 9c7a60497b8c52de3189ad328f62a3a7d4098e3573e82cc593336359ea62de81
Instruction ID: f0dd9817570429e75c9c13b51d9ccbea00eaf6793e9c89572017417d27104fc8
Opcode Fuzzy Hash: 9c7a60497b8c52de3189ad328f62a3a7d4098e3573e82cc593336359ea62de81
Instruction Fuzzy Hash: 78F01239E18E06CEE6585B53D04523C32A4AFB8B36F4158B5C52C32371CF7C69448A56

Function 00007FFE133028B0 Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE133028E6
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302919
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302958
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE13302979
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE1330299C
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000066,?,00007FFE1330252A), ref: 00007FFE133029BA

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: e4ab483f4ef964f3aee83e99fc27c46ba6218ad878813aa3894a822b79d211fd
Instruction ID: 968ae335f8b9ec379a2108405be2ac36a32b4c2e65abba01edb69f0a70fc8b62
Opcode Fuzzy Hash: e4ab483f4ef964f3aee83e99fc27c46ba6218ad878813aa3894a822b79d211fd
Instruction Fuzzy Hash: D2516321E09F8689EB699B5A815037C2790AF74B64F0944B5CF6D727F5DF2CE825C308

Function 00007FFE13277164 Relevance: 9.1, APIs: 6, Instructions: 59networkCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FFE1327719C
WSADuplicateSocketW.WS2_32 ref: 00007FFE132771AC
WSASocketW.WS2_32 ref: 00007FFE132771DF
SetHandleInformation.KERNEL32 ref: 00007FFE132771F8
closesocket.WS2_32 ref: 00007FFE13277205
closesocket.WS2_32 ref: 00007FFE13277230

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: Socketclosesocket$CurrentDuplicateHandleInformationProcess
String ID:
API String ID: 174288908-0
Opcode ID: 7138de7cf666f99256a31e383e740153c07012349ca9b434e65bdb1dca4ef917
Instruction ID: 6920d4110703c6366e21ad025c92de7665f4673b38e2e342cbe646ddbcfa810b
Opcode Fuzzy Hash: 7138de7cf666f99256a31e383e740153c07012349ca9b434e65bdb1dca4ef917
Instruction Fuzzy Hash: B5213320B19F4289EA647B26A81837923A0BFF4BB4F040675D82E567F4EE3CE405C600

Function 00007FFE01397AD0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 298libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE01397B72
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE01397BBC
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE013D14AE
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE013D14C4

Strings

FlsGetValue, xrefs: 00007FFE013D14BA

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressProcValue
String ID: FlsGetValue
API String ID: 3663398396-662576866
Opcode ID: e4e2c4a3587466353b3ac0c7ecf3fb8968e7bc6575260a077602a664fb9ff940
Instruction ID: d30b24eee17f387e1eb689a444e32c7006fbdca2292190a2c14f5bf845e4d85e
Opcode Fuzzy Hash: e4e2c4a3587466353b3ac0c7ecf3fb8968e7bc6575260a077602a664fb9ff940
Instruction Fuzzy Hash: B4B1F261B2DA8282FF649B26A9042BA7391AF44FD4F494531CD4E1FBF9DE3CE4418A04

Function 00007FFE148E26F8 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 200networkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FFE148E2894
select.WS2_32 ref: 00007FFE148E2913
WSAGetLastError.WS2_32 ref: 00007FFE148E2936

Part of subcall function 00007FFE148E2B9C: __WSAFDIsSet.WS2_32 ref: 00007FFE148E2BC2
Part of subcall function 00007FFE148E2B9C: 00007FFDFB4A4480.PYTHON38 ref: 00007FFE148E2BE3
Part of subcall function 00007FFE148E2B9C: __WSAFDIsSet.WS2_32 ref: 00007FFE148E2C0F

Strings

timeout must be non-negative, xrefs: 00007FFE148E27AE
timeout must be a float or None, xrefs: 00007FFE148E277D

Memory Dump Source

Source File: 00000002.00000002.1692491940.00007FFE148E1000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000002.00000002.1692469000.00007FFE148E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1692491940.00007FFE148E9000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1692543814.00007FFE148EA000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000002.00000002.1692562185.00007FFE148EC000.00000004.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe148e0000_run0796.jbxd

Similarity

API ID: select$00007A4480ErrorLast
String ID: timeout must be a float or None$timeout must be non-negative
API String ID: 2628283105-2150404077
Opcode ID: 99788f7e8e2d398d85ae76ba03251bf1ec8ee263d0e9fc0492a963463265e440
Instruction ID: 7658aad8c76bcace59346eed0fcf9cde222533a39cd92edb9b7d17b4762e4774
Opcode Fuzzy Hash: 99788f7e8e2d398d85ae76ba03251bf1ec8ee263d0e9fc0492a963463265e440
Instruction Fuzzy Hash: 46913431A08E8399EA219F26EC845B9A360FF46BA4F405175FA0D667B8DF3DD94DC700

Function 00007FFE013ACD30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE013ACD93
_set_statfp.LIBCMT ref: 00007FFE013ACDB7

Strings

cosh, xrefs: 00007FFE013ACDF6
", xrefs: 00007FFE013ACE14

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID: "$cosh
API String ID: 1156100317-3800341493
Opcode ID: a61dca7f21404ff4a322655326c6205bac334bf09e04c26996710cdf75f9daf9
Instruction ID: c38e16b1c4a17565beb1e1ba57a59b55e1d8fcfd621e1d71e43880a00223e1db
Opcode Fuzzy Hash: a61dca7f21404ff4a322655326c6205bac334bf09e04c26996710cdf75f9daf9
Instruction Fuzzy Hash: 66816331E28F8589D7638B34A4513B67369EF6A3D5F519333E58E39A71DF2CA1838600

Function 00007FFE0138CA40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE0138CA98
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE0138CAE2
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00007FFE013CA0F5
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE013CA10B

Strings

FlsGetValue, xrefs: 00007FFE013CA101

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressProcValue
String ID: FlsGetValue
API String ID: 3663398396-662576866
Opcode ID: 5b2a71626349c6b70572ce110cfdab6c0d8cc8c81acfd89e7d87e2c3e480110e
Instruction ID: fedf732ced3428dca87d224243aadd8db9aaced1027e3aa0f6e60320e12ca69f
Opcode Fuzzy Hash: 5b2a71626349c6b70572ce110cfdab6c0d8cc8c81acfd89e7d87e2c3e480110e
Instruction Fuzzy Hash: 3A51D021F0CB5282FB559B25A9002B9A3A0AF48BE4F495635ED5D5F7F4EE3CE8458300

Function 00007FFE013AD1D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE013AD238
_set_statfp.LIBCMT ref: 00007FFE013AD265

Strings

coshf, xrefs: 00007FFE013AD29B
", xrefs: 00007FFE013AD2BC

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID: "$coshf
API String ID: 1156100317-3152456168
Opcode ID: 2cbd73d72d1f212f0e840ead1081993e713157aeb2b29627e0262b9120ec3630
Instruction ID: cd4984cf16f067e62bd8c8f5c204424fe85ee6266418b494a280d9010e02728c
Opcode Fuzzy Hash: 2cbd73d72d1f212f0e840ead1081993e713157aeb2b29627e0262b9120ec3630
Instruction Fuzzy Hash: 4C51A131C2CF458AEB639B31A451265A76AEF567D0F518332E54E3AA75EF2CF0C28600

Function 00007FFE013BA7C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE013BA818

Part of subcall function 00007FFE013BA54C: DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BA57E

DName::operator+.LIBVCRUNTIME ref: 00007FFE013BA827

Part of subcall function 00007FFE013BA990: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BA9AB

UnDecorator::getTemplateName.LIBVCRUNTIME ref: 00007FFE013BA840

Part of subcall function 00007FFE013BCE04: UnDecorator::getDataType.LIBVCRUNTIME ref: 00007FFE013BCE35

DName::operator=.LIBVCRUNTIME ref: 00007FFE013BA8D1

Strings

CV: , xrefs: 00007FFE013BA80A

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Decorator::getName$DataName::Name::doName::operator+Name::operator+=Name::operator=PcharTemplateType
String ID: CV:
API String ID: 4239920947-3725821052
Opcode ID: b67cc8e34b0b0c8e487b6fb24c22fd5d7a6ed5cd9cebb98c98375a7178b170ab
Instruction ID: b963aa6610f1dc6861d296812e75a4bd3d636024a57feb4c3dda8f721ca4b689
Opcode Fuzzy Hash: b67cc8e34b0b0c8e487b6fb24c22fd5d7a6ed5cd9cebb98c98375a7178b170ab
Instruction Fuzzy Hash: 53518366E0CA4789FB518B25D8902B83BB1AF45B98F554035CA5E4FBF4EF7DA841D300

Function 00007FFE0138D980 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00007FFE0138D961), ref: 00007FFE0138D9A6
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00007FFE0138D961), ref: 00007FFE0138D9ED

Part of subcall function 00007FFE0138DB30: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FFE0138DA20,?,?,?,?,?,?,00007FFE0138D961), ref: 00007FFE0138DB5C
Part of subcall function 00007FFE0138DB30: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00000000,00007FFE0138DA20,?,?,?,?,?,?,00007FFE0138D961), ref: 00007FFE0138DB78

TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,?,00007FFE0138D961), ref: 00007FFE013CA599
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,00007FFE0138D961), ref: 00007FFE013CA5AF

Strings

FlsGetValue, xrefs: 00007FFE013CA5A5

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: CriticalErrorLastSection$AddressEnterLeaveProcValue
String ID: FlsGetValue
API String ID: 2861905401-662576866
Opcode ID: f072d435864527a4893847b6c262340e0ee2098a041a37e02d37a97d201ce830
Instruction ID: f13a61317bdcf4b7fa7dc8f74b8709e423aebd580a05c86cb8b55d366c7a48d6
Opcode Fuzzy Hash: f072d435864527a4893847b6c262340e0ee2098a041a37e02d37a97d201ce830
Instruction Fuzzy Hash: 37316261B09B0286FB149B68E85017973A1AF883A4F558236E96D4B7F4EF3CE845C700

Function 00007FFE132750A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 00007FFE132750D9
WSAGetLastError.WS2_32 ref: 00007FFE132750F2
WSAGetLastError.WS2_32 ref: 00007FFE132750FE
WSASetLastError.WS2_32 ref: 00007FFE13275148

Part of subcall function 00007FFE132759C0: WSAGetLastError.WS2_32 ref: 00007FFE13275A5D
Part of subcall function 00007FFE132759C0: WSAGetLastError.WS2_32 ref: 00007FFE13275A65

Strings

3', xrefs: 00007FFE1327512C

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: ErrorLast$connect
String ID: 3'
API String ID: 375857812-280543908
Opcode ID: 9d0792441fc5044678e91fe98d31e73feb8c4f451fbd58069c187c194a03edea
Instruction ID: 63fd1bc27d7ee6e48ebec25e23c8ca1e2bb7c1a6f49a1f24241510bba325f7b7
Opcode Fuzzy Hash: 9d0792441fc5044678e91fe98d31e73feb8c4f451fbd58069c187c194a03edea
Instruction Fuzzy Hash: A9314331B08F82CAFB50AF27A854579A291BFF4BB5F240175E94EA27B4DE3CE441C640

Function 00007FFE13302E92 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302EA4
RaiseException.KERNEL32 ref: 00007FFE13302EEB
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302F58
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13302F75

Strings

csm, xrefs: 00007FFE13302F1C

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$ExceptionRaise
String ID: csm
API String ID: 3453572468-1018135373
Opcode ID: a0f470496b3338efbe37c9d345d780ede6fcb3b70bc9e3d0c544a15374437034
Instruction ID: 964d900278fdde25913eed65855eb493113fb48ca38ebac81b612f2420fed5f8
Opcode Fuzzy Hash: a0f470496b3338efbe37c9d345d780ede6fcb3b70bc9e3d0c544a15374437034
Instruction Fuzzy Hash: 20316436608A418AE7249F12D44026D7760FBA8BB4F140271DE6D637B5CF3CE441C705

Function 00007FFE1327765C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 73COMMON

Download Yara Rule

Strings

socket.gethostbyaddr, xrefs: 00007FFE132776B1
idna, xrefs: 00007FFE13277686
unsupported address family, xrefs: 00007FFE1327770C
et:gethostbyaddr, xrefs: 00007FFE1327768D

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID:
String ID: et:gethostbyaddr$idna$socket.gethostbyaddr$unsupported address family
API String ID: 0-1751716127
Opcode ID: 974771ad23af20d920d272cf528bd418683bbb1b06c52bc06fd23ce16be65df9
Instruction ID: 9b7cf22e5ffa1909f7e94700cebdd909b494ef3a0634c327916971053eda49c6
Opcode Fuzzy Hash: 974771ad23af20d920d272cf528bd418683bbb1b06c52bc06fd23ce16be65df9
Instruction Fuzzy Hash: 05311E22B08E8689EB60AB1BE8543BA6360FBF5BD4F444072DA4E67664DE3CE504C740

Function 00007FFE01387250 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE01387232,?,?,?,00007FFE01383D4A,?,?,?,?,?,00007FFE01381395), ref: 00007FFE01387264
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE01387232,?,?,?,00007FFE01383D4A,?,?,?,?,?,00007FFE01381395), ref: 00007FFE013872A7
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01387232,?,?,?,00007FFE01383D4A,?,?,?,?,?,00007FFE01381395), ref: 00007FFE013872F1
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE01387232,?,?,?,00007FFE01383D4A,?,?,?,?,?,00007FFE01381395), ref: 00007FFE013C80E7

Strings

FlsGetValue, xrefs: 00007FFE013872E7

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressProcValue
String ID: FlsGetValue
API String ID: 3663398396-662576866
Opcode ID: 8c4cfa7bd90da7381d7e2cad420cf7ae98564061bc231c65ce60d6c65de917a8
Instruction ID: e9bd7715c97e6c3559eb5183fcbd431ec983b98ac956b23178d581052c2a6cc5
Opcode Fuzzy Hash: 8c4cfa7bd90da7381d7e2cad420cf7ae98564061bc231c65ce60d6c65de917a8
Instruction Fuzzy Hash: BE217F61F19B0286FF049B29E95017963A2AF487E4F598735E92D4F7F8EE3CE8458301

Function 00007FFE01398DD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013CA666,?,?,00000000,00007FFE013CD82A,?,?,?,00007FFE013C7AE1), ref: 00007FFE01398DE4
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013CA666,?,?,00000000,00007FFE013CD82A,?,?,?,00007FFE013C7AE1), ref: 00007FFE01398E2B
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE013CA666,?,?,00000000,00007FFE013CD82A,?,?,?,00007FFE013C7AE1), ref: 00007FFE013C612F
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE013CA666,?,?,00000000,00007FFE013CD82A,?,?,?,00007FFE013C7AE1), ref: 00007FFE013C6145

Strings

FlsGetValue, xrefs: 00007FFE013C613B

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressProcValue
String ID: FlsGetValue
API String ID: 3663398396-662576866
Opcode ID: ce4f6164693054ca30ee57a630227fe5c0f775dd423d8a7d6c6f1b647305ae80
Instruction ID: 831654214dea6a3d2707dec0e343c95a362fc535064c29a594a24265f1a681c1
Opcode Fuzzy Hash: ce4f6164693054ca30ee57a630227fe5c0f775dd423d8a7d6c6f1b647305ae80
Instruction Fuzzy Hash: 27214DA1F19B0286FB049B25E95017963A2AF887A4F594335D92E5F7F4EE3CE8458301

Function 00007FFE13275428 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

iy#, xrefs: 00007FFE1327546D
OiII, xrefs: 00007FFE132754B7

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID:
String ID: OiII$iy#
API String ID: 0-3267959945
Opcode ID: 6ecd11499d5d71d6cb424291d44840528deedcdec41fed1fd353bc168884c5bb
Instruction ID: d87e3bd8bdbbaf329f0aaaee40dde1606353a181db2b17af0ed98674502bc002
Opcode Fuzzy Hash: 6ecd11499d5d71d6cb424291d44840528deedcdec41fed1fd353bc168884c5bb
Instruction Fuzzy Hash: 36212161B08E92CAEA246F27A554079A361BFF8BE1B5440B5CA4D67BB1EF2CE451C700

Function 00007FFE13304830 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00007FFE13304871
TlsFree.KERNEL32 ref: 00007FFE133048D6

Strings

__based(, xrefs: 00007FFE1330483A, 00007FFE133048A1
FlsAlloc, xrefs: 00007FFE1330484A
FlsFree, xrefs: 00007FFE133048AF

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: AllocFree
String ID: FlsAlloc$FlsFree$__based(
API String ID: 265982327-1814498500
Opcode ID: 54e4ea7337ee46c35fd7b6825b034efbdce11ec9159bc44db4f3c68ed160b025
Instruction ID: de4dd3b76b0432ee29592d5337d13f8cc6831327d5482d679b18f7cc72321cd3
Opcode Fuzzy Hash: 54e4ea7337ee46c35fd7b6825b034efbdce11ec9159bc44db4f3c68ed160b025
Instruction Fuzzy Hash: 76114D20E0DE4799FA549B23A8850BC2391AF34775B4009B5D57E362F1DF3CE6058B1C

Function 00007FFE13277C80 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 44networkCOMMON

Download Yara Rule

APIs

getservbyname.WS2_32 ref: 00007FFE13277CEE
htons.WS2_32 ref: 00007FFE13277D31

Strings

socket.getservbyname, xrefs: 00007FFE13277CC0
s|s:getservbyname, xrefs: 00007FFE13277C90
service/proto not found, xrefs: 00007FFE13277D11

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: getservbynamehtons
String ID: service/proto not found$socket.getservbyname$s|s:getservbyname
API String ID: 3889749166-1257235949
Opcode ID: 4fcc85b13632f52815bd33602d30490cef968fee825d94501babe309e3752164
Instruction ID: 2d21091dbc0bb257bd58a1a591e8f5bab637e0a40f9cad1b668d9171e7382787
Opcode Fuzzy Hash: 4fcc85b13632f52815bd33602d30490cef968fee825d94501babe309e3752164
Instruction Fuzzy Hash: F811FC71A08E4289EA04AB27E8542796370FBF5BA5F501075DA8D67674DF3CE445C700

Function 00007FFE013C3644 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FFE013C3669
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013C3675

Part of subcall function 00007FFE0141A470: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0 ref: 00007FFE0141A481

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE013C36A7
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00007FFE013C36C8

Strings

CONOUT$, xrefs: 00007FFE013C3693

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: c04be7df5962b4ca2a526bf3f45f432c3903d0931af474cd28b0175bc7d5c165
Instruction ID: 86bbf4d307ef8c2436c2a523ee89d2f88ab9a8731d2055b06fe6a8cca96cb020
Opcode Fuzzy Hash: c04be7df5962b4ca2a526bf3f45f432c3903d0931af474cd28b0175bc7d5c165
Instruction Fuzzy Hash: 7D116972A18A4287EB508F56E4443A973B0FB88BD8F144135DA8D4B778CF3CD865CB01

Function 00007FFE13275528 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 38networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FFE1327554B
00007FFDFB5BC3F0.PYTHON38 ref: 00007FFE132755B0

Strings

WSAStartup failed: error code %d, xrefs: 00007FFE13275570
WSAStartup failed: network not ready, xrefs: 00007FFE13275585
WSAStartup failed: requested version not supported, xrefs: 00007FFE1327558E

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: 00007Startup
String ID: WSAStartup failed: error code %d$WSAStartup failed: network not ready$WSAStartup failed: requested version not supported
API String ID: 939726317-2179513580
Opcode ID: 10e81ce022be9c6644ba46257e410a3f9e6120ba4fc22d17ee6881ad74e80977
Instruction ID: 549c4cbe5c523e520eee7412167d2be9a954b2d8efd853ea2186a3aeb4662bba
Opcode Fuzzy Hash: 10e81ce022be9c6644ba46257e410a3f9e6120ba4fc22d17ee6881ad74e80977
Instruction Fuzzy Hash: 7F11F175B08E82CDF660A716D8652B463A1FBF97A5F5040B1D40D66674DE6DE448C300

Function 00007FFE013856E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE01385700
FreeLibrary.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE0138571E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE013C7B1C

Strings

CorExitProcess, xrefs: 00007FFE013C7B15
mscoree.dll, xrefs: 00007FFE013856F7

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 38f1c9a3e5da8ec76cca111081b417a6c2648a2653dbba2a19f639492ce0a011
Instruction ID: 78377c0010b752baac92341c7210f9ddea2c50e70f4ae1e24581ad0da6496722
Opcode Fuzzy Hash: 38f1c9a3e5da8ec76cca111081b417a6c2648a2653dbba2a19f639492ce0a011
Instruction Fuzzy Hash: 86F0DA61B2E642C2FF585B10E89437D2364AF98791F455435E94F4E5B4DF2CE5888700

Function 00007FFE0138A880 Relevance: 7.8, APIs: 5, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5363838be8a4ec3bfbd5de901e861b574f4757e8892c8627142229e74fca17
Instruction ID: 5ea61543ee740b227efe834722116617dbbea30f2813ff395189a93212520674
Opcode Fuzzy Hash: 2c5363838be8a4ec3bfbd5de901e861b574f4757e8892c8627142229e74fca17
Instruction Fuzzy Hash: 41D1AF32B0C7828AFB619B6491402BD76B1EF54BE8F064232DE9D5BBE5DE3CD5418310

Function 00007FFE13309C84 Relevance: 7.6, APIs: 5, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBVCRUNTIME ref: 00007FFE13309D47
DName::operator+.LIBVCRUNTIME ref: 00007FFE13309D57
DName::operator+.LIBVCRUNTIME ref: 00007FFE13309D74

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID:
API String ID: 168861036-0
Opcode ID: 05f6c9b8cef8aaff6f7b8e4e38ae0c77bd3df8e4f84dc53290f47b7289bc6966
Instruction ID: 4298a15eecdf8ed58300a99d46a2a30e2726fd8c4528d18237fca876f38e45d0
Opcode Fuzzy Hash: 05f6c9b8cef8aaff6f7b8e4e38ae0c77bd3df8e4f84dc53290f47b7289bc6966
Instruction Fuzzy Hash: 6F614B72A08E558CE711CF26E8805AD3775FB68B94F9480B5EA6D63B76DF38D841C304

Function 00007FFE13277F9C Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

GetIfTable2Ex.IPHLPAPI ref: 00007FFE13277FDD
ConvertInterfaceLuidToNameW.IPHLPAPI ref: 00007FFE13278050
FreeMibTable.IPHLPAPI ref: 00007FFE132780BC
FreeMibTable.IPHLPAPI ref: 00007FFE13278110
FreeMibTable.IPHLPAPI ref: 00007FFE1327812E

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: FreeTable$ConvertInterfaceLuidNameTable2
String ID:
API String ID: 1671601251-0
Opcode ID: 7b6afd35a454c464795ed6a9c2513b32d1fd9e66ea611b4ee14a2fd8ce1d6cda
Instruction ID: a00e81bb562c2954c3ff9027b5c45714e4f7ee0ba51388a7ab3749b26249fec8
Opcode Fuzzy Hash: 7b6afd35a454c464795ed6a9c2513b32d1fd9e66ea611b4ee14a2fd8ce1d6cda
Instruction Fuzzy Hash: F7413031F1CF4289EA64AB23A81527963A0FFF5BA5F040071D94EA76B4DF2CE405CB41

Function 00007FFE13303340 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE133024AF), ref: 00007FFE13303452

Part of subcall function 00007FFE133048F4: GetLastError.KERNEL32(?,?,?,00007FFE13301831), ref: 00007FFE13304918
Part of subcall function 00007FFE133048F4: SetLastError.KERNEL32(?,?,?,00007FFE13301831), ref: 00007FFE133049C0

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE133024AF), ref: 00007FFE1330343D
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE133024AF), ref: 00007FFE13303444
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE133024AF), ref: 00007FFE1330344B
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE133024AF), ref: 00007FFE13303459

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$ErrorLast$terminate
String ID:
API String ID: 3823219622-0
Opcode ID: 20405dfbf244a3566e5a1d9f09ca0e0238db28aba3bd7d0cc38adc7fa1fba175
Instruction ID: 430c1a05858e75aa558db39fe470bf53efdef4d47469be6c4ec120fc97d090d2
Opcode Fuzzy Hash: 20405dfbf244a3566e5a1d9f09ca0e0238db28aba3bd7d0cc38adc7fa1fba175
Instruction Fuzzy Hash: 84319032A08F82C9EA15DB57D4801BE6764FF64FB5B0548B2DE2D27761DE38E481C344

Function 00007FFE013BF030 Relevance: 7.6, APIs: 5, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getScope.LIBVCRUNTIME ref: 00007FFE013BF075

Part of subcall function 00007FFE013BEBB8: DName::DName.LIBVCRUNTIME ref: 00007FFE013BEC1B
Part of subcall function 00007FFE013BEBB8: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BEC2A
Part of subcall function 00007FFE013BEBB8: DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BEC64
Part of subcall function 00007FFE013BEBB8: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BEC75
Part of subcall function 00007FFE013BEBB8: UnDecorator::getLexicalFrame.LIBVCRUNTIME ref: 00007FFE013BECDE
Part of subcall function 00007FFE013BEBB8: DName::operator+.LIBVCRUNTIME ref: 00007FFE013BEF89

DName::operator+.LIBVCRUNTIME ref: 00007FFE013BF108
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BF099

Part of subcall function 00007FFE013BA990: DName::operator+=.LIBVCRUNTIME ref: 00007FFE013BA9AB

DName::operator+.LIBVCRUNTIME ref: 00007FFE013BF089

Part of subcall function 00007FFE013BA9E8: DName::operator+=.LIBCMT ref: 00007FFE013BAA03

DName::operator+.LIBVCRUNTIME ref: 00007FFE013BF118

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Name::operator+$Decorator::getName::operator+=$FrameLexicalNameName::Name::doPcharScope
String ID:
API String ID: 1546031984-0
Opcode ID: a41a32a73ef280f1c0eb226252b6108ad4bbb78884f5fa41fe49f468b2489355
Instruction ID: bddfcdd28fdf4e1bb13fb0b3773c349b69281a14adcaec312eb66d97f01f2f4f
Opcode Fuzzy Hash: a41a32a73ef280f1c0eb226252b6108ad4bbb78884f5fa41fe49f468b2489355
Instruction Fuzzy Hash: A3318E73908B869AEB118F24D8803A977A5EB85B88F59D035D78D0B3B6EF7CD444C710

Function 00007FFE013ADFCC Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE013ADFF4
_set_statfp.LIBCMT ref: 00007FFE013AE00F
_set_statfp.LIBCMT ref: 00007FFE013AE02B
_set_statfp.LIBCMT ref: 00007FFE013AE067

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: dc6e3670485b0d4430f46cbfa2b7112dabbfdd72c5e42d9f16c55895acb062e8
Instruction ID: e9304f8ec7ccd1beb4f353171cff710b347f09888762ad4b0d3bd934f6527273
Opcode Fuzzy Hash: dc6e3670485b0d4430f46cbfa2b7112dabbfdd72c5e42d9f16c55895acb062e8
Instruction Fuzzy Hash: 0011E562E9CA0309F764652AE48637A1141AF58370FCB4B34EA7E4E6FB9F7CA8414214

Function 00007FF60F19A864 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F), ref: 00007FF60F19A875
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F), ref: 00007FF60F19A894
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F), ref: 00007FF60F19A8BC
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F), ref: 00007FF60F19A8CD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF60F1A24C3,?,?,?,00007FF60F19CCFC,?,?,00000000,00007FF60F19387F), ref: 00007FF60F19A8DE

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: c0fb399be8661876b698731ebb01a083231cf0cb32d6881bef92b5c8a6d37d35
Instruction ID: 0549284f06115540e54ee3fd8268cdb9c02f8090884a346f19b327c080e87c8e
Opcode Fuzzy Hash: c0fb399be8661876b698731ebb01a083231cf0cb32d6881bef92b5c8a6d37d35
Instruction Fuzzy Hash: 11110C34E0D20741FA6CA37664521796742CF863B0F785BB8E93ECA2C2DF2CB4464791

Function 00007FFE13301930 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE1330194F
TlsGetValue.KERNEL32 ref: 00007FFE13301992
SetLastError.KERNEL32 ref: 00007FFE1330199D

Strings

__based(, xrefs: 00007FFE1330195B
FlsGetValue, xrefs: 00007FFE1330196B

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: ErrorLast$Value
String ID: FlsGetValue$__based(
API String ID: 1883355122-1499225077
Opcode ID: 3cde031b42971c501b99c4d062fe830ef97904619396822104c6fd8221abb387
Instruction ID: 10788246275fcf36316d33a8862bcb9e04099118bd42da41dcbf0ea588c79d94
Opcode Fuzzy Hash: 3cde031b42971c501b99c4d062fe830ef97904619396822104c6fd8221abb387
Instruction Fuzzy Hash: B4119421B08E468AEA549F27A94017D33A0AB247B0B440775E5BE273F5DF3CE4408798

Function 00007FFE1330C1D0 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C1E7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C1FE
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C219
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C22D
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C247

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$terminate
String ID:
API String ID: 579254285-0
Opcode ID: b9a64d3d6ee68471bce02abac799c6deb2a21801f345f0dcf847466b3a3e6a69
Instruction ID: 3a64eb0c0f7f09111fdadcb631ad7eab5f8478f68f3f35052e7d833c83f9106f
Opcode Fuzzy Hash: b9a64d3d6ee68471bce02abac799c6deb2a21801f345f0dcf847466b3a3e6a69
Instruction Fuzzy Hash: 02012531A0DF8699FE189B97E08413D5364AF78B74F1808B5DA3C26B75DE2CE4508219

Function 00007FFE13301890 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE133018AF
TlsGetValue.KERNEL32 ref: 00007FFE133018F2
SetLastError.KERNEL32 ref: 00007FFE133018FD

Strings

__based(, xrefs: 00007FFE133018BB
FlsGetValue, xrefs: 00007FFE133018CB

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: ErrorLast$Value
String ID: FlsGetValue$__based(
API String ID: 1883355122-1499225077
Opcode ID: 1694fcc8876eaf970d65f9f7cf6b22be3eb451f9a49f8659623d94e435215b4e
Instruction ID: d858c57ae58f3e03739a30112c334bcd0457a69175406cd55eb2109e78e72b2c
Opcode Fuzzy Hash: 1694fcc8876eaf970d65f9f7cf6b22be3eb451f9a49f8659623d94e435215b4e
Instruction Fuzzy Hash: 6E11AC24F09F428AEA449B16A98407C7362FB687B0B440275EA7E237F5DF3CE9418758

Function 00007FFE013AE6A0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 177COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE013AE6F8

Strings

", xrefs: 00007FFE013AE765
sinh, xrefs: 00007FFE013AE746

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID: "$sinh
API String ID: 1156100317-1232919748
Opcode ID: 1b32543455a6c8168f2937d647417d3a52b2d3b296e9a1f1c63220f0cefa6fe5
Instruction ID: 3363052220d1f2e478c2ecec3443f7e471158ecf684228cd3b07e80fcf3998fb
Opcode Fuzzy Hash: 1b32543455a6c8168f2937d647417d3a52b2d3b296e9a1f1c63220f0cefa6fe5
Instruction Fuzzy Hash: A8918121E28F8189E7638B34A4513B67759EF6A3D5F519337E58E39A71DF2CA0838700

Function 00007FFE13274AF0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 169networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WS2_32 ref: 00007FFE13274B1B
00007FFE1FFA3440.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13274B38

Strings

NOO, xrefs: 00007FFE13274CF2
unsupported address family, xrefs: 00007FFE13274D11

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: 00007A3440ErrorLast
String ID: NOO$unsupported address family
API String ID: 848807496-3515961143
Opcode ID: 909fc28e825e186d18d6ade4b90d007801ae108912a46624615076baaa721aae
Instruction ID: e0965d2b26d03f378cb2d03211d5bbd51c06167f811e019aa1b94d70069db900
Opcode Fuzzy Hash: 909fc28e825e186d18d6ade4b90d007801ae108912a46624615076baaa721aae
Instruction Fuzzy Hash: 5A716D31A09F8289EA54AF26A45457A63A0FFF4BA4F0541B5DE8E27774EF3CE440C700

Function 00007FFE013ACBA3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE013ADDFA

Strings

", xrefs: 00007FFE013ADDB2
_hypot, xrefs: 00007FFE013ADD90

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID: "$_hypot
API String ID: 1156100317-1188193384
Opcode ID: 30edd1d860c6fbca9ed95a4b2fcb81cbc6a271cc11a0906b11b1b7d0d48f6558
Instruction ID: 1e589bc699580e0683b563c62fe3c11c2dec5781fb6e9db300c118b610f418e9
Opcode Fuzzy Hash: 30edd1d860c6fbca9ed95a4b2fcb81cbc6a271cc11a0906b11b1b7d0d48f6558
Instruction Fuzzy Hash: 6F51B87291DF8986EB12CF61A40037AB265FF96780F914331FA5E2AEA5DF3CE141C640

Function 00007FFE013AB496 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE013AB534

Strings

!, xrefs: 00007FFE013AB565
acosf, xrefs: 00007FFE013AB547

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID: !$acosf
API String ID: 1156100317-101895715
Opcode ID: 71ec19b4c8ad8ee9648a7ba0fa85dfd1995abbbd0122232bfbe41f41b9ffeac9
Instruction ID: 5dbf97e298d5679772b5c1c366a8a84b668da5e2e908f05cf9e23092646f6dea
Opcode Fuzzy Hash: 71ec19b4c8ad8ee9648a7ba0fa85dfd1995abbbd0122232bfbe41f41b9ffeac9
Instruction Fuzzy Hash: F351D831C2CA8986E322C73B5841175E650FFAA340F69C736ED59799B4DF3DB0859E00

Function 00007FFE013AEB80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 131COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE013AEBCB

Strings

", xrefs: 00007FFE013AEC47
sinhf, xrefs: 00007FFE013AEC40

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID: "$sinhf
API String ID: 1156100317-3935523221
Opcode ID: 918958a1fb63c09ba493611ac2a7382131e3e9afba7afa72afa230d2478bc51d
Instruction ID: ab57cda95afa00d89ebad4a003584eb7c64fc4eea24022ef8cc7557ac627e1ad
Opcode Fuzzy Hash: 918958a1fb63c09ba493611ac2a7382131e3e9afba7afa72afa230d2478bc51d
Instruction Fuzzy Hash: 8D61A231D1CF818AEB639B35A451275A355FF563D1F618332E58E3AA75EF3CA0C28600

Function 00007FFE013AB9B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE013ABA3A

Strings

!, xrefs: 00007FFE013ABA6B
asinf, xrefs: 00007FFE013ABA4D

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _set_statfp
String ID: !$asinf
API String ID: 1156100317-2917828882
Opcode ID: e02c587f2bbad5ae47ffa9e0c77fe692eca3b15f8905fe1beaed0f650771b692
Instruction ID: 441792e5f4aa00f7723671d44efc971da7d2b5748573cbf8c58b7174bf79279f
Opcode Fuzzy Hash: e02c587f2bbad5ae47ffa9e0c77fe692eca3b15f8905fe1beaed0f650771b692
Instruction Fuzzy Hash: F9516331D2DA8986F322C73B648127AB650BFAE341F69CB25ED48699F4DF3D70459A00

Function 00007FFE013E9288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00007FFE013EAD0E), ref: 00007FFE013E9303
CompareStringW.API-MS-WIN-CORE-STRING-L1-1-0(?,?,?,?,?,?,?,00000000,00000000,00007FFE013EAD0E), ref: 00007FFE013E935F

Strings

CompareStringEx, xrefs: 00007FFE013E92F9
AreFileApisANSI, xrefs: 00007FFE013E92DB

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressCompareProcString
String ID: AreFileApisANSI$CompareStringEx
API String ID: 108076903-3979650549
Opcode ID: 9c01116c69461785fb70ad1c05279c168e2a8828430552149869a588c4d73f25
Instruction ID: 8c72051dd547b92ab1edce2fa9d1faa784281205d038cd93427bafed2b0fbd81
Opcode Fuzzy Hash: 9c01116c69461785fb70ad1c05279c168e2a8828430552149869a588c4d73f25
Instruction Fuzzy Hash: 36319331B1CB4286EB54CB2AE84026973E0BB587A8F144335DD6D9B7F8DE3CE8018700

Function 00007FFE01388010 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,00000000,00000098,00000000,00007FFE013EC258), ref: 00007FFE013880DA
LCMapStringW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,?,?,?,?,00000000,00000098,00000000,00007FFE013EC258), ref: 00007FFE013C842D

Strings

LCMapStringEx, xrefs: 00007FFE013880D0
LCIDToLocaleName, xrefs: 00007FFE013880B8

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressProcString
String ID: LCIDToLocaleName$LCMapStringEx
API String ID: 3874510993-3928102921
Opcode ID: a0cdd02db15d2baaee71b25ddafbc6e81294e66017932d8cf8f93dd6d9f3de1a
Instruction ID: f1ab3376dd553c7cd447a5c6fde797c54eccaddfd80f7570cb866330ee4c74dc
Opcode Fuzzy Hash: a0cdd02db15d2baaee71b25ddafbc6e81294e66017932d8cf8f93dd6d9f3de1a
Instruction Fuzzy Hash: 66318071B1DB4286EB14CB19F85027A67A1BB88BA4F454339EE6D8B7B4DF3CE4418700

Function 00007FFE013E95F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 85libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,00007FFE01425634,?,?,?,?,?,?,00000000,?), ref: 00007FFE013E966F
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(?,?,?,?,?,?,?,00007FFE01425634,?,?,?,?,?,?,00000000,?), ref: 00007FFE013E96C5

Strings

GetDateFormatEx, xrefs: 00007FFE013E9665
GetLocaleInfoEx, xrefs: 00007FFE013E9647

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressDateFormatProc
String ID: GetDateFormatEx$GetLocaleInfoEx
API String ID: 2680382325-3651929019
Opcode ID: 7c3b1c42358e41c3879f7fc51d98f508681f88725dc7721055a332750a378f6d
Instruction ID: 0a5fa0023cb165c337764f009e3e9c57533946984fd7a780e6b65df12e601831
Opcode Fuzzy Hash: 7c3b1c42358e41c3879f7fc51d98f508681f88725dc7721055a332750a378f6d
Instruction Fuzzy Hash: 04311021B1DB4286EB14DB1AE81022A67A1BB547E8F454336EE5D4B7F8DF3CE505CB00

Function 00007FFE013E981C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 84libraryloadertimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,?,?,?,00007FFE014256D7,?,?,?,?,?,?,00000000,?), ref: 00007FFE013E9897
GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(?,?,?,?,?,?,?,00007FFE014256D7,?,?,?,?,?,?,00000000,?), ref: 00007FFE013E98ED

Strings

GetTimeFormatEx, xrefs: 00007FFE013E988D
GetLocaleInfoEx, xrefs: 00007FFE013E986F

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressFormatProcTime
String ID: GetLocaleInfoEx$GetTimeFormatEx
API String ID: 3572143191-1887218579
Opcode ID: c88a4ff822122563e7e13919ba5be6c966a78eb1ab820d30e35d194ba584dd40
Instruction ID: 11585ab4f8d077f8ff08e0423ce859cbfb12176e9e44a3f10ef846e168379149
Opcode Fuzzy Hash: c88a4ff822122563e7e13919ba5be6c966a78eb1ab820d30e35d194ba584dd40
Instruction Fuzzy Hash: 43314121B1DB4286EB14DB2AE81026967E1FB587E8F454336EE6D4B7F8DE3CE4058700

Function 00007FFE01387390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE013875A3,?,?,00000000,00007FFE01388AE1), ref: 00007FFE01387454
InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFE013875A3,?,?,00000000,00007FFE01388AE1), ref: 00007FFE013C812D
__vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFE013C813B

Strings

InitializeCriticalSectionEx, xrefs: 00007FFE013873B3, 00007FFE0138744A

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressCountCriticalInitializeProcSectionSpin__vcrt_uninitialize_locks
String ID: InitializeCriticalSectionEx
API String ID: 3597771952-3084827643
Opcode ID: 64c6903de641859419fbbc5e7920358b8a09ef9f9e97dbfbfc7f49064fec7532
Instruction ID: 5633748b378f3a3b6224896e26c9837a675a456ea7e18446f729a1b91ac08310
Opcode Fuzzy Hash: 64c6903de641859419fbbc5e7920358b8a09ef9f9e97dbfbfc7f49064fec7532
Instruction Fuzzy Hash: 2E31AF21B18B0382FB589B25E85017923A2EF857A8F555236DD2E5FBF8DF3CE4468340

Function 00007FFE13272600 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32 ref: 00007FFE1327263D
GetLastError.KERNEL32 ref: 00007FFE1327498E

Strings

socket.gethostname, xrefs: 00007FFE13272615

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: ComputerErrorLastName
String ID: socket.gethostname
API String ID: 3560734967-2650736202
Opcode ID: 095da23aa149d5187cd0f7ae323386cb0076a1ee99408e4307cb689096eda50e
Instruction ID: 97c13214a1274cc9137eab0a0e2ace7c3f2748e33aa12c2cb8ac5647cb23e8a7
Opcode Fuzzy Hash: 095da23aa149d5187cd0f7ae323386cb0076a1ee99408e4307cb689096eda50e
Instruction Fuzzy Hash: CD31F021B0CF428AE724AB23E81527A63A5FFF97A5F444175D94E666B4DF3CE405C700

Function 00007FFE13275EF4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

getsockopt.WS2_32 ref: 00007FFE13275F63
getsockopt.WS2_32 ref: 00007FFE13275FB6

Strings

ii|i:getsockopt, xrefs: 00007FFE13275F14
getsockopt buflen out of range, xrefs: 00007FFE13275FF4

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: getsockopt
String ID: getsockopt buflen out of range$ii|i:getsockopt
API String ID: 3272894102-2750947780
Opcode ID: 0322cdff57f77cc2b7393446e0397869c2c2d530b9d2fbdfc7ba9d1bd7ad0373
Instruction ID: df36c672fc93a74432660a8e0fbea9ca361a4be9a41e12e54bb7b77f2060bf75
Opcode Fuzzy Hash: 0322cdff57f77cc2b7393446e0397869c2c2d530b9d2fbdfc7ba9d1bd7ad0373
Instruction Fuzzy Hash: 96310972B18E42CBEB54AF26E45406A73A1FBE4B64B200175EA4E97A74DF3DD405CB00

Function 00007FFE132782C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

inet_ntop.WS2_32 ref: 00007FFE13278385

Strings

invalid length of packed IP address string, xrefs: 00007FFE1327830F, 00007FFE13278349
iy*:inet_ntop, xrefs: 00007FFE132782E1
unknown address family %d, xrefs: 00007FFE132783E2

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: inet_ntop
String ID: invalid length of packed IP address string$iy*:inet_ntop$unknown address family %d
API String ID: 448242623-2822559286
Opcode ID: 821bdc76849829ac382dd6bfe7ebbdf4799ccd67fbae3e73fb104eed7083eac5
Instruction ID: 9c42912d845d2eb0589ff7b2143d225c1d22381e17ceb1dc48cfbbc96b8c168a
Opcode Fuzzy Hash: 821bdc76849829ac382dd6bfe7ebbdf4799ccd67fbae3e73fb104eed7083eac5
Instruction Fuzzy Hash: D531FB31B18E4389EB60AB27E86467923B0FBF5B64F404472D54EA7674DE7CE449C700

Function 00007FFE013ADE30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FFE013ADF1B

Part of subcall function 00007FFE013AE1B0: _raise_excf.LIBCMT ref: 00007FFE013AE256

_set_statfp.LIBCMT ref: 00007FFE013ADF4A

Strings

", xrefs: 00007FFE013ADF07
_hypotf, xrefs: 00007FFE013ADEE9

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_errorf_raise_excf_set_statfp
String ID: "$_hypotf
API String ID: 2298391848-905711854
Opcode ID: 5f43d922e01293972ed8460855153002ebb918f5f1b2f1ea9cc3e8d90e8f3529
Instruction ID: 9094bac4a6b6e1f216f2632924407e7de575dbf946027840a736c92bd7dd8538
Opcode Fuzzy Hash: 5f43d922e01293972ed8460855153002ebb918f5f1b2f1ea9cc3e8d90e8f3529
Instruction Fuzzy Hash: CF213A32D2DB8546D632CA3294016769656BFA7390F618332F97E39DE4CB3CE0859B00

Function 00007FFE013E9A58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE013E9AC2
IsValidLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00007FFE013E9B03

Strings

IsValidLocaleName, xrefs: 00007FFE013E9AB8
LCIDToLocaleName, xrefs: 00007FFE013E9A9A

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressLocaleProcValid
String ID: IsValidLocaleName$LCIDToLocaleName
API String ID: 2003423906-1752364312
Opcode ID: 65b0c262ca36154cd53a740d3a81f65cf26c20ac48d112a99bb656f3d84eeda0
Instruction ID: 867be05c3674ff1c4c784cc4c7aba72b8677b9584041a25837bcafbdc6c32fd3
Opcode Fuzzy Hash: 65b0c262ca36154cd53a740d3a81f65cf26c20ac48d112a99bb656f3d84eeda0
Instruction Fuzzy Hash: AF215E60B1DB4342FF08876AE95027923A1AF587E8F555335DD2D5B7F4EE6CE4858300

Function 00007FFE01381EC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,00000098,00007FFE01381E63), ref: 00007FFE01381F40
GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,?,00000098,00007FFE01381E63), ref: 00007FFE013C682B

Strings

GetUserDefaultLocaleName, xrefs: 00007FFE01381F36
LCIDToLocaleName, xrefs: 00007FFE01381F1F

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressDefaultProcUser
String ID: GetUserDefaultLocaleName$LCIDToLocaleName
API String ID: 306211784-2335043742
Opcode ID: 189e9eb15733c52c6acb18485faa6e2e3afa5949e2a93b7d527beaa8dac3b8c9
Instruction ID: 837a28b550c4ef8c4424cc086876bb7450767d5a4bba40f89b47e7193128a60c
Opcode Fuzzy Hash: 189e9eb15733c52c6acb18485faa6e2e3afa5949e2a93b7d527beaa8dac3b8c9
Instruction Fuzzy Hash: 86216DA1B1AB0342FF049B25E91017963A2AF487A8F555735DD2E1F7F8EE3CE4458300

Function 00007FFE13301BA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301C3F
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301C46
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301C4D

Strings

csm, xrefs: 00007FFE13301BBE

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: terminate
String ID: csm
API String ID: 1821763600-1018135373
Opcode ID: 438b22e0981f78b69658ddcae18d3ec84825a9baaa088e9bbe4ec400c4afb42d
Instruction ID: 2b70a8b96b7002ccf25ccdd0c37bb5ffbeae4977a3b50d9b87ed4c5b350138f4
Opcode Fuzzy Hash: 438b22e0981f78b69658ddcae18d3ec84825a9baaa088e9bbe4ec400c4afb42d
Instruction Fuzzy Hash: 8911DABAE08E4A8AFB68CF66D08517C2762FF30761F544475C92D53760DE2CD491C205

Function 00007FFE1327785C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32 ref: 00007FFE132778EA

Strings

socket.gethostbyname, xrefs: 00007FFE132778AE
et:gethostbyname_ex, xrefs: 00007FFE1327788D
idna, xrefs: 00007FFE13277886

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: gethostbyname
String ID: et:gethostbyname_ex$idna$socket.gethostbyname
API String ID: 930432418-574663143
Opcode ID: 54f4fd81d729306ff9aedb914a1bb74dce5a6755a4873b6e6c034d5538e1bf51
Instruction ID: 706b7a9c8e4e29bfd2c1d3e9b9b376d8dcf406dc4351e48aa56b72498bb02a14
Opcode Fuzzy Hash: 54f4fd81d729306ff9aedb914a1bb74dce5a6755a4873b6e6c034d5538e1bf51
Instruction Fuzzy Hash: 6D21FC21B08E8689EB60AB27F9547BA63A0FFF9BA4F444075D94E67675DE2CE104C700

Function 00007FFE13278404 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

inet_pton.WS2_32 ref: 00007FFE13278443

Strings

illegal IP address string passed to inet_pton, xrefs: 00007FFE13278461
is:inet_pton, xrefs: 00007FFE1327841F
unknown address family, xrefs: 00007FFE13278498

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: inet_pton
String ID: illegal IP address string passed to inet_pton$is:inet_pton$unknown address family
API String ID: 1350483568-903159468
Opcode ID: 6b3a4026c44cec4ec7538d6aa5690018d334bb71108f633ead04177c9dedd22e
Instruction ID: c79ae1494d7a39b3d3322c1f5f72bb1df833be79aa7d202e6a5990e9926e024e
Opcode Fuzzy Hash: 6b3a4026c44cec4ec7538d6aa5690018d334bb71108f633ead04177c9dedd22e
Instruction Fuzzy Hash: CE213E72B18E4289EA60FB16E86107937B1FBF4B64F5040B2D64E66574DFBCE505C700

Function 00007FFE013BF134 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::doPchar.LIBVCRUNTIME ref: 00007FFE013BF19E
DName::operator+.LIBVCRUNTIME ref: 00007FFE013BF1AE

Strings

generic-type-, xrefs: 00007FFE013BF139
-, xrefs: 00007FFE013BF196

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Name::doName::operator+Pchar
String ID: -$generic-type-
API String ID: 2230304450-2190548783
Opcode ID: a222bea0931922b931cd2f10f3fe1c7f4edeeeddb3b74bbb269479d4843b1b80
Instruction ID: e0e0509996ed860237be293bcdd3e3eddbfb43964030e94612797feebab1506d
Opcode Fuzzy Hash: a222bea0931922b931cd2f10f3fe1c7f4edeeeddb3b74bbb269479d4843b1b80
Instruction Fuzzy Hash: 8B010422A0C68195EB108B11E9803BAB320FB857D8F144031D79D0FBBAEF7CD0548700

Function 00007FFE13277EA8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FFE13277F1A

Strings

i:htons, xrefs: 00007FFE13277EB4
htons: Python int too large to convert to C 16-bit unsigned integer (The silent truncation is deprecated), xrefs: 00007FFE13277EF9
htons: can't convert negative Python int to C 16-bit unsigned integer, xrefs: 00007FFE13277ED4

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: htons
String ID: htons: Python int too large to convert to C 16-bit unsigned integer (The silent truncation is deprecated)$htons: can't convert negative Python int to C 16-bit unsigned integer$i:htons
API String ID: 4207154920-4284149983
Opcode ID: 729e96e7b12afc6b5897316c3b0dbc4f4c5b66e951e21554fbea4e40ff9651a1
Instruction ID: ffceac9bdfa54245f3dc71bf3e574b2851e019b0ad4536b34095e7371e00668f
Opcode Fuzzy Hash: 729e96e7b12afc6b5897316c3b0dbc4f4c5b66e951e21554fbea4e40ff9651a1
Instruction Fuzzy Hash: 95012121B18E438AFA10BB27D89017423B0BFF5BA5F5004B1D94EA7570DE6EE805C740

Function 00007FFE13278534 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32networkCOMMON

Download Yara Rule

APIs

htons.WS2_32 ref: 00007FFE132785A6

Strings

ntohs: Python int too large to convert to C 16-bit unsigned integer (The silent truncation is deprecated), xrefs: 00007FFE13278585
ntohs: can't convert negative Python int to C 16-bit unsigned integer, xrefs: 00007FFE13278560
i:ntohs, xrefs: 00007FFE13278540

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: htons
String ID: i:ntohs$ntohs: Python int too large to convert to C 16-bit unsigned integer (The silent truncation is deprecated)$ntohs: can't convert negative Python int to C 16-bit unsigned integer
API String ID: 4207154920-2105665782
Opcode ID: e796ab97eb9230b9202cf1ef48d8ea29262147f76c6ebbc76763d0961c0534d0
Instruction ID: d84a6850491adc06d7a80f3e67fa2ceec0f5754cc3d573c7f1b30cccc757bbe8
Opcode Fuzzy Hash: e796ab97eb9230b9202cf1ef48d8ea29262147f76c6ebbc76763d0961c0534d0
Instruction Fuzzy Hash: D201DA61F08E4389EA10AB27EC9117527B0BFF4BE5F5040B1D94EAB5B0EE6DE549C740

Function 00007FFE132781C0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00007FFE13278214

Strings

255.255.255.255, xrefs: 00007FFE132781E2
illegal IP address string passed to inet_aton, xrefs: 00007FFE1327822A
s:inet_aton, xrefs: 00007FFE132781CC

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: inet_addr
String ID: 255.255.255.255$illegal IP address string passed to inet_aton$s:inet_aton
API String ID: 1393076350-4110412280
Opcode ID: a1e12168fce0f0faf93cf48384a411813160d1229747e6eb0ce927bb8162e8e8
Instruction ID: 4395e427dc76f254b7b8a5e8c2f54ea0f4a5ebd060fd6f5ae5ae38e20dc730af
Opcode Fuzzy Hash: a1e12168fce0f0faf93cf48384a411813160d1229747e6eb0ce927bb8162e8e8
Instruction Fuzzy Hash: 92011A61A08E4289EA00BB2BE8541792770FFF57B5F6045B1D61EA65B4DF2DD409C700

Function 00007FFE1330C380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

__C_specific_handler.LIBVCRUNTIME ref: 00007FFE1330C389

Part of subcall function 00007FFE1330C680: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1330C740
Part of subcall function 00007FFE1330C680: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1330C38E), ref: 00007FFE1330C78F

terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330C3A1

Strings

csm, xrefs: 00007FFE1330C394
f, xrefs: 00007FFE1330C38E

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: C_specific_handlerCurrentImageNonwritableUnwindterminate
String ID: csm$f
API String ID: 2215565074-629598281
Opcode ID: a100106faf02f9425695e37ff6904bd06c41ae4876ec1667ba193be14bb0b118
Instruction ID: cd1c574223480282b3d669345a1c53b073835e17be4a6c2af990a6800ae61ace
Opcode Fuzzy Hash: a100106faf02f9425695e37ff6904bd06c41ae4876ec1667ba193be14bb0b118
Instruction Fuzzy Hash: 72D05E21D28B46C9FF381A73908523C26845F34734F0884F0CA2C1C2E18E1E98E9421B

Function 00007FFE01381844 Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFE0138161E), ref: 00007FFE01381864
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFE0138161E), ref: 00007FFE013818BA
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFE0138161E), ref: 00007FFE01381919
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFE0138161E), ref: 00007FFE0138192F
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,?,00007FFE0138161E), ref: 00007FFE01381948

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: 302044b92b2308bce7121270ea834612e31e28d4b7090ae58e8a9f8d8bdd8df1
Instruction ID: b76765e167107d7f26cd888f6e33174e32c2b52965da9987ba80723076eb1d0f
Opcode Fuzzy Hash: 302044b92b2308bce7121270ea834612e31e28d4b7090ae58e8a9f8d8bdd8df1
Instruction Fuzzy Hash: 1C318F22A18B9286F7548F11A84427DA764FB94BA4F1A1235DDAE0B7B1DE7CE582C300

Function 00007FFE01421DC0 Relevance: 6.1, APIs: 4, Instructions: 144fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FFE013C7A06), ref: 00007FFE01421E1D
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE01421F20
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE01421F61
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE01421F9C

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLast
String ID:
API String ID: 765721374-0
Opcode ID: d79d0a6dc17aab93c60b94be928b241413c0b385ad5ba48a6bb4bfa34089292c
Instruction ID: 3cc39b3326d059997e8eb3a6f184028ffee2ce6eed753cad8f2780d92613d961
Opcode Fuzzy Hash: d79d0a6dc17aab93c60b94be928b241413c0b385ad5ba48a6bb4bfa34089292c
Instruction Fuzzy Hash: 7E51CD32F1469289E710CF61E8906AD3BB0BB64B98F454132DE5E5BAB4DF3CD186C701

Function 00007FFE0138CEB0 Relevance: 6.1, APIs: 4, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013A28D6,?,?,?,?,?,?,?,00000040), ref: 00007FFE0138CEEC
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013A28D6,?,?,?,?,?,?,?,00000040), ref: 00007FFE0138CF3E

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 524cda4936ba2ef802744aff912098b033c9da1022ee252861117ab8191c56bd
Instruction ID: bf3f411f123100bf79aff95db838f346ae9295734a1cbdb0cbc7bb0927e7564f
Opcode Fuzzy Hash: 524cda4936ba2ef802744aff912098b033c9da1022ee252861117ab8191c56bd
Instruction Fuzzy Hash: 5951BB21E0D75686FB559B24E5402BD73A0EF45B98F255234DA6D4F7F2EF2CB8918300

Function 00007FFE13309B40 Relevance: 6.1, APIs: 4, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+=.LIBVCRUNTIME ref: 00007FFE13309BE9
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13309BFA
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13309C33
DName::operator+=.LIBVCRUNTIME ref: 00007FFE13309C54

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+=
String ID:
API String ID: 3821211099-0
Opcode ID: ff692e02c459a60db3a90965a0e40e8b060188389d68a8067c539dd7fc5ea092
Instruction ID: 4d99f5074c43d85f83a8a81fae006cf7251b43aaa98e8d21fa8a6458a0534916
Opcode Fuzzy Hash: ff692e02c459a60db3a90965a0e40e8b060188389d68a8067c539dd7fc5ea092
Instruction Fuzzy Hash: 0C416D62F08F528DEB10DF53D8800BD67A5BB24BA4F444872DE6C67AB9DE38D551C308

Function 00007FFE132755D4 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

VerSetConditionMask.NTDLL ref: 00007FFE1327564E
VerSetConditionMask.NTDLL ref: 00007FFE1327565D
VerSetConditionMask.NTDLL ref: 00007FFE1327566C
VerifyVersionInfoA.KERNEL32 ref: 00007FFE1327569A

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 915e44011b00c5956dca37e0df7ef38024c7c35bec0575d793d4045e04d37780
Instruction ID: 11ea763d6137c27601606977049d50c8c2af5ab7f24b17141fc7dba3aafab002
Opcode Fuzzy Hash: 915e44011b00c5956dca37e0df7ef38024c7c35bec0575d793d4045e04d37780
Instruction Fuzzy Hash: 0C311D35A09B81CAEB20DF12E4447A973A0FBE8B54F444175CA8D67B68DF3CE549CB10

Function 00007FFE013884B0 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013884D7
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE01388576

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: b48df02448ea6c3c3e81b37e96f7fbedd635f325f2f5f48e109908653462f0fb
Instruction ID: 9c627665696ffa4dfde566215e981ec8eb61393ad641fe4bcdc0af1ef9dc3d50
Opcode Fuzzy Hash: b48df02448ea6c3c3e81b37e96f7fbedd635f325f2f5f48e109908653462f0fb
Instruction Fuzzy Hash: 2221A120E0D70382FB54A774A95517DA2A55F843A8F56077CD42E4F6FAEF2CF8058310

Function 00007FFE01393850 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE01393861
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013938AB

Part of subcall function 00007FFE013938F0: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?,00007FFE01383CB3,?,?,?), ref: 00007FFE013938FA
Part of subcall function 00007FFE013938F0: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?,00007FFE01383CB3,?,?,?), ref: 00007FFE01393944

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE013938D1
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013CD7E3

Part of subcall function 00007FFE0138D4D0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE0138D549
Part of subcall function 00007FFE0138D4D0: TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE013C6003

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressConcurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_ProcValue
String ID:
API String ID: 2828593425-0
Opcode ID: a3f83c6428281c083870adb58c7dfdc5829ba1d8a2042a875c092bef449fd859
Instruction ID: cab2901ed926134d243c8be2f30e9990432d5d94815ea881eea3b735779e62a3
Opcode Fuzzy Hash: a3f83c6428281c083870adb58c7dfdc5829ba1d8a2042a875c092bef449fd859
Instruction Fuzzy Hash: 37218E60F0D74342FB54AB70A95517D62A5AF843A4F160638E92E4F7F6EE3CF8098340

Function 00007FFE0139BBB0 Relevance: 6.1, APIs: 4, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0139BC48: GetModuleHandleExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE0139BBD8,?,?,?,?,?,00007FFE0139BB82,?,?,?,?,?,00007FFE0139BB39), ref: 00007FFE0139BC8C

CreateThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,?,?,00007FFE0139BB82,?,?,?,?,?,00007FFE0139BB39), ref: 00007FFE0139BC01
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,00007FFE0139BB82,?,?,?,?,?,00007FFE0139BB39), ref: 00007FFE013D1E0F

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: CreateErrorHandleLastModuleThread
String ID:
API String ID: 182981130-0
Opcode ID: 10b7d636ff5d98f08303ca471f79011c60a894864000ff7db2019a0b9034142f
Instruction ID: 54bcfccdfe74838c4af324861f193b38a9a0d3b7d47d3ec18f0df93023e80f51
Opcode Fuzzy Hash: 10b7d636ff5d98f08303ca471f79011c60a894864000ff7db2019a0b9034142f
Instruction Fuzzy Hash: 47216F25A0D78286FF15DB65B45057AA2A5EF85B80F5A0430DE8E4F7B9DE3CE4008B40

Function 00007FFE013938F0 Relevance: 6.1, APIs: 4, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?,00007FFE01383CB3,?,?,?), ref: 00007FFE013938FA
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?,00007FFE01383CB3,?,?,?), ref: 00007FFE01393944
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?,00007FFE01383CB3,?,?,?), ref: 00007FFE01393960
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013CD85B

Part of subcall function 00007FFE0138D4D0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE0138D549
Part of subcall function 00007FFE0138D4D0: TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE013C6003

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressConcurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_ProcValue
String ID:
API String ID: 2828593425-0
Opcode ID: 2694630f62aafb5f25829a23acb7910750d305b072d7734d1a2032a41b423732
Instruction ID: ac13f0b617c74449fd5f12118aac6f214d8e90d67c8073c594cef7a3dc04eaea
Opcode Fuzzy Hash: 2694630f62aafb5f25829a23acb7910750d305b072d7734d1a2032a41b423732
Instruction Fuzzy Hash: C3219060E0D70346FB589770A5652B952A5AF843A8F060334E82E0F6F6EF2CF8058340

Function 00007FFE01381D50 Relevance: 6.1, APIs: 4, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013C7949,?,?,?,00007FFE01385043,?,?,?,00007FFE01383CB3,?,?,?,00007FFE013F1153), ref: 00007FFE01381D5A
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013C7949,?,?,?,00007FFE01385043,?,?,?,00007FFE01383CB3,?,?,?,00007FFE013F1153), ref: 00007FFE01381DA4
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013C7949,?,?,?,00007FFE01385043,?,?,?,00007FFE01383CB3,?,?,?,00007FFE013F1153), ref: 00007FFE01381DC0
Concurrency::details::_Concurrent_queue_iterator_base_v4::~_Concurrent_queue_iterator_base_v4.LIBCPMT ref: 00007FFE013C67AB

Part of subcall function 00007FFE0138D4D0: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE0138D549
Part of subcall function 00007FFE0138D4D0: TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE013C6003

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$AddressConcurrency::details::_Concurrent_queue_iterator_base_v4Concurrent_queue_iterator_base_v4::~_ProcValue
String ID:
API String ID: 2828593425-0
Opcode ID: 2f432a438df1f1b4216f799124d22d226c50d070f1c4872b7ed6e825bdfe5df5
Instruction ID: 8962c91d2d664f36a0798c5fade6e4b9ec39ac2e0577ee12774973d8c29aee68
Opcode Fuzzy Hash: 2f432a438df1f1b4216f799124d22d226c50d070f1c4872b7ed6e825bdfe5df5
Instruction Fuzzy Hash: DE216060B0D70346FB54AB60A6556BD52A59F843A8F060734D52E0F7F6EF2CF8098340

Function 00007FFE13303270 Relevance: 6.1, APIs: 4, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE13302CE7), ref: 00007FFE133032BC
__AdjustPointer.LIBCMT ref: 00007FFE133032D2
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FFE13302CE7), ref: 00007FFE133032F6
__AdjustPointer.LIBCMT ref: 00007FFE1330330C

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: AdjustPointerabort
String ID:
API String ID: 3954111656-0
Opcode ID: 309a1d1c1b1e5aa468863802a9d91ddaa5992cf4c1454c0b22ad85108a3dbc05
Instruction ID: ba26705d901da4bf66b321eaf61ca7015eeb17c0da1d702a9032f765848f7239
Opcode Fuzzy Hash: 309a1d1c1b1e5aa468863802a9d91ddaa5992cf4c1454c0b22ad85108a3dbc05
Instruction Fuzzy Hash: BB218732E08F42C9EA149B57D18407E6364FF64BB5B0844B6DB2C27B66CF3CE5958748

Function 00007FFE0141FC28 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFE0141FDA2,?,?,?,?,00007FFE013C6F55,?,?,?,00007FFE013F1153,?,?,00000000), ref: 00007FFE0141FC5E
FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00007FFE0141FDA2,?,?,?,?,00007FFE013C6F55,?,?,?,00007FFE013F1153,?,?,00000000), ref: 00007FFE0141FC8F

Part of subcall function 00007FFE01381D50: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013C7949,?,?,?,00007FFE01385043,?,?,?,00007FFE01383CB3,?,?,?,00007FFE013F1153), ref: 00007FFE01381D5A
Part of subcall function 00007FFE01381D50: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE013C7949,?,?,?,00007FFE01385043,?,?,?,00007FFE01383CB3,?,?,?,00007FFE013F1153), ref: 00007FFE01381DA4

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,00007FFE0141FDA2,?,?,?,?,00007FFE013C6F55,?,?,?,00007FFE013F1153,?,?,00000000), ref: 00007FFE0141FCA3
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,00007FFE0141FDA2,?,?,?,?,00007FFE013C6F55,?,?,?,00007FFE013F1153,?,?,00000000), ref: 00007FFE0141FCCE

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorLast$CriticalSection$BuffersEnterFileFlushLeave
String ID:
API String ID: 1312186065-0
Opcode ID: ee76ac8f46fbed5b4f5efb849bdda1e853cbd41d329b9c3ee47b2fcfb560e6d1
Instruction ID: d56cc19e68161fc3b0c00b7e99a3239543fd0e4814fb4e4cd623571d0fcc919b
Opcode Fuzzy Hash: ee76ac8f46fbed5b4f5efb849bdda1e853cbd41d329b9c3ee47b2fcfb560e6d1
Instruction Fuzzy Hash: B711B2B2B24B4682DB549F65E884239A360FB58BC5B054135DA5F4F375EF3CE0558300

Function 00007FFE13304770 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13304780
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330479A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133047C7
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE133047DC

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$terminate
String ID:
API String ID: 579254285-0
Opcode ID: 0575d6c39966dbd82ec46a155e414ed2de6267770d3a2ba2e587cfaa28695db4
Instruction ID: 87114b723c756ff1aae3251a6e87ddbdf83871d8711c1170deef012430e16ee2
Opcode Fuzzy Hash: 0575d6c39966dbd82ec46a155e414ed2de6267770d3a2ba2e587cfaa28695db4
Instruction Fuzzy Hash: D7F08121E09F4689F9086B63E48417C5364AF78F60F1808B5EA3D22766DE2CE5504618

Function 00007FFE13273F4C Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

VerSetConditionMask.NTDLL ref: 00007FFE13273FB2
VerSetConditionMask.NTDLL ref: 00007FFE13273FC5
VerSetConditionMask.NTDLL ref: 00007FFE13273FD4
VerifyVersionInfoW.KERNEL32 ref: 00007FFE13273FF9

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 8b396afc2959a7b7062373c8648dfc0c8814537d5f2e8906ce295a48b12feaba
Instruction ID: 57ebe47224837d385886ff9dda6ecd0097950eeb0070506d76d4172d264a3fa1
Opcode Fuzzy Hash: 8b396afc2959a7b7062373c8648dfc0c8814537d5f2e8906ce295a48b12feaba
Instruction Fuzzy Hash: E511E732A19A8186D720DF22E8813DAB2B1FBD8754F455139DA8D87768EB7CD109CB44

Function 00007FFE13273E70 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

VerSetConditionMask.NTDLL ref: 00007FFE13273ED6
VerSetConditionMask.NTDLL ref: 00007FFE13273EE9
VerSetConditionMask.NTDLL ref: 00007FFE13273EF8
VerifyVersionInfoW.KERNEL32 ref: 00007FFE13273F1D

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 202f66560dac0e126ab4f3184bce5b4244807b0f8ad9589e321976817cce69d4
Instruction ID: 57ebe47224837d385886ff9dda6ecd0097950eeb0070506d76d4172d264a3fa1
Opcode Fuzzy Hash: 202f66560dac0e126ab4f3184bce5b4244807b0f8ad9589e321976817cce69d4
Instruction Fuzzy Hash: E511E732A19A8186D720DF22E8813DAB2B1FBD8754F455139DA8D87768EB7CD109CB44

Function 00007FFE013C25E4 Relevance: 6.0, APIs: 4, Instructions: 40timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,00007FFE013889AD), ref: 00007FFE013C2611
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE013889AD), ref: 00007FFE013C261F
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE013889AD), ref: 00007FFE013C262B
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?,?,?,00007FFE013889AD), ref: 00007FFE013C263B

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: d503fa05623a57c4eeef4bffdf31ee343c622b4c9e351dd5a0394b126dd876f0
Instruction ID: 7ee4f2f2b8a7c0680a4d71a833cb38c083ab23dc0dab2ca436284c643f95426d
Opcode Fuzzy Hash: d503fa05623a57c4eeef4bffdf31ee343c622b4c9e351dd5a0394b126dd876f0
Instruction Fuzzy Hash: 9311FA32B09F428AEB108F75E8950A933A4FB5DB5CB441A35EA5D8B774DF7CD1A48340

Function 00007FFE1330D364 Relevance: 6.0, APIs: 4, Instructions: 40timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,00007FFE1330C5E9), ref: 00007FFE1330D391
GetCurrentThreadId.KERNEL32 ref: 00007FFE1330D39F
GetCurrentProcessId.KERNEL32(?,?,?,00007FFE1330C5E9), ref: 00007FFE1330D3AB
QueryPerformanceCounter.KERNEL32(?,?,?,00007FFE1330C5E9), ref: 00007FFE1330D3BB

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 1fefa3f07759f2b27021d6aa4cfab479302c24b9d86d53738b153a3556951b4d
Instruction ID: 0324f9b4a633553f442b27604a2903689c3a9e2ff3d4ef97b7147d60f518ec75
Opcode Fuzzy Hash: 1fefa3f07759f2b27021d6aa4cfab479302c24b9d86d53738b153a3556951b4d
Instruction Fuzzy Hash: 0D113062B04F418AEB10CF72E8541A933A4F71D768B041A71EA6D87764DF3CD1A48354

Function 00007FF60F18A920 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF60F18A94C
GetCurrentThreadId.KERNEL32 ref: 00007FF60F18A95A
GetCurrentProcessId.KERNEL32 ref: 00007FF60F18A966
QueryPerformanceCounter.KERNEL32 ref: 00007FF60F18A976

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: be9da76585353bf4ff120931e3f5bbaf95a19439f17c7ee9af2afa7da57e9186
Instruction ID: 20bef7217564d57e6d6b8efc10b3d3bbabe09ce231f67aa7425c7cde3d1d0e13
Opcode Fuzzy Hash: be9da76585353bf4ff120931e3f5bbaf95a19439f17c7ee9af2afa7da57e9186
Instruction Fuzzy Hash: 0A111836B18B029AEB008F61E8552B833A4FB19758F540E31EA6D867A4DF7CD1998380

Function 00007FFE133050B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE13305127

Part of subcall function 00007FFE1330B390: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330B3AB

DName::operator=.LIBVCRUNTIME ref: 00007FFE133051CF

Strings

CV: , xrefs: 00007FFE13305107

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+Name::operator+=Name::operator=
String ID: CV:
API String ID: 2521687178-3725821052
Opcode ID: d0ba46de3f1c83a20ab42dfcfcdc110b5b72e88ff0278ae87969a8fad92ba96a
Instruction ID: 5ea687ff24a3e4f294ea5542c4fa45a26b7604d9726f419ad1469755f71c08ce
Opcode Fuzzy Hash: d0ba46de3f1c83a20ab42dfcfcdc110b5b72e88ff0278ae87969a8fad92ba96a
Instruction Fuzzy Hash: 45519B62E0CE86DDFB19CB62D8502BD27B1AF647A4F8440B1D96D677F6CE2CA445C308

Function 00007FFE01385FF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE0138E040: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(?,?,00000000,00007FFE013CD82A,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE0138E088

InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00000000,00007FFE013818FB,?,?,?,?,?,00007FFE0138161E), ref: 00007FFE013C7DB6
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,00000000,00007FFE013818FB,?,?,?,?,?,00007FFE0138161E), ref: 00007FFE013C7DCC

Strings

InitializeCriticalSectionEx, xrefs: 00007FFE0138603D, 00007FFE013C7DC2

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressAllocCountCriticalHeapInitializeProcSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 1188775705-3084827643
Opcode ID: 703f7b587c740a315befa96fa6719fbfaa469b782927c6126cfb9385a7780fe7
Instruction ID: 478805ef2bf3b7e74eccb7b06a3c0090b022b0fc9a5613e8a58b48cf17feaf00
Opcode Fuzzy Hash: 703f7b587c740a315befa96fa6719fbfaa469b782927c6126cfb9385a7780fe7
Instruction Fuzzy Hash: 4E41B062B18B4282EB148B29E41427D77A1BB957A8F594335EE6D4F7F8DF3CE4018700

Function 00007FFE01422184 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

WriteFile.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00007FFE01422293
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00007FFE014222B5

Strings

U, xrefs: 00007FFE0142223C

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4863c300516b6a9dedc084c1348bf3084e7177d5d3d42e52d2e91a76a9248602
Instruction ID: 74dba5abd357a9bb923bd1894801273a3cca9b2e4faa3f197509da55027e14e6
Opcode Fuzzy Hash: 4863c300516b6a9dedc084c1348bf3084e7177d5d3d42e52d2e91a76a9248602
Instruction Fuzzy Hash: 4C31E022B18A4186EB208F65E4447AEB7A0FB98794F814031EE4D8BBB8EF7CD441C751

Function 00007FFE013B36F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FFE013B3862

Strings

", xrefs: 00007FFE013B380D
powf, xrefs: 00007FFE013B385B

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: 0f5bcb0aa6d35f86e40bcd6dc930a44beb6cf17166eead1c5b5978abef3f93d2
Instruction ID: 459fdb61b4436fc5a4244e4ce654745e6619b047739f020746e092fb8ad2e831
Opcode Fuzzy Hash: 0f5bcb0aa6d35f86e40bcd6dc930a44beb6cf17166eead1c5b5978abef3f93d2
Instruction Fuzzy Hash: 52416073D28680DBD370CF22E4847AABAA0F799348F112329F749069A8DF7DD554AB44

Function 00007FFE013E9C54 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,00000000,00007FFE013C840B,?,?,?,?,?,?,00000000,00000098,00000000,00007FFE013EC258), ref: 00007FFE013E9CBE

Strings

LocaleNameToLCID, xrefs: 00007FFE013E9CB4
LCIDToLocaleName, xrefs: 00007FFE013E9C96

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressProc
String ID: LCIDToLocaleName$LocaleNameToLCID
API String ID: 190572456-2637756803
Opcode ID: d2f67aa584737989cd60aa142cfc7d9170daa0443f015e61b3e60402520badb7
Instruction ID: da1954a61fe025815f3c030524b7ba0b09a6b82272d8d8a77b41646948fd7d2e
Opcode Fuzzy Hash: d2f67aa584737989cd60aa142cfc7d9170daa0443f015e61b3e60402520badb7
Instruction Fuzzy Hash: 1D218E60B1DB4282FF099719E91027963E1AF147E8F454731DE2D9B7F8EE2CE8518300

Function 00007FFE013E93EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,?,00000000,00000098,00007FFE013EBA01,?,?,00000098,00007FFE013C6C48,000000B8,000000BC,000001C2,?,?), ref: 00007FFE013E9460

Strings

LCIDToLocaleName, xrefs: 00007FFE013E9438
EnumSystemLocalesEx, xrefs: 00007FFE013E9456

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressProc
String ID: EnumSystemLocalesEx$LCIDToLocaleName
API String ID: 190572456-3704287933
Opcode ID: e031951836a15d870668f8db9beeab4be1d8df7f09d18e85a6ff08e926df0380
Instruction ID: e189a3e47f79268de144c255ca2adc3cf655d5546f95ea159e852d9d0b35862d
Opcode Fuzzy Hash: e031951836a15d870668f8db9beeab4be1d8df7f09d18e85a6ff08e926df0380
Instruction Fuzzy Hash: 98318272A1DB0282EB05CB25E81066A63A1FB543A8F414735EE6D5B7F8EF7CE445CB00

Function 00007FFE013E9B50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0 ref: 00007FFE013E9BC1

Strings

LCMapStringEx, xrefs: 00007FFE013E9B99
LCIDToLocaleName, xrefs: 00007FFE013E9BB7

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressProc
String ID: LCIDToLocaleName$LCMapStringEx
API String ID: 190572456-3928102921
Opcode ID: 066ec8f9d7d7c0c38e437a62451d49de7ffa05a0090a9c9b25d44b5805199569
Instruction ID: f3891d324a0c6803be44cac8edfefc830f9ce7069a1479b5e1bc47a5831530a3
Opcode Fuzzy Hash: 066ec8f9d7d7c0c38e437a62451d49de7ffa05a0090a9c9b25d44b5805199569
Instruction Fuzzy Hash: 1B214F61B1DB1386EF049B29E95027963A1AF54BE8F554735DD2D4B7F8DE3CE8418300

Function 00007FFE01388B20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE013CD813,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE01388BA9
TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE013CD813,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE013C8606

Strings

FlsSetValue, xrefs: 00007FFE01388B9F

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressProcValue
String ID: FlsSetValue
API String ID: 1414840956-3750699315
Opcode ID: 141a6e68d7d00231ce51b312d1e9fc3fa37c404d4c6573b92cb4a8d8eaf1be28
Instruction ID: 47d5c8adb366c1885ee855b2fd607a69fed0057e7efeec9dcada1732f5d89070
Opcode Fuzzy Hash: 141a6e68d7d00231ce51b312d1e9fc3fa37c404d4c6573b92cb4a8d8eaf1be28
Instruction Fuzzy Hash: D1215161B19B0286FF059B15E8101796361AF487E4F498735DD2E4F7F8DF3CE8418200

Function 00007FFE01386660 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,00002000,00007FFE01384995,?,?,00000000,00007FFE013848E1,?,?,?,00007FFE01384664), ref: 00007FFE013866E3
InitializeCriticalSectionAndSpinCount.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,00002000,00007FFE01384995,?,?,00000000,00007FFE013848E1,?,?,?,00007FFE01384664), ref: 00007FFE013C8075

Strings

InitializeCriticalSectionEx, xrefs: 00007FFE013866C2, 00007FFE013866D9

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressCountCriticalInitializeProcSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 1498394645-3084827643
Opcode ID: ddf4b0a480a43b402f6ace76273d01146ff806f56be996b468f3267f4dc4eb8a
Instruction ID: 20c7dc8e08b5d9c12198676c35123ed6ebd5281e11ecd3c781d594071933e0ad
Opcode Fuzzy Hash: ddf4b0a480a43b402f6ace76273d01146ff806f56be996b468f3267f4dc4eb8a
Instruction Fuzzy Hash: 8E215C61B19B5382FB588B15E91123922A2AF887A8F555335DD2E0FBF8EE3CE4418300

Function 00007FFE133083F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE133084DC: DName::operator+.LIBVCRUNTIME ref: 00007FFE13308545

DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330847C

Part of subcall function 00007FFE1330B638: DName::operator+=.LIBVCRUNTIME ref: 00007FFE1330B653

Part of subcall function 00007FFE1330B554: DName::operator=.LIBVCRUNTIME ref: 00007FFE1330B581

Strings

void, xrefs: 00007FFE13308489

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+=$Name::operator+Name::operator=
String ID: void
API String ID: 3725178723-3531332078
Opcode ID: 9b968bc2e922b99509c453ea154173d36d1b892fe03fcd21ec92663b842f2082
Instruction ID: dc15ec9c333a2805922788d092188c45f359fc1cfda4b7f9cf9dde198324b974
Opcode Fuzzy Hash: 9b968bc2e922b99509c453ea154173d36d1b892fe03fcd21ec92663b842f2082
Instruction Fuzzy Hash: FE315462E18E468DFF10CB66D8513BC2B70EB24768F5440B1DA2C6A6BADF6CD4C5C358

Function 00007FFE0138E420 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,000067EBB6D5B716,00007FFE0138D7A6,?,?,?,?,?,?,?,00007FFE0138A022), ref: 00007FFE013CA712
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,000067EBB6D5B716,00007FFE0138D7A6,?,?,?,?,?,?,?,00007FFE0138A022), ref: 00007FFE013CA728

Strings

FlsSetValue, xrefs: 00007FFE013CA71E

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressProcValue
String ID: FlsSetValue
API String ID: 1414840956-3750699315
Opcode ID: fe0a1bbddaf81aa03f7c9a5abef65909dc359e7693faf75625a7cf74660712c5
Instruction ID: 32ac539273ac187bb2e12a6908422c8a0b78221671d3f0cef629b41fcb38f1c8
Opcode Fuzzy Hash: fe0a1bbddaf81aa03f7c9a5abef65909dc359e7693faf75625a7cf74660712c5
Instruction Fuzzy Hash: 67214F61B19B0342FF448B25E91027923A2AF487E8F559739D92E1F7F8EE3CE8458300

Function 00007FFE0138E480 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,000067EBB6D5B716,00007FFE0138D819,?,?,?,?,?,?,?,00007FFE0138A022), ref: 00007FFE013CA7AD
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,000067EBB6D5B716,00007FFE0138D819,?,?,?,?,?,?,?,00007FFE0138A022), ref: 00007FFE013CA7C3

Strings

FlsSetValue, xrefs: 00007FFE013CA7B9

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressProcValue
String ID: FlsSetValue
API String ID: 1414840956-3750699315
Opcode ID: c4172e71829929f4f5fe8b0b90eeccfd7986301197f64af4a82082aad63af629
Instruction ID: 2a98adbddf9cea43453c1873b2adcf1c2ac383a6e2a2096db12195f22e14623e
Opcode Fuzzy Hash: c4172e71829929f4f5fe8b0b90eeccfd7986301197f64af4a82082aad63af629
Instruction Fuzzy Hash: 45214161B19B0342FB448B65E91017923A2AF487E4F459735D92E5F7F8EE3CE8458300

Function 00007FFE1330880C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::operator+.LIBVCRUNTIME ref: 00007FFE133088EC

Strings

void , xrefs: 00007FFE1330887C
void, xrefs: 00007FFE13308864

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: Name::operator+
String ID: void$void
API String ID: 2943138195-3746155364
Opcode ID: 9fed0904b7036b1a7e7c47886692c4ade50ba0f084095a30f4e99b30a35ca245
Instruction ID: 0405d830f4e683d8ba2698bca973f5db5378dc628002e5f02911bfe8b3862a3f
Opcode Fuzzy Hash: 9fed0904b7036b1a7e7c47886692c4ade50ba0f084095a30f4e99b30a35ca245
Instruction Fuzzy Hash: 77314A72E18F569CFB01CB62E8800ED37B0BB68758B440176EA6E66B66DF3CD144C718

Function 00007FFE013E950C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE013E8F04,?,?,?,?,00007FFE013C8501), ref: 00007FFE013E9575
TlsFree.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE013E8F04,?,?,?,?,00007FFE013C8501), ref: 00007FFE013E95A9

Strings

FlsFree, xrefs: 00007FFE013E956B

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressFreeProc
String ID: FlsFree
API String ID: 4110577592-3081468905
Opcode ID: c3b89851103aa9b012822ebfa07cb1b7bb2dac97f545a164cff3b4fa4cb9a974
Instruction ID: 3500f8c7aa151e0a963e4ff974be3ece06575bf64f6afb27e96139525986dd77
Opcode Fuzzy Hash: c3b89851103aa9b012822ebfa07cb1b7bb2dac97f545a164cff3b4fa4cb9a974
Instruction Fuzzy Hash: F7214F61B1DB4282FF098729E81027923A1AF547E8F455335DD2D5F7F8EE6CE8458301

Function 00007FFE0139ACC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61libraryloadertimeCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE0139AB84,?,?,?,00007FFE0139AB3D), ref: 00007FFE0139AD3B
GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,?,00007FFE0139AB84,?,?,?,00007FFE0139AB3D), ref: 00007FFE013D1C00

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00007FFE0139AD31

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Time$AddressFileProcSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 1981195492-595813830
Opcode ID: 436b3a9aaec52841e0b9d771b7ae3c9b7f3300fe22404c01370292b75ca1e7e3
Instruction ID: 137e03ea8f030e2c28d3a1ff1952ac84277effd9ea7a360dbd430f15c5940ded
Opcode Fuzzy Hash: 436b3a9aaec52841e0b9d771b7ae3c9b7f3300fe22404c01370292b75ca1e7e3
Instruction Fuzzy Hash: 95215EA1B19B0282FF588B25E91017963A1AF487A8F599335DD2E5F7F4EE7CE4458300

Function 00007FFE0138D4D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE0138D549
TlsGetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE01393916,?,?,?,00007FFE013C7AE1,?,?,?,?,00007FFE01385036,?,?,?), ref: 00007FFE013C6003

Strings

FlsGetValue, xrefs: 00007FFE0138D53F

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressProcValue
String ID: FlsGetValue
API String ID: 1414840956-662576866
Opcode ID: 0aa447bb164f84aace856ea3207806c9d7ff746207915637949a022d62aedaa7
Instruction ID: 5e5cfeeb25ce74ebb9a7e0f716de6363860b88e9600de9c30b534741dab76a4b
Opcode Fuzzy Hash: 0aa447bb164f84aace856ea3207806c9d7ff746207915637949a022d62aedaa7
Instruction Fuzzy Hash: 65215061B19B0282FF088B25E95017923A1AF487A4F55573AE92E5F7F8EE3CE4458311

Function 00007FFE01386390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,?,00007FFE013874AB,?,?,?,?,00007FFE013875B1,?,?,00000000,00007FFE01388AE1), ref: 00007FFE01386407
TlsAlloc.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00007FFE013874AB,?,?,?,?,00007FFE013875B1,?,?,00000000,00007FFE01388AE1), ref: 00007FFE0138643F

Strings

FlsAlloc, xrefs: 00007FFE013863FD

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressAllocProc
String ID: FlsAlloc
API String ID: 2924745751-671089009
Opcode ID: 6f3942be4f8eb5dad98a1116d30526fec4c5fa6834764893a013cf6c816b3689
Instruction ID: 81f3f198e4392aaea303c42f742d137034aeaceb3196768447358f4a4d988634
Opcode Fuzzy Hash: 6f3942be4f8eb5dad98a1116d30526fec4c5fa6834764893a013cf6c816b3689
Instruction Fuzzy Hash: D2218E61B19B0382FF449B25E95013923A2AF487E4F459739E92D0F7F8EE7CE4458300

Function 00007FFE013B35C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFE013B36D2

Strings

pow, xrefs: 00007FFE013B36C1
", xrefs: 00007FFE013B36AB

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: ede202a549bcfe3015e3b7a4bce954d34602f1d43060412508e8ac6ac717d3a8
Instruction ID: 3d1d694d02c709306eddca86dedb7185b68877056759e46854fa4c732b200f3f
Opcode Fuzzy Hash: ede202a549bcfe3015e3b7a4bce954d34602f1d43060412508e8ac6ac717d3a8
Instruction Fuzzy Hash: A2214172D1CAC587D370CF10E48176ABAA0FBDA354F211325F7890AA64EBBDD1459F00

Function 00007FFE0139C710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0(?,?,000001C2,00007FFE0138A2BD), ref: 00007FFE0139C773

Strings

CompareStringEx, xrefs: 00007FFE0139C769
AreFileApisANSI, xrefs: 00007FFE0139C752

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: AddressProc
String ID: AreFileApisANSI$CompareStringEx
API String ID: 190572456-3979650549
Opcode ID: 342e9442b81f71762d44531511e133278f5ebb6217a5cb3553a5f3ea75293761
Instruction ID: 6107969c72fc05efd0fae3cd002119aa8b8a0e0a76128d7d179947cffd0f6768
Opcode Fuzzy Hash: 342e9442b81f71762d44531511e133278f5ebb6217a5cb3553a5f3ea75293761
Instruction Fuzzy Hash: 92114FA1B19A0346FF448729E95017913A25F493A8F596736D83D0F7F4EE3CE845C210

Function 00007FFE013AE410 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FFE013AE473

Strings

!, xrefs: 00007FFE013AE4B3
_logbf, xrefs: 00007FFE013AE46C

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_errorf
String ID: !$_logbf
API String ID: 2315412904-399603704
Opcode ID: 9f5e5259284b0ed6f76e847bfe8c634ff3a56e8073b74e58c5c4e1ec8c22e376
Instruction ID: f9c7a10417d13aca0ed0e54c0dc1300aa5ae563971ea757c1f072e7d489e3cc7
Opcode Fuzzy Hash: 9f5e5259284b0ed6f76e847bfe8c634ff3a56e8073b74e58c5c4e1ec8c22e376
Instruction Fuzzy Hash: 4C11B972D28B8147E360CA21D4847797555FBD5348F604339F6496A9F5DFBCE4C4AB00

Function 00007FFE013AE320 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFE013AE398

Part of subcall function 00007FFE013AE088: _raise_exc.LIBCMT ref: 00007FFE013AE12F

Strings

_logb, xrefs: 00007FFE013AE35F
", xrefs: 00007FFE013AE384

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_error_raise_exc
String ID: "$_logb
API String ID: 1935476177-1481363779
Opcode ID: 8554f4c38aff2a1c86db1cb0ec2e4fa02653d7767733f84c79fdfb50ac8ab648
Instruction ID: b615c5ebe934f1168e7ec9c94a0cfaae024619bf4884b0668dc38f682c59fd0f
Opcode Fuzzy Hash: 8554f4c38aff2a1c86db1cb0ec2e4fa02653d7767733f84c79fdfb50ac8ab648
Instruction Fuzzy Hash: 6011E361F58B8142EB14DB21940033A6153DF9ABB0F904331F93E1A7E4DF7CE0858B00

Function 00007FFE1330DA0E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1330C1D0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C1E7
Part of subcall function 00007FFE1330C1D0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C1FE
Part of subcall function 00007FFE1330C1D0: terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C219
Part of subcall function 00007FFE1330C1D0: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FFE13302F17), ref: 00007FFE1330C22D

abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330DA6E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1330DA8D

Part of subcall function 00007FFE13301B60: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE13301B73

Strings

csm, xrefs: 00007FFE1330DA2E

Memory Dump Source

Source File: 00000002.00000002.1692400554.00007FFE13301000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFE13300000, based on PE: true

Associated: 00000002.00000002.1692385564.00007FFE13300000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692417219.00007FFE1330E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692436386.00007FFE13312000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.1692454073.00007FFE13313000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13300000_run0796.jbxd

Similarity

API ID: abort$terminate
String ID: csm
API String ID: 579254285-1018135373
Opcode ID: 009a99e405968afe9082b478891bf969a292b7194393816fbdb550564c4b69a5
Instruction ID: 642ada016d08e0dcdfe52132f851d7749d0cdc7a6bd76d441fe7098c504169dd
Opcode Fuzzy Hash: 009a99e405968afe9082b478891bf969a292b7194393816fbdb550564c4b69a5
Instruction Fuzzy Hash: B8015E22A49F42CDEB249F2BD84417C22E0EF39B69F040574DD1D2B365EF28E9418208

Function 00007FFE013AEF52 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFE013AEFDF

Strings

!, xrefs: 00007FFE013AEFCB
sqrt, xrefs: 00007FFE013AEFA0

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_error
String ID: !$sqrt
API String ID: 1757819995-799759792
Opcode ID: 41087aa92c074fd2461e6bbe5b23ab73c846575d7d880c89778c5c11fc57a0f7
Instruction ID: 2f0a38c8854b7dacc73d511ac3f1c21fe8382e7fe32aa024b0c74a7a2322fa1e
Opcode Fuzzy Hash: 41087aa92c074fd2461e6bbe5b23ab73c846575d7d880c89778c5c11fc57a0f7
Instruction Fuzzy Hash: 2D11A776D18B8686DF11CF11A50032A6666FF967E4F614331FA6C0A7E8EF3CE0459A00

Function 00007FFE013AF022 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FFE013AF099

Strings

!, xrefs: 00007FFE013AF085
sqrtf, xrefs: 00007FFE013AF05E

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_errorf
String ID: !$sqrtf
API String ID: 2315412904-3181196081
Opcode ID: da464d9161ddbc70d0fa62e9955e3ff7c787bf03f1219012581fd81f082c77bc
Instruction ID: c570bc4ad4fd88be8edf4a663b0411bbe578c828fa57971896c7c1a16e19255b
Opcode Fuzzy Hash: da464d9161ddbc70d0fa62e9955e3ff7c787bf03f1219012581fd81f082c77bc
Instruction Fuzzy Hash: 7A01C836D587C587E750CB22944126EB262FBD5344F648334F64846AF8DF7CE0459F00

Function 00007FFE013B4070 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFE013B4142

Part of subcall function 00007FFE013AE088: _raise_exc.LIBCMT ref: 00007FFE013AE12F

Strings

cos, xrefs: 00007FFE013B4076
!, xrefs: 00007FFE013B412A

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_error_raise_exc
String ID: !$cos
API String ID: 1935476177-1949035351
Opcode ID: 926f023dcb395efe29e9f9cf21788b62c9e0ed12d1d37f035fbb2f4997938131
Instruction ID: 1cd9d7cd6831e9528d063e7dee987decd3669e8067e6b69133e4624053dce65f
Opcode Fuzzy Hash: 926f023dcb395efe29e9f9cf21788b62c9e0ed12d1d37f035fbb2f4997938131
Instruction Fuzzy Hash: 70019232E18B8582DB14CF22A8803766162FB9A794F504334EA5E0BB99EF7CD1515B04

Function 00007FF60F19F09C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF60F19F0CC
GetDriveTypeW.KERNEL32 ref: 00007FF60F19F10C

Strings

:, xrefs: 00007FF60F19F0F5

Memory Dump Source

Source File: 00000002.00000002.1691492610.00007FF60F181000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF60F180000, based on PE: true

Associated: 00000002.00000002.1691469586.00007FF60F180000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691519836.00007FF60F1AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691545021.00007FF60F1CC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1691591884.00007FF60F1CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff60f180000_run0796.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 5bb9208f1dd75f8da1bf4b84d43d2649c4580fde4fdc4700cc46879c1844a841
Instruction ID: 97a8c2114975a70ad4bed66a35c0286bc09d0236b21a536dcbfbd50ef7ff54a8
Opcode Fuzzy Hash: 5bb9208f1dd75f8da1bf4b84d43d2649c4580fde4fdc4700cc46879c1844a841
Instruction Fuzzy Hash: 0701D67291C20396F770AF60A46227E73A0EF44708FA8147AD54DC2695DF3DE546CB54

Function 00007FFE013B4090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FFE013B41D7

Part of subcall function 00007FFE013AE1B0: _raise_excf.LIBCMT ref: 00007FFE013AE256

Strings

!, xrefs: 00007FFE013B41C7
cosf, xrefs: 00007FFE013B4096

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_errorf_raise_excf
String ID: !$cosf
API String ID: 3848079588-2208875612
Opcode ID: 26b774126baaf243e6bc53b960026d5df92d452ba4082686f3f634491a9e9896
Instruction ID: 97f955a04badb7fc28d4aa894257332770d1e180c5e2d1bd443086b785bcc93f
Opcode Fuzzy Hash: 26b774126baaf243e6bc53b960026d5df92d452ba4082686f3f634491a9e9896
Instruction Fuzzy Hash: 2401B972E1C65187F314CB2AE48036AB5A1FBE4784F714225F7450AAB9DB7CD1815F04

Function 00007FFE013B40B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFE013B4142

Part of subcall function 00007FFE013AE088: _raise_exc.LIBCMT ref: 00007FFE013AE12F

Strings

sin, xrefs: 00007FFE013B40B6
!, xrefs: 00007FFE013B412A

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_error_raise_exc
String ID: !$sin
API String ID: 1935476177-1565623160
Opcode ID: 62574e8540d24f84c87472f104277cb576fe087112787b180d5915e614e9f115
Instruction ID: 6db2dc3ca0c9c06c921e9383036e006dfa6b791f4dca34f8f7c208fccd87d6aa
Opcode Fuzzy Hash: 62574e8540d24f84c87472f104277cb576fe087112787b180d5915e614e9f115
Instruction Fuzzy Hash: F8018871E18B8582D714CF22A8803766161BFDA7D4F504335EA5E1BB95EF7CD1415B04

Function 00007FFE013AF8C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FFE013AF955

Strings

", xrefs: 00007FFE013AF91F
expf, xrefs: 00007FFE013AF938

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_errorf
String ID: "$expf
API String ID: 2315412904-303238936
Opcode ID: c25ccdf68e813efd17a07b6cce32e1116de40518e53c6b29da4ebfe3fe30e03f
Instruction ID: 0e98f6507da0d459410ad74cbb7c8dd4421a95b56ec1d56351b0f3114c234076
Opcode Fuzzy Hash: c25ccdf68e813efd17a07b6cce32e1116de40518e53c6b29da4ebfe3fe30e03f
Instruction Fuzzy Hash: 810156729286C497D330CB21D4457AAB660FFE5344F905319E784166B4DF7DD495AF00

Function 00007FFE013B4200 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FFE013B41D7

Part of subcall function 00007FFE013AE1B0: _raise_excf.LIBCMT ref: 00007FFE013AE256

Strings

!, xrefs: 00007FFE013B41C7
sinf, xrefs: 00007FFE013B4206

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_errorf_raise_excf
String ID: !$sinf
API String ID: 3848079588-676365165
Opcode ID: 96c8438363064ea2871ce68c63b096ee2a125b1042229195728392d85c0a1e2a
Instruction ID: d3a2f3412661c54d522238961102f431bf990064c654a573c348ce6938ee6ec3
Opcode Fuzzy Hash: 96c8438363064ea2871ce68c63b096ee2a125b1042229195728392d85c0a1e2a
Instruction Fuzzy Hash: 1B01D472E1C68183F310CB26E88036AB6A1FBE4784F704324E7490AAB9DF7CD0809F04

Function 00007FFE013B4240 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FFE013B41D7

Part of subcall function 00007FFE013AE1B0: _raise_excf.LIBCMT ref: 00007FFE013AE256

Strings

!, xrefs: 00007FFE013B41C7
tanf, xrefs: 00007FFE013B4246

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_errorf_raise_excf
String ID: !$tanf
API String ID: 3848079588-3147098732
Opcode ID: 7dea2b079d508d96e5b7d407b91a86e8908217ad4ab7312aa947a5f7f4c85213
Instruction ID: 684c99ccbd3c12fbd99fa3c0564e75b8a4e252dd113ea03b78fafb15fa1cfaa6
Opcode Fuzzy Hash: 7dea2b079d508d96e5b7d407b91a86e8908217ad4ab7312aa947a5f7f4c85213
Instruction Fuzzy Hash: F9018472E1C68187F314CB26E88136AB6A1FBE5784F704325E7490AAB9DB7CD5819F04

Function 00007FFE013AF820 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FFE013AF8A6

Strings

", xrefs: 00007FFE013AF87F
exp, xrefs: 00007FFE013AF895

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: _handle_error
String ID: "$exp
API String ID: 1757819995-2878093337
Opcode ID: 0a5b4b2791ad97c1fb4e84ea0ca9bfa908e42d49a1b3a39517376e4252d0e70a
Instruction ID: a11d3fede8214d7b1f4c3dd62ca48ff59e1a0407532ee721b6aadbceb2aced45
Opcode Fuzzy Hash: 0a5b4b2791ad97c1fb4e84ea0ca9bfa908e42d49a1b3a39517376e4252d0e70a
Instruction Fuzzy Hash: 37018436D28B9887E720CF24D4492AE7BB1FFEA744F641315E7442A670CB7DD4859B00

Function 00007FFE13278140 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

if_nametoindex.IPHLPAPI ref: 00007FFE13278176

Strings

O&:if_nametoindex, xrefs: 00007FFE13278153
no interface with this name, xrefs: 00007FFE1327819A

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: if_nametoindex
String ID: O&:if_nametoindex$no interface with this name
API String ID: 3183282855-3835682882
Opcode ID: 2ab6b64bff9d2b892d881fe9f08b6323cb6d2d50f3a21e32f60e21339ada057f
Instruction ID: 3f1420c9921b8a7bea972781dce380ee3b9328c1ccfb1415f97dca37a6473d6d
Opcode Fuzzy Hash: 2ab6b64bff9d2b892d881fe9f08b6323cb6d2d50f3a21e32f60e21339ada057f
Instruction Fuzzy Hash: 8101E870B08F428AEA10BB27E8950792770BFF9F68F5404B5DA4E66674DE7CE504C710

Function 00007FFE13277BFC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

getprotobyname.WS2_32 ref: 00007FFE13277C35

Strings

s:getprotobyname, xrefs: 00007FFE13277C08
protocol not found, xrefs: 00007FFE13277C58

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: getprotobyname
String ID: protocol not found$s:getprotobyname
API String ID: 402843736-630402058
Opcode ID: c71a71efda0356e1d774585c53ee7afc9774e87fcc9d592355ba6f2c983bde5d
Instruction ID: 3ea33b27db83ae49ef19fbf3746886cd30f85ba03d3037fc50e9c8f0edabc414
Opcode Fuzzy Hash: c71a71efda0356e1d774585c53ee7afc9774e87fcc9d592355ba6f2c983bde5d
Instruction Fuzzy Hash: 93010475B18F428AEA14AB27E99407963B0FFF9BE5F4400B5DA4E67A34DE2CE054C700

Function 00007FFE13278240 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

inet_ntoa.WS2_32 ref: 00007FFE132782A4

Strings

y*:inet_ntoa, xrefs: 00007FFE1327824C
packed IP wrong length for inet_ntoa, xrefs: 00007FFE1327826C

Memory Dump Source

Source File: 00000002.00000002.1692291900.00007FFE13271000.00000040.00000001.01000000.00000007.sdmp, Offset: 00007FFE13270000, based on PE: true

Associated: 00000002.00000002.1692276597.00007FFE13270000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13281000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13283000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692291900.00007FFE13286000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692354101.00007FFE13287000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.1692369518.00007FFE13288000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe13270000_run0796.jbxd

Similarity

API ID: inet_ntoa
String ID: packed IP wrong length for inet_ntoa$y*:inet_ntoa
API String ID: 1879540557-3027498899
Opcode ID: 7daa6f1744a3d0a75287305b6be245906bfaeac108ce3fe86f9020a565bdced7
Instruction ID: dbe0afcedf40372aa1eaf194ad7dfd83e6becf652b90aece73171cd6f477feef
Opcode Fuzzy Hash: 7daa6f1744a3d0a75287305b6be245906bfaeac108ce3fe86f9020a565bdced7
Instruction Fuzzy Hash: 6101DA35B08F478ADA10AB26E8580692370FBF9B59B5401B5D68E63674DE3CD509C700

Function 00007FFE013C21A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FFE013C21C9
TlsSetValue.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00007FFE013C1BE1,?,?,?,?,00007FFE013C1A3D,?,?,?,?,00007FFE01388ACC), ref: 00007FFE013C21E0

Strings

FlsSetValue, xrefs: 00007FFE013C21B6

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 612b9a4b753447088afa87767267f8aa2290b8aefb7273a0d5797a0a9381a075
Instruction ID: 8aca8c862509d497ab04d1b325f83b4e249593feb1b8ca6d966ed3c3b4980634
Opcode Fuzzy Hash: 612b9a4b753447088afa87767267f8aa2290b8aefb7273a0d5797a0a9381a075
Instruction Fuzzy Hash: 58E06D65A0868282FB085B55FC041B92262EF887C0F894032DA4D0E2B5CE3CE948C710

Function 00007FFE0138AD20 Relevance: 5.2, APIs: 4, Instructions: 196COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1692148435.00007FFE01381000.00000020.00000001.01000000.00000004.sdmp, Offset: 00007FFE01380000, based on PE: true

Associated: 00000002.00000002.1692131277.00007FFE01380000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692212836.00007FFE01431000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692240853.00007FFE01469000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1692258780.00007FFE0146C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffe01380000_run0796.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d76f31d62366e6e35a10628089bc0c69e54cc1b0187099d9002e0f5e05de5c
Instruction ID: 8b11d801b86b506a7695348df0d28aa66cdabe28806831f6e853b75d9a3ce69b
Opcode Fuzzy Hash: 79d76f31d62366e6e35a10628089bc0c69e54cc1b0187099d9002e0f5e05de5c
Instruction Fuzzy Hash: D681A462A0C78286EB619B64A44027EB7E0FF417A0F155236EEAD4B6F5DF3CE495C700

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report run0796.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI64722\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\_bz2.pyd

C:\Users\user\AppData\Local\Temp\_MEI64722\_hashlib.pyd

C:\Users\user\AppData\Local\Temp\_MEI64722\_lzma.pyd

C:\Users\user\AppData\Local\Temp\_MEI64722\_socket.pyd

C:\Users\user\AppData\Local\Temp\_MEI64722\_ssl.pyd

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-console-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-datetime-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-debug-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-errorhandling-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l1-2-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-file-l2-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-handle-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-heap-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-interlocked-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-libraryloader-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-localization-l1-2-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-memory-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-namedpipe-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processenvironment-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-0.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\user\AppData\Local\Temp\_MEI64722\api-ms-win-core-profile-l1-1-0.dll

Windows Analysis Report
run0796.exe

Function 00007FF60F1A4EB0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Function 00007FF60F1858E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 141
COMMON

Function 00007FF60F1A5DFC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Function 00007FF60F1A512C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Function 00007FF60F1817B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON